Date:      Sat, 15 Sep 2012 00:39:57 +0300
From:      Kimmo Paasiala <kpaasial@gmail.com>
To:        Damien Fleuriot <ml@my.gd>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
Message-ID:  <CA%2B7WWSdf3Yo-jeYwd1OtnmNHfCDzvJ2MRKfZzY8H6B_rgoN2aw@mail.gmail.com>
In-Reply-To: <A12FE8E6-673D-47AE-A541-7892BFE2AAFB@my.gd>
References:  <CA%2Bq%2BTcqL1e=SLa7fUXpCa5Lpospj0F=%2BcfLnAjWDwHFVFxjAMw@mail.gmail.com> <A12FE8E6-673D-47AE-A541-7892BFE2AAFB@my.gd>

On Fri, Sep 14, 2012 at 7:51 PM, Damien Fleuriot <ml@my.gd> wrote:
>
> On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé <olivier@cochard.me> wrote:
>
>> Hi,
>> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
>> option to the kernel configuration file:
>> options PF_DEFAULT_TO_DROP
>>
>> Without this option, with an empty pf.conf: all traffic is permitted.
>> With this option enabled, with an empty pf.conf: all traffic is
>> dropped by default.
>>
>> If the attached file is removed, you can find the patch here:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622
>>
>> Regards,
>>
>> Olivier
>> <freebsd.pf_drop.patch>
>
>
> Is there any point to this ?
>
> I mean, PF has to be enabled manually anyway, so it's not like it adds any kind of default security.
> Worse, it could lock careless people out.
>
>
> People able to use this (read: who can rebuild a kernel) likely are intelligent enough to cobble up a default block rule for their pf.conf.

If you must do this then please consider adding a /boot/loader.conf
setting instead of a kernel configuration option. The option could be
read only on a running system or dependent on securelevel(7).

-Kimmo
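As an added illustration, not part of the thread or of the PR 171622 patch, this is the explicit default-block ruleset Damien refers to: it gives drop-by-default behavior from pf.conf alone, with no kernel option, while keeping management access open so a bad rule does not lock the administrator out. The interface name and admin network are assumptions.

```conf
# /etc/pf.conf: explicit default-deny ruleset (added example; interface and
# network are assumed values, not taken from the thread)
ext_if    = "em0"
admin_net = "192.0.2.0/24"

set skip on lo0

# Default policy: drop everything that no later rule passes. An empty
# pf.conf has no such rule, which is why it permits all traffic.
block all

# Keep management reachable from the admin network; pf uses last-match
# semantics, so this pass rule overrides "block all" for this traffic only.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 keep state

# Let the host itself originate connections; replies are matched by state.
pass out on $ext_if keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, so a syntax error is caught before the running ruleset is replaced.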
