From owner-freebsd-pf@FreeBSD.ORG Fri Sep 14 05:40:27 2012
From: Olivier Cochard-Labbé
Sender: cochard@gmail.com
Date: Fri, 14 Sep 2012 07:40:05 +0200
To: Andreas Rudisch
Cc: freebsd-pf@freebsd.org
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
In-Reply-To: <20120914001925.aa5e93bb998052eb16ac773b@gmx.net>
List-Id: Technical discussion and general questions about packet filter (pf)

On Fri, Sep 14, 2012 at 12:19 AM, Andreas Rudisch wrote:
> I really do not think that such a patch is needed. A simple 'block all'
> in pf.conf will do the same, so why add code and recompile the kernel?
>

Hi Andreas,

Some pf users have a strong security policy, and:

1. If there is an error in the pf.conf (bad syntax, empty file, or something else), the security policy imposes blocking all traffic by default.

2. Or, during the startup process, there is a time lapse between the moment forwarding is enabled and the moment the very big pf.conf finishes loading, during which all traffic is permitted: they don't want this behavior. But I haven't tested my patch regarding this special case.

> Also if you are setting up a remote server you probably do not want to
> _not_ be able to access it.
>

This kind of user prefers to lock their firewall (they have serial console access as a backup) over having all traffic pass through and creating a security incident.

And we already have these options in the kernel configuration:

options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFILTER_DEFAULT_BLOCK #block all packets by default

Why not, for homogeneity, add the same option for PF?

Regards,
Olivier
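Both concerns Olivier raises (a pf.conf that fails to parse leaving the box open, and the window between forwarding coming up and a large ruleset finishing its load) can be closed from userland without a kernel option, by installing a tiny block-all ruleset first and only replacing it once the production file passes `pfctl -n`. The script below is an added example written for this page; it is not code from the message, from the patch under discussion, or from FreeBSD. It assumes pfctl(8) as shipped with FreeBSD; `PF_CONF` and `FALLBACK_CONF` are placeholder paths chosen for the illustration.

```shell
#!/bin/sh
# Added example, not code from the message or from FreeBSD: fail-closed
# loading of a pf ruleset. A block-all ruleset is installed before the
# production pf.conf is even parsed, so a syntax error, an empty file, or a
# slow load of a very big ruleset leaves pf dropping traffic, not passing it.
# Assumes pfctl(8) from FreeBSD. PF_CONF and FALLBACK_CONF are placeholders.

set -u

PF_CONF="${PF_CONF:-/etc/pf.conf}"
FALLBACK_CONF="${FALLBACK_CONF:-/var/run/pf.fallback.conf}"

# Minimal fail-closed ruleset: nothing in or out except loopback.
# Recovery is via the serial console, as the message assumes.
write_fallback_ruleset() {
    cat > "$1" <<'EOF'
set skip on lo0
block drop log all
EOF
}

# 0 if the file is non-empty and pfctl can parse it, 1 otherwise.
# An empty pf.conf parses cleanly but loads no rules, so it is rejected too.
ruleset_is_valid() {
    f="$1"
    [ -s "$f" ] || return 1
    pfctl -nf "$f" >/dev/null 2>&1
}

# Install the block-all ruleset first, then switch to the production ruleset
# only if it passes the parse check. Prints which ruleset ended up live.
# Returns 0 for production, 1 for fallback, 2 if even the fallback failed.
load_fail_closed() {
    conf="$1"
    fallback="$2"
    write_fallback_ruleset "$fallback" || return 2
    pfctl -f "$fallback" >/dev/null 2>&1 || return 2
    if ruleset_is_valid "$conf" && pfctl -f "$conf" >/dev/null 2>&1; then
        echo production
        return 0
    fi
    echo fallback
    return 1
}

# Only touch the live system when asked explicitly (needs root and pf enabled).
if [ "${1:-}" = "--apply" ]; then
    load_fail_closed "$PF_CONF" "$FALLBACK_CONF"
fi
```

Run it (`pfctl -e` first, then `script.sh --apply`) before `sysctl net.inet.ip.forwarding=1` so forwarding never comes up behind an empty ruleset, and confirm what is actually live with `pfctl -sr`. Because `pfctl -f` parses the whole file before committing it, a failure during the production load does not leave a half-applied ruleset: the fallback stays in force.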