Bug 46747

Summary: Handbook: missing IPFW foot-shooting warning
Product: Documentation    Reporter: Lucky Green <shamrock>
Component: Books & Articles    Assignee: Giorgos Keramidas <keramida>
Status: Closed FIXED
Severity: Affects Only Me    CC: shamrock
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Lucky Green 2003-01-04 08:00:22 UTC
	Even though LINT contains an IPFW foot-shooting warning, the step-by-step instructions on enabling IPFW at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html do not. Consequently, administrators following the above instructions to the letter are likely to lock themselves out of their machines.

Fix: Apply the following doc patch to /usr/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml

<para>There are currently three kernel configuration options relevant to
        IPFW:</para>

*** chapter.sgml.orig   Sat Jan  4 07:52:10 2003
--- chapter.sgml        Sat Jan  4 08:34:58 2003
***************
*** 2048,2053 ****
--- 2048,2067 ----
        linkend="kernelconfig">)
        for more details on how to recompile your
        kernel.</para>
+
+       <note><title>Warning</title>
+       <para>IPFW defaults to a policy of "deny ip from any to any".
+       If you do not add other rules during startup to allow access,
+        <emphasis>you will lock yourself out</emphasis> of the server upon
+        rebooting into a firewall-enabled kernel. It is therefore
+        suggested that you set firewall_type=open in /etc/rc.conf when first enabling
+        this feature, then refining the firewall rules in /etc/rc.firewall
+        after you've tested that the new kernel feature works properly. To be
+        on the safe side, you may wish to consider performing the initial
+        firewall configuration from the local console rather than
+        via <application>ssh</application>.
+       </para>
+       </note>
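Review bot: the added admonition would be better expressed with DocBook's dedicated <warning> element rather than a <note> carrying a manual <title>Warning</title>, which is what the rest of the Handbook uses for lock-out and data-loss caveats; the file, variable and rule literals in the new paragraph ("deny ip from any to any", firewall_type=open, /etc/rc.conf, /etc/rc.firewall) should likewise get <literal>, <varname> and <filename> markup so they render consistently with the surrounding text, and the rc.conf value is conventionally written quoted, firewall_type="open". One grammar point in the same paragraph: "set firewall_type=open ... then refining the firewall rules" mixes forms; "then refine" keeps it parallel. The substance is right and worth having: the default deny-everything policy plus a remote ssh session is exactly the combination that locks an administrator out, and recommending the open ruleset and console access for the first boot is the appropriate mitigation.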
Comment 1 Giorgos Keramidas freebsd_committer freebsd_triage 2003-01-04 08:46:08 UTC
Responsible Changed
From-To: freebsd-doc->keramida

Refining the patch with Lucky.  I'll handle this.
Comment 2 Giorgos Keramidas freebsd_committer freebsd_triage 2003-01-04 09:40:26 UTC
State Changed
From-To: open->closed

Done!  Many thanks to Lucky Green <shamrock at cypherpunks dot to> 
for submitting the initial text and reviewing my final version. 
I hope this saves a few IPFW users from locking themselves out :-)