From: Olivier Cochard-Labbé
Date: Thu, 13 Sep 2012 23:26:48 +0200
To: freebsd-pf@freebsd.org
Subject: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file

Hi,

here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new option to the kernel configuration file:

options PF_DEFAULT_TO_DROP

Without this option, with an empty pf.conf: All traffic is permitted.
With this option enabled, with an empty pf.conf: All traffic is dropped by default.

If the attached file is removed, you can find the patch here:
http://www.freebsd.org/cgi/query-pr.cgi?pr=171622

Regards,

Olivier

[Attachment: freebsd.pf_drop.patch]