On Thu, Mar 04, 2004 at 09:24:40PM -0500, David Edwards wrote:
> Hello folks.. I have a quick question ipfw in a 4.8 server..
>
> In /etc/rc.conf, if you set this - firewall_type="OPEN", is it also
> necessary for this options IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel config
> file?

No, firewall_type="open" will work even without the default-to-accept
kernel config option.

The presence or absence of the kernel configuration option determines
what rule 65535 will be at startup: at the initialization of the ipfw
framework, it places a rule numbered 65535, which is either 'allow' if
the option is present, or 'deny' if it is not.

The firewall_type="open" rc.conf knob determines the behavior of the
/etc/rc.firewall script (which can be overridden by setting
firewall_script="something else" in /etc/rc.conf) - and rc.firewall's
'open' mode creates a rule numbered 65000. Since ipfw terminates the
rule search on the first match, rule 65000 will be processed before
rule 65535, and the kernel's default will never be considered -
firewall_type="open" trumps the presence or absence of the
IPFIREWALL_DEFAULT_TO_ACCEPT option.

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If this sentence were in Chinese, it would say something else.
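The first-match behaviour described in the message above can be checked against a rule listing. This is an added example, not part of the original message: the function names effective_default and report are hypothetical, the two listings are constructed, and the input is assumed to be in the plain `ipfw list` format.

```sh
#!/bin/sh
# Added example (not from the original message). Input is text in the
# assumed `ipfw list` format: "NNNNN action ip from any to any [options]".

# Print "<number> <action>" for the first rule that matches every packet
# unconditionally; ipfw stops at the first match, so that rule is the
# effective default policy.
effective_default() {
    while read -r num action rest; do
        case "$action" in
            allow|pass|permit|accept) action=allow ;;
            deny|drop) action=deny ;;
            *) continue ;;
        esac
        case "$rest" in
            "ip from any to any"|"all from any to any")
                echo "$num $action"
                return 0 ;;
        esac
    done
    return 1
}

# Say whether the kernel's rule 65535 is ever reached.
report() {
    eff=$(printf '%s\n' "$1" | effective_default) || {
        echo "no catch-all rule found"; return 1; }
    case "$eff" in
        65535\ *) echo "kernel default decides: $eff" ;;
        *) echo "rule $eff shadows kernel default 65535" ;;
    esac
}

# Constructed listing: firewall_type="open" on a kernel built without
# IPFIREWALL_DEFAULT_TO_ACCEPT (so rule 65535 is deny).
OPEN_LISTING='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any'

# Constructed listing: same kernel, no rules loaded by any script.
BARE_LISTING='65535 deny ip from any to any'

report "$OPEN_LISTING"
report "$BARE_LISTING"
```

On a live host the same functions can be fed the real listing, for example report "$(ipfw list)" run as root.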