From 821f87d72dda1f5577146d38a90ab2a62589a3f4 Mon Sep 17 00:00:00 2001 From: peter Date: Wed, 10 Sep 1997 04:02:37 +0000 Subject: Mention the IPFIREWALL_DEFAULT_TO_ACCEPT option and its effect on rule 65535 --- sbin/ipfw/ipfw.8 | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index a671b63..da7d95a 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -93,6 +93,17 @@ This rule is the default policy, i.e., don't allow anything at all. Your job in setting up rules is to modify this policy to match your needs. .Pp +However, if the kernel option +.Dq IPFIREWALL_DEFAULT_TO_ACCEPT +is active, the rule is instead: +.Bd -literal -offset center +65535 allow all from any to any +.Ed +.Pp +This variation lets everything pass through. This option should only be +activated in particular circumstances, such as if your you use the firewall +system as an on-demand denial-of-service filter that is normally wide open. +.Pp The following options are available: .Bl -tag -width flag .It Fl a @@ -107,10 +118,11 @@ While adding or flushing, be quiet about actions (implies '-f'). This is useful for adjusting rules by executing multiple ipfw commands in a script (e.g. sh /etc/rc.firewall), or by processing a file of many ipfw rules, across a remote login session. If a flush is performed in normal -(verbose) mode, it prints a message. Because all rules are flushed, the +(verbose) mode (with the default kernel configuration), it prints a message. +Because all rules are flushed, the message cannot be delivered to the login session, the login session is closed and the remainder of the ruleset is not processed. Access to the -console is required to recover. +console is required to recover. .It Fl t While listing, show last match timestamp. .It Fl N
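Review bot: the first hunk (@@ -93,6 +93,17 @@) has a duplicated word in the added text, "such as if your you use the firewall" should read "such as if you use the firewall". The same paragraph would also benefit from stating the consequence plainly: with IPFIREWALL_DEFAULT_TO_ACCEPT the firewall is fail-open, so until a ruleset is loaded (or if the loading script does not run) rule 65535 "allow all from any to any" admits all traffic, and the sentence two paragraphs earlier, "Your job in setting up rules is to modify this policy", no longer describes a deny-by-default starting point.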
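Review bot: in the second hunk (@@ -107,10 +118,11 @@) the final pair "-console is required to recover." / "+console is required to recover." is a whitespace-only change, the two lines are otherwise identical, and it should either be dropped from a documentation edit or mentioned in the commit message. The inserted qualifier "(with the default kernel configuration)" is also vague; naming the option it refers to, for example "(unless IPFIREWALL_DEFAULT_TO_ACCEPT is set)", tells the reader exactly when a flush over a remote login locks them out of the host, which is the point the paragraph exists to make.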