From ffdd472de7a1a10f7f8fc8a0b5b343d52eb10d22 Mon Sep 17 00:00:00 2001 From: Peter Wemm Date: Wed, 10 Sep 1997 03:07:14 +0000 Subject: [PATCH] Allow a compile-time override of the ipfw deny rule. For a 'firewall' you don't want this (and the documentation explains why), but if you use ipfw as an as-needed casual filter as needed which normally runs as 'allow all' then having the kernel and /sbin/ipfw get out of sync is a *MAJOR* pain in the behind. PR: 4141 Submitted by: Heikki Suonsivu --- sys/conf/NOTES | 10 +++++++++- sys/conf/options | 3 ++- sys/i386/conf/LINT | 10 +++++++++- sys/i386/conf/NOTES | 10 +++++++++- sys/netinet/ip_fw.c | 24 ++++++++++++++++-------- 5 files changed, 45 insertions(+), 12 deletions(-) diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 9e84fa07a23..e470f533e1f 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -2,7 +2,7 @@ # LINT -- config file for checking all the sources, tries to pull in # as much of the source tree as it can. # -# $Id: LINT,v 1.362 1997/09/04 23:03:09 yokota Exp $ +# $Id: LINT,v 1.363 1997/09/09 12:40:53 jmg Exp $ # # NB: You probably don't want to try running a kernel built from this # file. Instead, you should start from GENERIC, and add options from @@ -368,6 +368,13 @@ pseudo-device tun 1 #Tunnel driver(user process ppp) # conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends # logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT # limits the number of times a matching entry can be logged. +# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to +# allow everything. Use with care, if a cracker can crash your +# firewall machine, they can get to your protected machines. However, +# if you are using it as an as-needed filter for specific problems as +# they arise, then this may be for you. Changing the default to 'allow' +# means that you won't get stuck if the kernel and /sbin/ipfw binary get +# out of sync. # # IPDIVERT enables the divert IP sockets, used by ``ipfw divert'' # 
@@ -379,6 +386,7 @@ options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #print information about # dropped packets options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity +options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by defalt options IPDIVERT #divert sockets options TCPDEBUG diff --git a/sys/conf/options b/sys/conf/options index 1857efd7e1b..083391e24ba 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -1,4 +1,4 @@ -# $Id: options,v 1.31 1997/06/04 16:44:22 pst Exp $ +# $Id: options,v 1.32 1997/08/19 17:05:23 peter Exp $ # Format: # Option name filename @@ -98,5 +98,6 @@ MROUTING opt_mrouting.h IPFIREWALL opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h +IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h PPP_BSDCOMP opt_ppp.h PPP_DEFLATE opt_ppp.h diff --git a/sys/i386/conf/LINT b/sys/i386/conf/LINT index 9e84fa07a23..e470f533e1f 100644 --- a/sys/i386/conf/LINT +++ b/sys/i386/conf/LINT @@ -2,7 +2,7 @@ # LINT -- config file for checking all the sources, tries to pull in # as much of the source tree as it can. # -# $Id: LINT,v 1.362 1997/09/04 23:03:09 yokota Exp $ +# $Id: LINT,v 1.363 1997/09/09 12:40:53 jmg Exp $ # # NB: You probably don't want to try running a kernel built from this # file. Instead, you should start from GENERIC, and add options from 
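Review bot: The trailing comment on the added line, `options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by defalt`, misspells "default"; the same line recurs in the sys/i386/conf/LINT hunk @@ -379 and the sys/i386/conf/NOTES hunk @@ -379, so all three copies want the same fix. I would write `options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default`. Since LINT is the compile-coverage config rather than a runnable one (the file header says so), enabling the fail-open default there is consistent with the rest of the file and needs no further change.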
@@ -368,6 +368,13 @@ pseudo-device tun 1 #Tunnel driver(user process ppp) # conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends # logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT # limits the number of times a matching entry can be logged. +# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to +# allow everything. Use with care, if a cracker can crash your +# firewall machine, they can get to your protected machines. However, +# if you are using it as an as-needed filter for specific problems as +# they arise, then this may be for you. Changing the default to 'allow' +# means that you won't get stuck if the kernel and /sbin/ipfw binary get +# out of sync. # # IPDIVERT enables the divert IP sockets, used by ``ipfw divert'' # @@ -379,6 +386,7 @@ options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #print information about # dropped packets options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity +options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by defalt options IPDIVERT #divert sockets options TCPDEBUG diff --git a/sys/i386/conf/NOTES b/sys/i386/conf/NOTES index 9e84fa07a23..e470f533e1f 100644 --- a/sys/i386/conf/NOTES +++ b/sys/i386/conf/NOTES @@ -2,7 +2,7 @@ # LINT -- config file for checking all the sources, tries to pull in # as much of the source tree as it can. # -# $Id: LINT,v 1.362 1997/09/04 23:03:09 yokota Exp $ +# $Id: LINT,v 1.363 1997/09/09 12:40:53 jmg Exp $ # # NB: You probably don't want to try running a kernel built from this # file. Instead, you should start from GENERIC, and add options from 
@@ -368,6 +368,13 @@ pseudo-device tun 1 #Tunnel driver(user process ppp) # conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends # logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT # limits the number of times a matching entry can be logged. +# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to +# allow everything. Use with care, if a cracker can crash your +# firewall machine, they can get to your protected machines. However, +# if you are using it as an as-needed filter for specific problems as +# they arise, then this may be for you. Changing the default to 'allow' +# means that you won't get stuck if the kernel and /sbin/ipfw binary get +# out of sync. # # IPDIVERT enables the divert IP sockets, used by ``ipfw divert'' # @@ -379,6 +386,7 @@ options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #print information about # dropped packets options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity +options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by defalt options IPDIVERT #divert sockets options TCPDEBUG diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c index 22d2200ccf1..6f76bde834d 100644 --- a/sys/netinet/ip_fw.c +++ b/sys/netinet/ip_fw.c @@ -12,7 +12,7 @@ * * This software is provided ``AS IS'' without any warranties of any kind. * - * $Id: ip_fw.c,v 1.61 1997/08/06 00:19:05 alex Exp $ + * $Id: ip_fw.c,v 1.62 1997/08/23 14:28:22 alex Exp $ */ /* 
@@ -936,18 +936,23 @@ ip_fw_ctl(int stage, struct mbuf **mm) void ip_fw_init(void) { - struct ip_fw deny; + struct ip_fw default_rule; ip_fw_chk_ptr = ip_fw_chk; ip_fw_ctl_ptr = ip_fw_ctl; LIST_INIT(&ip_fw_chain); - bzero(&deny, sizeof deny); - deny.fw_prot = IPPROTO_IP; - deny.fw_number = (u_short)-1; - deny.fw_flg |= IP_FW_F_DENY; - deny.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT; - if (check_ipfw_struct(&deny) == NULL || add_entry(&ip_fw_chain, &deny)) + bzero(&default_rule, sizeof default_rule); + default_rule.fw_prot = IPPROTO_IP; + default_rule.fw_number = (u_short)-1; +#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT + default_rule.fw_flg |= IP_FW_F_ACCEPT; +#else + default_rule.fw_flg |= IP_FW_F_DENY; +#endif + default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT; + if (check_ipfw_struct(&default_rule) == NULL || + add_entry(&ip_fw_chain, &default_rule)) panic(__FUNCTION__); printf("IP packet filtering initialized, " @@ -956,6 +961,9 @@ ip_fw_init(void) #else "divert disabled, "); #endif +#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT + printf("default to accept, "); +#endif #ifndef IPFIREWALL_VERBOSE printf("logging disabled\n"); #else
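Review bot: The fail-open choice made by the `#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT` block (IP_FW_F_ACCEPT versus IP_FW_F_DENY on default_rule.fw_flg) is explained only in NOTES/LINT, not at the point where it takes effect, so a reader of ip_fw_init cannot tell that the rule numbered (u_short)-1 is the catch-all that decides every packet until /sbin/ipfw installs other rules. I would add above the `#ifdef`: `/* Rule (u_short)-1 is the catch-all. With IPFIREWALL_DEFAULT_TO_ACCEPT it passes everything (flagged IP_FW_F_IN | IP_FW_F_OUT, presumably both directions) until userland loads rules -- fail-open; see NOTES for the trade-off. */`. As a point of style, the struct was just bzero'd, so each branch could set the flags in one self-contained assignment, `default_rule.fw_flg = IP_FW_F_ACCEPT | IP_FW_F_IN | IP_FW_F_OUT;` and `default_rule.fw_flg = IP_FW_F_DENY | IP_FW_F_IN | IP_FW_F_OUT;`, instead of the two `|=` lines. ip_fw_init's body continues past this hunk into the @@ -956 hunk below, where the "default to accept, " banner is the only runtime indication of the choice.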