From: Ari Suutari
Date: Sun, 16 Jul 2006 23:17:14 +0300
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <44BA9ECA.6090607@suutari.iki.fi>
In-Reply-To: <20060716191732.GD3240@insomnia.benzedrine.cx>
Hi,

Daniel Hartmeier wrote:
> You claimed there was a hole. If you can't explain what it consists of
> ("thing X might get exposed prior to rc.d/pf due to the following
> sequence of events..."),

On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that pf is run after netif, so if one is using only pf as firewall, there is a window between the run of "netif" and "pf" where network interfaces are up but there is no firewall loaded. Adding pf_boot, which runs before "netif", would fix this, wouldn't it? Please correct me if I'm wrong here (that would be nice, since then there wouldn't be any problem at all).

> blindly sticking in pf_boot at some convenient
> place in the boot order is not guaranteed to solve more than it can
> break.

I don't think I have been talking about blindly sticking pf_boot into the boot order. I would only like to be sure that there *is* no hole. I have been suggesting using pf_boot because it seems to be the approach used in the other BSDs (well, I must admit that I didn't check how OpenBSD does it, but I know that there is some kind of boot-time ruleset there). I assumed that since the pf_boot solution is there, possible problems with it had been ironed out on the other BSDs.

Even Windows XP has boot-time firewall protection today - we don't want to be worse than them, do we :-)

Ari S.
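The check Ari describes (look at the rcorder output and see whether pf comes after netif) can be scripted. The following is an added example, not code from the thread or from FreeBSD: a small sh/awk function that reads an rc(8) boot order on stdin and reports whether the firewall script runs after the script that configures interfaces, and which other scripts run in between. It is written generally (any interface-up script versus any firewall script), so it applies to ipfw or ipfilter as well as pf. The SAMPLE_ORDER list is constructed for illustration; it is not the output of a real rcorder run, and the order shown is not a claim about any FreeBSD release.

```shell
#!/bin/sh
# Added example, not from the original message or from FreeBSD.
# Reads a boot order as printed by `rcorder /etc/rc.d/*` (one script path
# per line, in run order) and reports whether the firewall script runs after
# the script that brings interfaces up. Everything that runs in between is
# executed while interfaces are configured and no ruleset is loaded.
#
# On a live system:   rcorder /etc/rc.d/* | boot_window netif pf
# Exit status: 0 = firewall script runs first (no window)
#              1 = firewall script runs after the interface script (window)
#              2 = one of the two scripts is missing from the input

boot_window() {
    # $1: script that configures interfaces (e.g. netif)
    # $2: firewall script (e.g. pf, ipfw, ipfilter)
    awk -v up="$1" -v fw="$2" '
        # rcorder prints full paths; compare on the basename only
        { n = split($0, parts, "/"); name = parts[n] }
        name == up { up_seen = 1; next }
        name == fw {
            done = 1
            if (up_seen) {
                printf "%s runs after %s; %d script(s) in between:%s\n",
                       fw, up, between_n, between
                rc = 1
            } else {
                printf "%s runs before %s: no window\n", fw, up
                rc = 0
            }
            exit rc
        }
        # every script seen after "up" and before "fw" runs inside the window
        up_seen { between_n++; between = between " " name }
        END {
            if (done) exit rc
            print "missing " (up_seen ? fw : up) " in boot order"
            exit 2
        }
    '
}

# Constructed sample order (illustration only, not a real rcorder run).
SAMPLE_ORDER='/etc/rc.d/hostid
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/routing
/etc/rc.d/pf'

if printf '%s\n' "$SAMPLE_ORDER" | boot_window netif pf; then
    echo "no window"
else
    echo "window present (status $?)"
fi
```

Note that a count of zero scripts in between does not mean there is no window: netif still completes before the firewall script starts, so interfaces are configured before the ruleset loads in every case where the firewall script sorts after it. The count only tells you how much else (routing, daemons started early) runs inside that gap.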