From: "Vlad GALU" <vladgalu@gmail.com>
To: freebsd-pf@freebsd.org
Date: Fri, 14 Jul 2006 18:57:38 +0300
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <79722fad0607140857j154002e8r8bc24e24f0867c69@mail.gmail.com>
In-Reply-To: <44B7BBDD.8080302@suutari.iki.fi>
References: <44B7715E.8050906@suutari.iki.fi> <79722fad0607140413i10a2f5d9pfa0cc4b757e928a8@mail.gmail.com> <44B7BBDD.8080302@suutari.iki.fi>
On 7/14/06, Ari Suutari wrote:
> Hi,
>
> Vlad GALU wrote:
> > On 7/14/06, Ari Suutari wrote:
> >> Hi,
> >>
> >> Does anyone know if there are any plans to bring
> >> pf boot-time protection (i.e. /etc/rc.d/pf_boot and
> >> related config files) from NetBSD to FreeBSD ?
> >>
> >> This would close a small (but as far as I understand existing)
> >> window during boot where the firewall is fully open (if using only
> >> pf).
> >>
> >
> > See the mac_ifoff(4) manpage. You can disable your interfaces until
> > the system is fully booted.
>
> How well would this work ? I think that the idea of pf_boot
> is to disable incoming traffic, but allow certain outgoing
> traffic like dns. If dns doesn't work during startup (don't
> really know about mac_ifoff yet) it will cause problems, for
> example sendmail startup might hang for a while.

It would disable all traffic until the system is up. That includes
outgoing traffic.

Basically the problem is that pf, unlike ipf/ipfw, doesn't have a
"block everything by default" option, so the firewall is open until the
ruleset has been loaded. That can be solved either by adding such an
option or by having a "block all" rule inserted early in the booting
process, which would be removed upon loading the rules from pf.conf. I
think (I didn't check) that this is exactly what the NetBSD script Simon
was telling us about does.

>
> Ari S.
>

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
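The "block all early, replace with pf.conf later" approach described above, as an added example that is not part of the original thread, not the NetBSD pf_boot script, and not FreeBSD's own /etc/rc.d/pf. It is a small rc.d-style script that loads a minimal ruleset (drop everything inbound, permit only outbound DNS so resolver-dependent daemons such as sendmail do not hang) and enables pf before the interfaces are configured; the regular pf script later replaces that ruleset with /etc/pf.conf. The script name pf_boot, the path /etc/pf.boot.conf, the PFCTL/PF_BOOT_CONF variables and the function names are assumptions for illustration; it assumes pf is compiled into the kernel or loaded by the loader, and a real rc.d script would use rc.subr's run_rc_command instead of the case dispatch at the bottom.

```shell
#!/bin/sh
#
# Added example: an early-boot "block all" ruleset for pf on FreeBSD,
# in the spirit of NetBSD's /etc/rc.d/pf_boot.  Not the real script.
# Assumes pf is in the kernel (or pf_load="YES" in /boot/loader.conf).
#
# PROVIDE: pf_boot
# REQUIRE: root mountcritlocal
# BEFORE: netif
# KEYWORD: nojail

PFCTL="${PFCTL:-/sbin/pfctl}"                  # assumed path; overridable for testing
PF_BOOT_CONF="${PF_BOOT_CONF:-/etc/pf.boot.conf}"  # assumed config location

# Fallback ruleset used when /etc/pf.boot.conf does not exist:
# default-deny in both directions, loopback untouched, and only
# outbound DNS (plus its replies, via state) allowed so that daemons
# started before /etc/rc.d/pf can still resolve names.
pf_boot_ruleset() {
    cat <<'EOF'
set block-policy drop
set skip on lo0
block in all
block out all
pass out quick proto udp to any port 53 keep state
pass out quick proto tcp to any port 53 flags S/SA keep state
EOF
}

# Parse-check only (pfctl -n): useful before rebooting with a new
# /etc/pf.boot.conf, since a syntax error here would leave pf disabled.
pf_boot_check() {
    if [ -r "$PF_BOOT_CONF" ]; then
        "$PFCTL" -n -f "$PF_BOOT_CONF"
    else
        pf_boot_ruleset | "$PFCTL" -n -f -
    fi
}

# Load the boot ruleset and enable pf right away.  /etc/rc.d/pf runs
# later (after netif) and replaces this ruleset with /etc/pf.conf, so
# the window where the host is up but unfiltered is closed.
pf_boot_start() {
    pf_boot_tmp=""
    pf_boot_file="$PF_BOOT_CONF"
    if [ ! -r "$pf_boot_file" ]; then
        pf_boot_tmp="${TMPDIR:-/tmp}/pf.boot.conf.$$"
        pf_boot_ruleset > "$pf_boot_tmp"
        pf_boot_file="$pf_boot_tmp"
    fi
    if ! "$PFCTL" -q -f "$pf_boot_file"; then
        echo "pf_boot: failed to load $pf_boot_file" >&2
        [ -n "$pf_boot_tmp" ] && rm -f "$pf_boot_tmp"
        return 1
    fi
    # "already enabled" is not an error for our purposes.
    "$PFCTL" -q -e 2>/dev/null || true
    [ -n "$pf_boot_tmp" ] && rm -f "$pf_boot_tmp"
    return 0
}

case "${1:-}" in
    start) pf_boot_start ;;
    check) pf_boot_check ;;
esac
```

Run it as `sh pf_boot check` before rebooting to make sure the boot ruleset parses; at boot, rcorder places it before netif because of the BEFORE keyword, so the interfaces come up already filtered.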