From: Damien Fleuriot
Date: Fri, 14 Sep 2012 18:51:53 +0200
To: Olivier Cochard-Labbé
Cc: freebsd-pf@freebsd.org
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file

On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé wrote:
> Hi,
> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
> option to the kernel configuration file:
> options PF_DEFAULT_TO_DROP
>
> Without this option, with an empty pf.conf: all traffic is permitted.
> With this option enabled, with an empty pf.conf: all traffic is
> dropped by default.
>
> If the attached file is removed, you can find the patch here:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622
>
> Regards,
>
> Olivier
>

Is there any point to this?

I mean, PF has to be enabled manually anyway, so it's not like it adds any kind of default security.

Worse, it could lock careless people out.

People able to use this (read: who can rebuild a kernel) likely are intelligent enough to cobble up a default block rule for their pf.conf.
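The "default block rule" the reply refers to, written out as an added pf.conf example (not part of the thread or of the submitted patch): it gives the same default-deny behaviour as PF_DEFAULT_TO_DROP from the ruleset rather than the kernel, and keeps an administrative path open so loading it remotely does not cause the lockout the reply warns about. The interface name and management network are assumed placeholders.

```pf
# Added example, not from the thread. Interface and admin network are assumptions.
ext_if   = "em0"             # assumed external interface
mgmt_net = "192.0.2.0/24"    # assumed admin network (documentation prefix)

set skip on lo0

# Default deny in both directions. With this line present, an otherwise
# empty or truncated ruleset no longer means "pass everything".
block all

# Management access first, so the operator loading this ruleset over ssh
# is not cut off by the block rule above.
pass in quick on $ext_if inet proto tcp from $mgmt_net to ($ext_if) port ssh keep state

# Connections initiated by the host itself.
pass out on $ext_if inet keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; `pfctl -sr` should list `block drop all` as the first rule.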