From ab6e02da0f7626397f3d3d2793efa93ef6ee9eb1 Mon Sep 17 00:00:00 2001
From: "Jordan K. Hubbard"
Date: Tue, 23 Sep 1997 08:42:42 +0000
Subject: [PATCH] Be more explicit about one of IPFIREWALL's features.
---
 sys/conf/NOTES | 12 +++++++++++-
 sys/i386/conf/LINT | 12 +++++++++++-
 sys/i386/conf/NOTES | 12 +++++++++++-
 3 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 7b6675e5c3ff..fd8ebde13baa 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 # as much of the source tree as it can.
 #
-# $Id: LINT,v 1.367 1997/09/19 15:25:48 jmg Exp $
+# $Id: LINT,v 1.368 1997/09/20 07:41:28 dyson Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file. Instead, you should start from GENERIC, and add options from
@@ -368,6 +368,15 @@ pseudo-device tun 1 #Tunnel driver(user process ppp)
 # conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
 # logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
 # limits the number of times a matching entry can be logged.
+<<<<<<< LINT
+#
+# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
+# and if you do not add other rules during startup to allow access,
+# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall=open
+# in /etc/rc.conf when first enabling this feature, then refining the
+# firewall rules in /etc/rc.firewall after you've tested that the new kernel
+# feature works properly.
+=======
 # IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
 # allow everything. Use with care, if a cracker can crash your
 # firewall machine, they can get to your protected machines. However,
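Review bot: Unresolved merge-conflict markers are committed as file content: `+<<<<<<< LINT` and `+=======` in this hunk and `+>>>>>>> 1.364` in the following `@@ -375,6 +384,7 @@` hunk, repeated identically in sys/i386/conf/LINT and sys/i386/conf/NOTES. None of the three lines starts with `#`, so they are not comments and would presumably be rejected when the file is fed to config(8). Both sides of the conflict look worth keeping (the new deny-by-default WARNING and the existing IPFIREWALL_DEFAULT_TO_ACCEPT paragraph), so the fix is to drop the three marker lines and separate the two paragraphs with a lone `#`. The `$Id` line in the first hunk changing from 1.367/jmg to 1.368/dyson also looks like merge residue rather than an intended edit. The comment block this hunk edits starts and ends outside the hunk.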
@@ -375,6 +384,7 @@ pseudo-device tun 1 #Tunnel driver(user process ppp)
 # they arise, then this may be for you. Changing the default to 'allow'
 # means that you won't get stuck if the kernel and /sbin/ipfw binary get
 # out of sync.
+>>>>>>> 1.364
 #
 # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
 #
diff --git a/sys/i386/conf/LINT b/sys/i386/conf/LINT
index 7b6675e5c3ff..fd8ebde13baa 100644
--- a/sys/i386/conf/LINT
+++ b/sys/i386/conf/LINT
@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 # as much of the source tree as it can.
 #
-# $Id: LINT,v 1.367 1997/09/19 15:25:48 jmg Exp $
+# $Id: LINT,v 1.368 1997/09/20 07:41:28 dyson Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file. Instead, you should start from GENERIC, and add options from
@@ -368,6 +368,15 @@ pseudo-device tun 1 #Tunnel driver(user process ppp)
 # conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
 # logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
 # limits the number of times a matching entry can be logged.
+<<<<<<< LINT
+#
+# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
+# and if you do not add other rules during startup to allow access,
+# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall=open
+# in /etc/rc.conf when first enabling this feature, then refining the
+# firewall rules in /etc/rc.firewall after you've tested that the new kernel
+# feature works properly.
+=======
 # IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
 # allow everything. Use with care, if a cracker can crash your
 # firewall machine, they can get to your protected machines. However,
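Review bot: The added WARNING in the `@@ -368,6 +368,15 @@` hunk recommends `firewall=open` in /etc/rc.conf but never says the setting is meant to be temporary, so a reader who stops there keeps IPFIREWALL compiled in with what is presumably a pass-everything ruleset. I would close the paragraph with a line such as `# Do not leave firewall=open in place once your own rules are loaded.`, which also matches the "Use with care" tone of the IPFIREWALL_DEFAULT_TO_ACCEPT text below it. The wording "then refining the firewall rules" should read "then refine the firewall rules" so the sentence parses. The same text is added to both NOTES files, and the comment block it belongs to starts and ends outside the hunk.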
@@ -375,6 +384,7 @@ pseudo-device tun 1 #Tunnel driver(user process ppp)
 # they arise, then this may be for you. Changing the default to 'allow'
 # means that you won't get stuck if the kernel and /sbin/ipfw binary get
 # out of sync.
+>>>>>>> 1.364
 #
 # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
 #
diff --git a/sys/i386/conf/NOTES b/sys/i386/conf/NOTES
index 7b6675e5c3ff..fd8ebde13baa 100644
--- a/sys/i386/conf/NOTES
+++ b/sys/i386/conf/NOTES
@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 # as much of the source tree as it can.
 #
-# $Id: LINT,v 1.367 1997/09/19 15:25:48 jmg Exp $
+# $Id: LINT,v 1.368 1997/09/20 07:41:28 dyson Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file. Instead, you should start from GENERIC, and add options from
@@ -368,6 +368,15 @@ pseudo-device tun 1 #Tunnel driver(user process ppp)
 # conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
 # logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
 # limits the number of times a matching entry can be logged.
+<<<<<<< LINT
+#
+# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
+# and if you do not add other rules during startup to allow access,
+# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall=open
+# in /etc/rc.conf when first enabling this feature, then refining the
+# firewall rules in /etc/rc.firewall after you've tested that the new kernel
+# feature works properly.
+=======
 # IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
 # allow everything. Use with care, if a cracker can crash your
 # firewall machine, they can get to your protected machines. However,
@@ -375,6 +384,7 @@ pseudo-device tun 1 #Tunnel driver(user process ppp)
 # they arise, then this may be for you. Changing the default to 'allow'
 # means that you won't get stuck if the kernel and /sbin/ipfw binary get
 # out of sync.
+>>>>>>> 1.364
 #
 # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
 #