From: Robert Austen <robert.austen@willowglensystems.com>
To: Zhenlei Huang
Cc: freebsd-current@freebsd.org, freebsd-net@freebsd.org, Kristof Provost
Subject: Re: pfil_default_to_drop
Date: Tue, 8 Apr 2025 17:01:27 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-current
I respectfully disagree.

PF_DEFAULT_TO_DROP has no effect if pfctl does not perform its ioctl call to enable itself, i.e. to apply any hooks.
If pfctl fails, then the hooks are left unhooked, and EVERYTHING defaults to PASS, which is not what most people would intend using PF_DEFAULT_TO_DROP.

Consider this: until pf or ipf or ipfw makes an ioctl to hook themselves, the pfil layer in the kernel has no idea what the filter will be,
assuming there even is one. Thus PF_DEFAULT_TO_DROP has zero effect (and likewise the equivalents from the other filters).

As I said, this is because there's no mechanism within PFIL to drop by default, which is why I proposed (and am using on my system) the PFIL_DEFAULT_TO_DROP,
because it handles ALL of the 'no filter installed (yet)' cases. If PFIL_DEFAULT_TO_DROP isn't in the kernel config file, my patches have no effect at all,
so it's a simple mechanism for those that want more than PF_DEFAULT_TO_DROP can ever provide.

thanks!
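A small constructed model of the ordering argued in this thread (an added illustration, not FreeBSD's pfil(9) or pf code; every name in it is hypothetical): pf's default-to-drop rule can only answer once pf has hooked itself into the chain, an empty pfil chain answers pass on its own, and the proposed option changes that empty-chain answer for the IPv4/IPv6 heads only.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the pfil decision order; hypothetical names, not
 * the real pfil(9)/pf(4) implementation. */
enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };
enum head { HEAD_INET = 0, HEAD_INET6 = 1, HEAD_LOCAL = 2, HEAD_LINK = 3 };

struct model {
    bool pfil_default_to_drop;  /* proposed PFIL_DEFAULT_TO_DROP kernel option */
    bool pf_hooked;             /* pf issued its ioctl and sits in the pfil chain */
    bool pf_default_to_drop;    /* PF_DEFAULT_TO_DROP / net.pf.default_to_drop=1 */
    bool pf_rules_loaded;       /* pfctl managed to load a ruleset */
};

/* pf's answer once it is actually in the chain. A loaded ruleset is assumed
 * to pass the packet, so only pf's default rule matters in this model. */
static enum verdict pf_hook(const struct model *m)
{
    if (m->pf_rules_loaded)
        return VERDICT_PASS;
    return m->pf_default_to_drop ? VERDICT_DROP : VERDICT_PASS;
}

/* With nothing hooked, pfil itself decides, and its built-in answer is pass.
 * The proposed option flips that for the inet/inet6 heads only; the loopback
 * and link-layer heads are left untouched, as the patch description says. */
static enum verdict pfil_run_hooks(const struct model *m, enum head h)
{
    if (m->pf_hooked)
        return pf_hook(m);
    if (m->pfil_default_to_drop && (h == HEAD_INET || h == HEAD_INET6))
        return VERDICT_DROP;
    return VERDICT_PASS;
}

int main(void)
{
    /* pf built with PF_DEFAULT_TO_DROP, but pfctl failed before hooking */
    struct model unhooked = { false, false, true, false };
    /* same failure on a kernel built with the proposed PFIL_DEFAULT_TO_DROP */
    struct model guarded  = { true,  false, true, false };
    /* pf hooked, default-to-drop set, ruleset failed to load */
    struct model hooked   = { false, true,  true, false };

    printf("unhooked, inet: %s\n", pfil_run_hooks(&unhooked, HEAD_INET) ? "drop" : "pass");
    printf("guarded,  inet: %s\n", pfil_run_hooks(&guarded, HEAD_INET) ? "drop" : "pass");
    printf("guarded,  link: %s\n", pfil_run_hooks(&guarded, HEAD_LINK) ? "drop" : "pass");
    printf("hooked,   inet: %s\n", pfil_run_hooks(&hooked, HEAD_INET) ? "drop" : "pass");
    return 0;
}
```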

From: Zhenlei Huang <zlei@FreeBSD.org>
Sent: April 7, 2025 7:55 PM
To: Robert Austen <robert.austen@willowglensystems.com>
Cc: freebsd-current@freebsd.org; freebsd-net@freebsd.org; Kristof Provost <kp@FreeBSD.org>
Subject: Re: pfil_default_to_drop


On Apr 8, 2025, at 6:36 AM, Robert Austen <robert.austen@willowglensystems.com> wrote:

From: Robert Austen
Sent: April 7, 2025 4:21 PM
To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>
Subject: pfil_default_to_drop
Hello,
I've been playing with FreeBSD and PF to build myself a new firewall, as Open/FreeBSD + PF seems to be a common starting point.

I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP and the like, with the observations that it's hard
to ensure that packets all default to drop if the rule file(s) for whatever reason fail to load.

Hi Robert,

So why not define the compile option PF_DEFAULT_TO_DROP, and preload pf.ko (via loader(8), /boot/loader.conf)?

With 13.5, or the upcoming 14.3 (you can also experiment with the latest stable/14), you can turn the loader tunable net.pf.default_to_drop to 1, and preload pf.ko. See also https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd .


After looking thru the online documentation, forums and scripts, I came to the conclusion that it's not a PF problem or IPFW etc
or really a problem with any of the filters or scripts, the problem is at the level of PFIL, the kernel packet filtering code: If no
filter is loaded, i.e. if the heads are unhooked, then PFIL sends everything thru to its destination. So my thought
was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_DEFAULT_TO_DROP) that drops all the
IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded chosen filter (PF or whatever) at any given time the
hooks are unhooked.

If no firewall is loaded, then the system should behave as is. I do not think PFIL_DEFAULT_TO_DROP is the right way to handle your case.


[No one filters on local loopback nor the link layer, so I've left those hooks untouched. I suppose one could add them,
maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt there's much demand for it.]

Normally I'm an embedded Linux kernel basher.
I'm not entirely sure where to send this patch. Most of the threads asking the above PF questions are closed to changes,
so that doesn't seem a good place. Sir Dice seems to be a common answerer of questions; I would have sent it to him/her
if I could...

I'm not a user of Git, so I'm not sure how to submit a "Git formatted patch"...
I've simply diff -rdpNU 5 a copy of the @old folder with a copy of the @new folder. The code was written against FreeBSD-14.1-RELEASE-amd64,
but I suspect the kernel code in the networking core doesn't change much from platform to platform, or version to version.

But it works, it's pretty simple, pretty small and so just in case it might be useful, I'm passing it along.

thanks!


Robert

<FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip>