From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 20:54:11 2006
Date: Sun, 16 Jul 2006 16:54:10 -0400
From: Gary Palmer <gpalmer@freebsd.org>
To: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060716205410.GB6444@in-addr.com>
In-Reply-To: <20060716202253.GF29207@heff.fud.org.nz>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <44BA8A95.10300@suutari.iki.fi> <20060716191732.GD3240@insomnia.benzedrine.cx> <44BA9ECA.6090607@suutari.iki.fi> <20060716202253.GF29207@heff.fud.org.nz>

On Mon, Jul 17, 2006 at 08:22:53AM +1200, Andrew Thompson wrote:
> But.. pf runs before any userland daemons are loaded so how does it
> matter if there is a short window between netif and pf if nothing is
> listening?
That is one use case for PF, where you are protecting the local system. What if you are running PF on a multi-homed host? Is net.inet.ip.forwarding only ever set to 1 by /etc/rc.d/routing, or can that be set by something else before it gets that far?

Gary
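The question above is really about boot ordering: does any rc.d script that turns on net.inet.ip.forwarding run before the script that loads the packet filter? The following is an added illustration, not code from the thread or from FreeBSD; it reproduces rcorder(8)-style PROVIDE/REQUIRE/BEFORE ordering over a set of constructed rc.d stand-ins (the script bodies, and the hypothetical `sysctl` script that enables forwarding early, are made up for the example and are not copies of the real /etc/rc.d files) and reports which forwarding-enabling scripts land ahead of pf. On a real host the same check is `rcorder /etc/rc.d/*` combined with `grep -l net.inet.ip.forwarding /etc/rc.d/* /etc/sysctl.conf`.

```python
"""Find rc.d scripts that enable IP forwarding before the packet filter loads.

Added example; the rc.d contents below are constructed stand-ins, not
FreeBSD's real scripts.  The ordering logic mirrors what rcorder(8) does:
a script runs after everything it REQUIREs and before anything it lists
under BEFORE.
"""
import re
from collections import defaultdict

# Constructed rc.d scripts (hypothetical; keyed by file name).  The "sysctl"
# entry models an early script applying a forwarding=1 setting before netif.
SAMPLE_RCD = {
    "root": "#!/bin/sh\n# PROVIDE: root\n",
    "sysctl": "#!/bin/sh\n# PROVIDE: sysctl\n# REQUIRE: root\n"
              "sysctl net.inet.ip.forwarding=1\n",
    "netif": "#!/bin/sh\n# PROVIDE: netif\n# REQUIRE: sysctl\n",
    "pf": "#!/bin/sh\n# PROVIDE: pf\n# REQUIRE: netif\n# BEFORE: routing\n"
          "pfctl -f /etc/pf.conf\n",
    "routing": "#!/bin/sh\n# PROVIDE: routing\n# REQUIRE: netif\n"
               "sysctl net.inet.ip.forwarding=1\n",
}

HEADER_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)
FORWARDING_RE = re.compile(r"net\.inet\.ip\.forwarding\s*=\s*1")


def parse_headers(text):
    """Return (provide, require, before) keyword lists from an rc.d header."""
    fields = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, values in HEADER_RE.findall(text):
        fields[key].extend(values.split())
    return fields["PROVIDE"], fields["REQUIRE"], fields["BEFORE"]


def rc_order(scripts):
    """Topologically order scripts the way rcorder(8) would (Kahn's algorithm)."""
    provider = {}  # keyword -> script that provides it
    for name, text in scripts.items():
        provide, _, _ = parse_headers(text)
        for keyword in provide or [name]:
            provider[keyword] = name

    deps = defaultdict(set)  # script -> scripts that must run before it
    for name, text in scripts.items():
        _, require, before = parse_headers(text)
        for keyword in require:
            if keyword in provider:
                deps[name].add(provider[keyword])
        for keyword in before:  # "BEFORE: x" means x depends on us
            if keyword in provider:
                deps[provider[keyword]].add(name)

    order, remaining = [], set(scripts)
    while remaining:
        done = set(order)
        ready = sorted(n for n in remaining if deps[n] <= done)
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        order.append(ready[0])  # sorted() keeps the result deterministic
        remaining.remove(ready[0])
    return order


def forwarding_before_filter(scripts, filter_script="pf"):
    """Names of scripts that set forwarding=1 and run before the filter script."""
    order = rc_order(scripts)
    ahead_of_filter = order[: order.index(filter_script)]
    return [n for n in ahead_of_filter if FORWARDING_RE.search(scripts[n])]


if __name__ == "__main__":
    print("boot order:", " -> ".join(rc_order(SAMPLE_RCD)))
    early = forwarding_before_filter(SAMPLE_RCD)
    if early:
        print("forwarding enabled before pf by:", ", ".join(early))
    else:
        print("no script enables forwarding before pf")
```

In the constructed set, `routing` is ordered after `pf` (pf declares `BEFORE: routing`), so its forwarding sysctl is harmless, but the early `sysctl` script still flips forwarding on before netif and pf, which is exactly the window the message asks about on a multi-homed box. The check is only as good as the inputs: a setting in /etc/sysctl.conf or a loader tunable is applied outside any rc.d script and must be audited separately.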