From: Ari Suutari
Date: Fri, 14 Jul 2006 18:44:29 +0300
To: Vlad GALU
Cc: freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <44B7BBDD.8080302@suutari.iki.fi>
In-Reply-To: <79722fad0607140413i10a2f5d9pfa0cc4b757e928a8@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

Vlad GALU wrote:
> On 7/14/06, Ari Suutari wrote:
>> Hi,
>>
>> Does anyone know if there are any plans to bring
>> pf boot-time protection (i.e. /etc/rc.d/pf_boot and
>> related config files) from NetBSD to FreeBSD?
>>
>> This would close the small (but, as far as I understand, existing)
>> window during boot where the firewall is fully open (if using only
>> pf).
>>
>
> See the mac_ifoff(4) manpage. You can disable your interfaces until
> the system is fully booted.

How well would this work? I think that the idea of pf_boot is to disable
incoming traffic, but allow certain outgoing traffic like DNS. If DNS
doesn't work during startup (I don't really know about mac_ifoff yet) it
will cause problems; for example, sendmail startup might hang for a while.

Ari S.
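As an added illustration (not part of the thread, and not NetBSD's actual pf.boot.conf), a minimal boot-time pf ruleset of the shape Ari describes: everything inbound is dropped, and only outbound name resolution is permitted so that daemons such as sendmail can still resolve names while the system comes up. The interface name em0 is an assumption.

```pf
# Hypothetical boot-time ruleset (added example, not NetBSD's pf.boot.conf).
# Assumption: the external interface is em0; change it to the real one.
ext_if = "em0"

# Drop silently rather than answer with RSTs/ICMP unreachables while booting.
set block-policy drop
# Loopback stays open so local daemons can talk to each other.
set skip on lo0

# Default deny in both directions: this closes the boot-time window the
# original post describes. Only what startup needs is re-opened below.
block all

# Name resolution: DNS over UDP, plus TCP for truncated/large answers.
# "keep state" lets the replies back in without any matching "pass in".
pass out on $ext_if proto { udp, tcp } to any port 53 keep state

# Caveat: a host that configures $ext_if via DHCP also needs a rule for
# DHCP (udp ports 67/68) here, or it never obtains an address at boot.
```

Check the file with `pfctl -nf <file>` before placing it in the boot sequence; the normal, full ruleset then replaces it once the system is fully up.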