From owner-freebsd-pf@FreeBSD.ORG Sun Jul 16 20:22:56 2006
Date: Mon, 17 Jul 2006 08:22:53 +1200
From: Andrew Thompson
To: Ari Suutari
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060716202253.GF29207@heff.fud.org.nz>
In-Reply-To: <44BA9ECA.6090607@suutari.iki.fi>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <44BA8A95.10300@suutari.iki.fi> <20060716191732.GD3240@insomnia.benzedrine.cx> <44BA9ECA.6090607@suutari.iki.fi>

On Sun, Jul 16, 2006 at 11:17:14PM +0300, Ari Suutari wrote:
> Hi,
>
> Daniel Hartmeier wrote:
> > You claimed there was a hole. If you can't explain what it consists of
> > ("thing X might get exposed prior to rc.d/pf due to the following
> > sequence of events..."),
>
> On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
> pf is run after netif so if one is using only pf as firewall,
> there is a window between run of "netif" and "pf" where network
> interfaces are up but there is no firewall loaded. Adding
> pf_boot, which runs before "netif" would fix this, wouldn't it ?

But.. pf runs before any userland daemons are loaded, so how does it matter if there is a short window between netif and pf if nothing is listening?

Andrew
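The check both sides of this exchange are arguing about can be scripted. The following is an added example, not code from the thread or from FreeBSD or NetBSD: it reads rcorder(8)-style output (one rc script path per line), reports whether a pf script (`pf`, or a NetBSD-style `pf_boot`) is ordered before `netif`, and, when it is not, prints what starts inside the window so you can judge Andrew's point about nothing listening. The sample boot orders in the block are constructed for illustration and are not real rcorder output; the `--live` mode assumes a FreeBSD host with rcorder and /etc/rc.d present.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the rc(8) boot
# order for the "netif before pf" window and list what starts inside it.
#
# pf_window_check reads rcorder-style output (one script path per line)
# from stdin. Exit status:
#   0  a pf script (pf or pf_boot) starts before netif
#   1  netif starts first; the scripts started in between are printed
#   2  netif or pf is missing from the list

pf_window_check() {
    netif_pos="" filter_pos="" n=0 window=""
    while IFS= read -r path; do
        n=$((n + 1))
        name="${path##*/}"                 # /etc/rc.d/netif -> netif
        case "$name" in
            netif)      netif_pos=$n ;;
            pf|pf_boot) if [ -z "$filter_pos" ]; then filter_pos=$n; fi ;;
        esac
        # Anything started after netif but before the first pf script runs
        # with interfaces up and no ruleset loaded: that is the window.
        if [ -n "$netif_pos" ] && [ -z "$filter_pos" ] && [ "$name" != netif ]; then
            window="$window $name"
        fi
    done
    if [ -z "$netif_pos" ] || [ -z "$filter_pos" ]; then
        echo "netif or pf not found in rc order" >&2
        return 2
    fi
    if [ "$filter_pos" -lt "$netif_pos" ]; then
        echo "ok: pf ruleset (#$filter_pos) loads before netif (#$netif_pos)"
        return 0
    fi
    echo "window: netif (#$netif_pos) runs before pf (#$filter_pos); started in between:${window:- (nothing)}"
    return 1
}

# Constructed sample orders (illustration only, not real rcorder output).
# SAMPLE_61 mimics the situation Ari describes: netif, then other scripts,
# then pf. SAMPLE_PFBOOT mimics a NetBSD-style pf_boot ordered before netif.
SAMPLE_61='/etc/rc.d/hostid
/etc/rc.d/netif
/etc/rc.d/routing
/etc/rc.d/pf
/etc/rc.d/sshd'

SAMPLE_PFBOOT='/etc/rc.d/hostid
/etc/rc.d/pf_boot
/etc/rc.d/netif
/etc/rc.d/pf
/etc/rc.d/sshd'

# Usage: run with --live on a FreeBSD host to audit the real boot order;
# with no arguments the constructed sample is checked instead.
case "${1:-}" in
    --live) rcorder /etc/rc.d/* | pf_window_check ;;
    *)      printf '%s\n' "$SAMPLE_61" | pf_window_check || : ;;
esac
```

On a real host, `sh pf_window_check.sh --live` (assumed file name) prints the scripts that sit between netif and pf; if none of them starts a listening daemon, the window is what Andrew describes. Note that pf_window_check only inspects ordering, not what those scripts do.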