Date: Fri, 14 Sep 2012 18:51:53 +0200
From: Damien Fleuriot <ml@my.gd>
To: Olivier Cochard-Labbé <olivier@cochard.me>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
Message-ID: <A12FE8E6-673D-47AE-A541-7892BFE2AAFB@my.gd>
In-Reply-To: <CA%2Bq%2BTcqL1e=SLa7fUXpCa5Lpospj0F=%2BcfLnAjWDwHFVFxjAMw@mail.gmail.com>
References: <CA%2Bq%2BTcqL1e=SLa7fUXpCa5Lpospj0F=%2BcfLnAjWDwHFVFxjAMw@mail.gmail.com>

On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé <olivier@cochard.me> wrote:

> Hi,
> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
> option to the kernel configuration file:
> options PF_DEFAULT_TO_DROP
>
> Without this option, with an empty pf.conf: All traffic is permitted.
> With this option enabled, with an empty pf.conf: All traffic is
> dropped by default.
>
> If the attached file is removed, you can find the patch here:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622
>
> Regards,
>
> Olivier
> <freebsd.pf_drop.patch>

Is there any point to this?

I mean, PF has to be enabled manually anyway, so it's not like it adds any kind of default security.

Worse, it could lock careless people out.

People able to use this (read: who can rebuild a kernel) likely are intelligent enough to cobble up a default block rule for their pf.conf.