Date: Wed, 12 Jul 2023 22:08:02 +0200
From: Kristof Provost <kp@FreeBSD.org>
To: void <void@f-m.fm>
Cc: freebsd-hackers@freebsd.org
Subject: Re: dis/advantages of compiling in-kernel over kldload
Message-ID: <8E73D0C1-11A1-4767-9FE6-8C0DEB494B5A@FreeBSD.org>
In-Reply-To: <ZK75GyQCxE1YzEav@int21h>
References: <ZK7mnohS12eEYoV2@int21h> <F94E719F-C1BE-48C4-882D-AF42E3350ACB@FreeBSD.org> <ZK75GyQCxE1YzEav@int21h>
On 12 Jul 2023, at 21:03, void wrote:
> Hello Kristof,
>
> On Wed, Jul 12, 2023 at 08:38:35PM +0200, Kristof Provost wrote:
>
>> I strongly recommend that people stick with the GENERIC config, and ideally just use the builds the project releases.
>
> I disagree. I think people need to look carefully at their own contexts.
> What you're suggesting removes a configurable layer of the
> security onion. It's not like we have OpenBSD's KARL. I find it hard to
> see how using identical configs across systems benefits anyone apart from
> either an attacker, or tech support.

I'm not suggesting that you're not allowed to deviate from the default kernel config. I'm saying that it's risky, and that I'm going to be less interested in the bugs you run into.

>> For example, PF_DEFAULT_TO_DROP is known to be broken in at least some scenarios:
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477
>
> Would you not agree though, that if one didn't try, then no progress could be made?

Sure, if you're interested in finding bugs that's one thing you can do. You're also likely to be allowed to fix them yourself.

> What I'd like to achieve is the following:
>
> If pf fails to load its ruleset, allow ssh from only this safe IP range and block everything else.

Look at pf_fallback_rules in /etc/defaults/rc.conf

Best regards,
Kristof
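An added example (not from the thread and not FreeBSD's own rc.d/pf) of the "ssh from a safe range, drop everything else" fallback ruleset void asked for, plus a stand-in for the load-or-fallback decision so it can be exercised without pfctl. The rc.conf variable names other than pf_fallback_rules, and the 192.0.2.0/24 range, are assumptions; check rc.conf(5) on your release.

```sh
#!/bin/sh
# Added example, not FreeBSD's rc.d/pf. Shows the fallback ruleset and emulates
# the decision rc.d/pf makes: load the primary ruleset, and only if that fails
# load the fallback.
#
# The rc.conf(5) lines this corresponds to (names other than pf_fallback_rules
# are assumed from memory of rc.conf(5); verify on your release):
#   pf_enable="YES"
#   pf_rules="/etc/pf.conf"
#   pf_fallback_rules_enable="YES"
#   pf_fallback_rules="set skip on lo0
#   block drop log all
#   pass in quick proto tcp from 192.0.2.0/24 to any port 22 keep state"

# Emit the fallback ruleset for one trusted source range ($1, constructed
# example range). Order matters: "block drop log all" is the catch-all and the
# "quick" pass for ssh from the safe range stops evaluation so it wins over
# the block. Nothing else, inbound or outbound, is passed: the host stays
# reachable for repair and exposes nothing more.
fallback_ruleset() {
    printf 'set skip on lo0\n'
    printf 'block drop log all\n'
    printf 'pass in quick proto tcp from %s to any port 22 keep state\n' "$1"
}

# Emulate the load-or-fallback decision.
#   $1  loader command, stands in for "pfctl -f" (a stub works for testing)
#   $2  primary ruleset path
#   $3  safe source range for the fallback ruleset
# Prints "primary" or "fallback" for whichever ruleset loaded. Returns 1 if
# neither did; on a live box that would leave pf with an empty ruleset, and an
# empty pf ruleset passes everything, which is exactly the case to guard against.
load_with_fallback() {
    loader="$1"; primary="$2"; net="$3"
    if $loader "$primary" >/dev/null 2>&1; then
        echo primary
        return 0
    fi
    tmp=$(mktemp) || return 1
    fallback_ruleset "$net" > "$tmp"
    if $loader "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo fallback
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Real use would be: load_with_fallback "pfctl -f" /etc/pf.conf 192.0.2.0/24
```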