From owner-freebsd-pf@FreeBSD.ORG Sat Jul 15 14:22:03 2006
From: "Travis H."
To: freebsd-pf@freebsd.org
Date: Sat, 15 Jul 2006 09:22:02 -0500
In-Reply-To: <20060714154729.GA8616@psconsult.nl>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
On 7/14/06, Paul Schenkeveld wrote:
> I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK
> instead of some magic script closing the hole between driver init and
> configuration. Always wondered how the OpenBSD -security minded- people
> have come up with a packet filter that's open by default.

In /etc/rc OpenBSD sets up pfctl before it runs /etc/netstart. The default
ruleset is:

    block all
    pass on lo0
    pass in proto tcp from any to any port 22 keep state
    pass out proto { tcp, udp } from any to any port 53 keep state
    pass out inet proto icmp all icmp-type echoreq keep state

Then there's some stuff about IPv6 and some stuff for NFS. I'm not sure why
they don't use "set skip" or "quick".

Still, it'd be nice to have a "default deny" compile option. The question
is, where do you check for this thing to be enabled? I suppose you could
have both a default-deny compile option and a "block all" at the top of
the ruleset (or equivalently a "block quick all" at the end), like wearing
a belt and suspenders... wouldn't want installing a new kernel to suddenly
open you up, nor would you want to have to remember the default deny rule
when playing with different rulesets...
-- 
``I am not a pessimist. To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
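In the spirit of the belt-and-suspenders point above, an added check (example code, not from this thread, FreeBSD or OpenBSD): a small sh/awk lint that reports whether a pf.conf carries its own default deny, so a ruleset swap cannot silently drop it. It assumes a self-contained pf.conf with no included files, and it treats a trailing "block quick all" as a default deny only when every rule above it is also quick, because under pf's last-match semantics a trailing quick block would otherwise be the final match for every packet.

```shell
#!/bin/sh
# Added example (not code from the thread, FreeBSD or OpenBSD): lint a
# pf.conf for an explicit default deny, so that swapping rulesets cannot
# silently drop it. Plain sh + awk, no pfctl needed.

# Print the filter rules of a pf.conf, one per line, with comments, blank
# lines, options, macros, tables, anchors and translation/queue rules
# removed and backslash continuations joined.
pf_filter_rules() {
    awk '
        { sub(/#.*$/, "") }                               # strip comments
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            gsub(/[ \t]+/, " ", line)                     # collapse whitespace
            if (line == "") next
            if (line ~ /^(set|scrub|nat|rdr|binat|altq|queue|load|include|table|anchor) /) next
            if (line ~ /^[A-Za-z_][A-Za-z0-9_]* ?=/) next  # macro definition
            print line
        }' "$1"
}

# Return 0 when the ruleset carries a default deny in one of two forms:
#   - first filter rule is "block [log] all": last matching rule wins, so
#     later pass rules override it selectively (the OpenBSD boot ruleset);
#   - last filter rule is "block [log] quick all" and every rule above it
#     is also quick; without quick on those rules the trailing block would
#     be the last match for every packet and block everything.
has_default_deny() {
    rules=$(pf_filter_rules "$1")
    [ -n "$rules" ] || return 1
    first=$(printf '%s\n' "$rules" | head -n 1)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$first" in
        "block all"|"block log all") return 0 ;;
    esac
    case "$last" in
        "block quick all"|"block log quick all")
            # any non-quick rule above the trailing block disqualifies it
            if printf '%s\n' "$rules" | sed '$d' | grep -qv ' quick '; then
                return 1
            fi
            return 0 ;;
    esac
    return 1
}
```

Run it as `has_default_deny /etc/pf.conf && echo ok` from an rc script or a pre-commit hook on the ruleset repository; the exit status is the only output.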