From owner-freebsd-pf@FreeBSD.ORG Fri Jul 14 17:11:23 2006
From: phoemix@harmless.hu (Gergely CZUCZY)
To: freebsd-pf@freebsd.org
Date: Fri, 14 Jul 2006 19:11:18 +0200
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060714171118.GA27379@marvin.harmless.hu>
In-Reply-To: <20060714154729.GA8616@psconsult.nl>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl>
User-Agent: Mutt/1.5.9i
On Fri, Jul 14, 2006 at 05:47:29PM +0200, Paul Schenkeveld wrote:
> Hello,
>
> On Fri, Jul 14, 2006 at 01:26:38PM +0300, Ari Suutari wrote:
> > Hi,
> >
> > Does anyone know if there are any plans to bring
> > pf boot-time protection (i.e. /etc/rc.d/pf_boot and
> > related config files) from NetBSD to FreeBSD?
> >
> > This would close a small (but as far as I understand existing)
> > window during boot where the firewall is fully open (if using only
> > pf).
>
> I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK
> instead of some magic script closing the hole between driver init and
> configuration. Always wondered how the OpenBSD -security minded- people
> have come up with a packet filter that's open by default.
>
> Or am I missing the point here?

On a Linux box I'm running I have a 2-state firewall setup, which I like very much. The states look like this:

1, bootup) This state only allows DNS and ssh communications, and as soon as possible in the bootup process the box applies this ruleset. All communications are disabled except the above-mentioned ones. Even the running services are unreachable in this stage.

2, online) The box goes to this state when all the services are running and the bootup process has been completed. In this stage every service can be accessed.

Using these two states the services can be protected from the clients while not all of them are started.
There are various reasons for this; I mention some:

- Services may depend on each other, and the startup order may not reflect this.
- Services that consist of multiple parts cannot be accessed while not all parts are up and running, thus clients are unable to connect to the not-yet-fully-started services.
- The load at startup can be pretty high, and connecting clients would raise it even higher. This also can be prevented.
- However, all basic communication (DNS resolving, and ssh for the admin) is allowed at the bootup stage.

I think NetBSD also had a similar purpose in mind, and also took some of these ideas and reasons.

It would be very nice to have a pf_bootup.conf, which would be applied as soon as the interfaces are up, but before anything else is started.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
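As an added illustration of the two-state scheme discussed in this thread (this is example code written for this page, not Gergely's Linux setup and not NetBSD's pf_boot script), here is what the "bootup" state looks like as a pf ruleset, together with a small sh loader that switches between the bootup and online states. The interface name em0, the admin network 192.0.2.0/24, the paths /etc/pf.boot.conf and /etc/pf.conf, and the function names are all assumptions; pfctl -n, pfctl -e and pfctl -f are the real pfctl flags for parse-only, enable and load. The loader refuses to switch state when the candidate ruleset fails to parse, so a typo in the online ruleset leaves the bootup rules in place rather than the box open, which is exactly the window Ari asked about.

```shell
#!/bin/sh
# Added example: two-state pf loader (bootup vs. online), modelled on the
# split described in the mail above.  Not the thread author's code and not
# NetBSD's pf_boot.  Interface, admin network and paths are assumptions.

PF_BOOT_CONF=${PF_BOOT_CONF:-/etc/pf.boot.conf}   # generated bootup ruleset (assumed path)
PF_CONF=${PF_CONF:-/etc/pf.conf}                  # full "online" ruleset (assumed path)
PFCTL=${PFCTL:-pfctl}                             # overridable so the loader can be dry-run

# Emit the "bootup" ruleset: everything blocked except loopback, outbound
# DNS (so name resolution works while services start) and inbound ssh from
# the admin network.  Services that are already listening stay unreachable.
boot_ruleset() {
    ext_if=$1
    admin_net=$2
    cat <<EOF
# bootup state (generated): minimal until all services are up
set block-policy drop
set skip on lo0
block all
pass out quick on $ext_if proto { tcp, udp } from any to any port 53 keep state
pass in quick on $ext_if proto tcp from $admin_net to ($ext_if) port 22 keep state
EOF
}

# Lint for the bootup state: every "pass in" line must be the ssh rule.
# Returns 0 when that holds, 1 when some other inbound pass slipped in.
boot_ruleset_is_minimal() {
    ext_if=$1
    admin_net=$2
    if boot_ruleset "$ext_if" "$admin_net" | grep '^pass in' | grep -v 'port 22' >/dev/null; then
        return 1
    fi
    return 0
}

# Switch to a state.  The candidate ruleset is parsed first (pfctl -n) so a
# broken online ruleset leaves the bootup rules loaded instead of failing
# open.  Returns 0 on success, 1 on a parse/load error, 2 on a bad state name.
apply_state() {
    state=$1
    ext_if=$2
    admin_net=$3
    case $state in
    boot)
        boot_ruleset "$ext_if" "$admin_net" > "$PF_BOOT_CONF" || return 1
        rules=$PF_BOOT_CONF
        ;;
    online)
        rules=$PF_CONF
        ;;
    *)
        echo "apply_state: unknown state '$state' (want boot|online)" >&2
        return 2
        ;;
    esac
    "$PFCTL" -n -f "$rules" || { echo "apply_state: $rules does not parse, keeping current rules" >&2; return 1; }
    "$PFCTL" -e 2>/dev/null || true   # enable pf if it is not enabled yet
    "$PFCTL" -f "$rules"
}

# Usage:  sh pf_state.sh boot em0 192.0.2.0/24   (early in boot, after netif)
#         sh pf_state.sh online                  (once all services are up)
if [ $# -ge 1 ]; then
    apply_state "$@"
fi
```

On FreeBSD the natural home for the two calls is a pair of rc.d scripts: one ordered right after the interfaces come up that runs the boot state, and the regular pf script, ordered after the services, that runs the online state. The lint function is there because the whole point of the bootup ruleset is that nothing but ssh is reachable; checking that property mechanically is cheaper than discovering a stray "pass in" during an incident.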