From: Kimmo Paasiala
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
Date: Sat, 15 Sep 2012 00:39:57 +0300
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
List-Id: Technical discussion and general questions about packet filter (pf)

On Fri, Sep 14, 2012 at 7:51 PM, Damien Fleuriot wrote:
>
> On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé wrote:
>
>> Hi,
>> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
>> option to the kernel configuration file:
>> options PF_DEFAULT_TO_DROP
>>
>> Without this option, with an empty pf.conf: all traffic is permitted.
>> With this option enabled, with an empty pf.conf: all traffic is
>> dropped by default.
>>
>> If the attached file is removed, you can find the patch here:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622
>>
>> Regards,
>>
>> Olivier
>>
>
>
> Is there any point to this?
>
> I mean, PF has to be enabled manually anyway, so it's not like it adds any kind of default security.
> Worse, it could lock careless people out.
>
>
> People able to use this (read: who can rebuild a kernel) likely are intelligent enough to cobble up a default block rule for their pf.conf.

If you must do this then please consider adding a /boot/loader.conf setting instead of a kernel configuration option. The option could be read-only on a running system or dependent on securelevel(7).

-Kimmo
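The thread turns on two points: an empty ruleset permits everything unless you write the default block rule yourself, and a wrong ruleset loaded over a remote session locks you out. The following shell script is an added example and is not code from the thread, from the patch in PR 171622, or from the FreeBSD project: it prints an explicit default-deny pf.conf (the "block all" rule Damien refers to, which is what the proposed kernel option would make the empty-ruleset behaviour) and loads it with a lockout guard that disables pf again after a timeout unless the admin confirms access still works. The external interface em0, the admin subnet 192.0.2.0/24 (a documentation-range address, constructed for the example), SSH on port 22, the 120-second timeout and the confirm-file mechanism are all assumptions of this example, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not part of the freebsd-pf thread or of the PR 171622 patch.
# Assumptions (not from the thread): external interface em0, management
# over SSH from a constructed documentation-range admin subnet, and a
# 120-second window in which the admin must confirm access.

EXT_IF="${EXT_IF:-em0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"    # constructed, RFC 5737 range
RULES="${RULES:-/etc/pf.conf}"
FALLBACK_SECS="${FALLBACK_SECS:-120}"

# Print a minimal default-deny ruleset.  "block all" is the explicit
# form of what PF_DEFAULT_TO_DROP would apply to an empty ruleset; the
# management rule is listed first and marked "quick" so that nothing
# below it can accidentally cut off the admin session.
default_deny_ruleset() {
    cat <<EOF
ext_if = "$EXT_IF"
admin_net = "$ADMIN_NET"

set skip on lo0
block all
block in quick from urpf-failed
# management access first, so a mistake further down cannot lock you out
pass in quick on \$ext_if inet proto tcp from \$admin_net to (\$ext_if) port 22 flags S/SA keep state
# outbound traffic from the host itself
pass out quick on \$ext_if inet from (\$ext_if) to any keep state
EOF
}

# Syntax-check a ruleset, load it, and schedule "pfctl -d" (disable pf,
# i.e. back to permit-all) unless the admin touches the confirm file
# within FALLBACK_SECS.  This is the guard against the lockout Damien
# mentions when a default block rule is loaded over a remote session.
load_with_fallback() {
    file="$1"
    pfctl -nf "$file" || { echo "syntax error in $file, not loading" >&2; return 1; }
    confirm="/tmp/pf-confirm.$$"
    rm -f "$confirm"
    ( sleep "$FALLBACK_SECS"; [ -e "$confirm" ] || pfctl -d ) &
    pfctl -e 2>/dev/null || true      # already enabled is fine
    pfctl -f "$file" || return 1
    echo "loaded $file; run 'touch $confirm' within ${FALLBACK_SECS}s or pf will be disabled"
}

case "${1:-}" in
    print) default_deny_ruleset ;;
    write) default_deny_ruleset > "$RULES" && echo "wrote $RULES" ;;
    load)  load_with_fallback "$RULES" ;;
esac
```

Run it as `sh pf-default-deny.sh write` and then `sh pf-default-deny.sh load` from the admin subnet; if the SSH session survives, touch the printed confirm file before the timeout, otherwise pf disables itself and the host is reachable again. Disabling pf rather than reloading the previous ruleset is deliberate: it restores exactly the permit-all state the thread describes for an empty pf.conf, so there is no second ruleset whose correctness you also have to trust.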