Date: Fri, 14 Jul 2006 20:47:36 +0300
From: Ari Suutari <ari@suutari.iki.fi>
To: freebsd-pf@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <44B7D8B8.3090403@suutari.iki.fi>
In-Reply-To: <20060714154729.GA8616@psconsult.nl>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl>
Hi,

[I have added freebsd-security to the recipient list as I consider this issue a security risk]

Paul Schenkeveld wrote:
> Hello,
>
> On Fri, Jul 14, 2006 at 01:26:38PM +0300, Ari Suutari wrote:
>> Hi,
>>
>> Does anyone know if there are any plans to bring
>> pf boot-time protection (i.e. /etc/rc.d/pf_boot and
>> related config files) from NetBSD to FreeBSD ?
>>
>> This would close a small (but as far as I understand existing)
>> window during boot where the firewall is fully open (if using only
>> pf).
>
> I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK
> instead of some magic script closing the hole between driver init and
> configuration. Always wondered how the OpenBSD -security minded- people
> have come up with a packet filter that's open by default.

There has been discussion about this before. I know that the perfect solution
would be PF_DEFAULT_BLOCK, but while waiting for that I wonder why we cannot
have pf_boot, which closes the boot hole (at least when run with proper filter
rules).

I would suggest:

- first port pf_boot, which brings us to the same level of security as OpenBSD & NetBSD.
- then, work with the PF authors to get PF_DEFAULT_BLOCK if it still seems necessary.

As pf becomes more and more popular on FreeBSD I see the current state of the
system as a security risk (i.e. I won't use pf + FreeBSD on company firewalls
although I would otherwise like to).

Ari S.
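The boot-time hole discussed above is the interval between the pf driver initialising and /etc/rc.d/pf loading the real ruleset. The script below is an added illustration of the pf_boot idea, not NetBSD's pf_boot nor any FreeBSD code: it writes a deny-by-default ruleset and loads it (fail-closed on parse errors) so that it can be run before netif; the file path, the PFCTL variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example (assumed names/paths): minimal early-boot pf protection.
# In a real rc.d script this would carry "# BEFORE: netif" so the rcorder
# runs it before interfaces are configured (assumption about ordering).

PF_BOOT_CONF="${PF_BOOT_CONF:-/etc/pf.boot.conf}"   # assumed path
PFCTL="${PFCTL:-/sbin/pfctl}"                       # overridable for testing

# Emit the temporary ruleset: everything is blocked except loopback.
# It stays in force until /etc/rc.d/pf replaces it with /etc/pf.conf.
pf_boot_ruleset() {
    cat <<'EOF'
# Temporary early-boot ruleset: deny all traffic except loopback.
set skip on lo0
block drop all
EOF
}

# Write the ruleset to $1 (default: PF_BOOT_CONF); print the path written.
pf_boot_write() {
    _out="${1:-$PF_BOOT_CONF}"
    pf_boot_ruleset > "$_out" || return 1
    echo "$_out"
}

# Count rule lines in a ruleset file, skipping comments and blank lines.
# Used as a sanity check that the boot ruleset is not empty.
pf_boot_rule_count() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Load the boot ruleset and enable pf. Fails closed: a missing or
# syntactically broken file returns non-zero instead of leaving pf open,
# so the caller can abort the boot or raise an alarm.
pf_boot_start() {
    [ -r "$PF_BOOT_CONF" ] || { echo "pf_boot: missing $PF_BOOT_CONF" >&2; return 1; }
    "$PFCTL" -nf "$PF_BOOT_CONF" >/dev/null 2>&1 || {
        echo "pf_boot: $PF_BOOT_CONF does not parse" >&2; return 1; }
    "$PFCTL" -f "$PF_BOOT_CONF" || return 1
    "$PFCTL" -e >/dev/null 2>&1 || true   # already enabled is not an error
}
```

Running `pf_boot_start` requires root and a kernel with pf; the write and count helpers run anywhere.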
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44B7D8B8.3090403>