Date: Fri, 14 Sep 2012 00:19:25 +0200
From: Andreas Rudisch <cyb.@gmx.net>
To: freebsd-pf@freebsd.org, Olivier Cochard-Labbé <olivier@cochard.me>
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
Message-ID: <20120914001925.aa5e93bb998052eb16ac773b@gmx.net>
In-Reply-To: <CA%2Bq%2BTcqL1e=SLa7fUXpCa5Lpospj0F=%2BcfLnAjWDwHFVFxjAMw@mail.gmail.com>
References: <CA%2Bq%2BTcqL1e=SLa7fUXpCa5Lpospj0F=%2BcfLnAjWDwHFVFxjAMw@mail.gmail.com>

On Thu, 13 Sep 2012 23:26:48 +0200
Olivier Cochard-Labbé <olivier@cochard.me> wrote:

> Hi,
> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
> option to the kernel configuration file:
> options PF_DEFAULT_TO_DROP
>
> Without this option, with an empty pf.conf: All traffic is permitted.
> With this option enabled, with an empty pf.conf: All traffic is
> dropped by default.

I really do not think that such a patch is needed.
A simple 'block all' in pf.conf will do the same, so why add code and
recompile the kernel?

Also if you are setting up a remote server you probably do not want to
_not_ be able to access it.

Andreas
--
GnuPG key  : 0x2A573565 | http://www.gnupg.org/howtos/de/
Fingerprint: 925D 2089 0BF9 8DE5 9166 33BB F0FD CD37 2A57 3565