From owner-freebsd-security@FreeBSD.ORG Sun Jul 16 21:15:37 2006
Message-ID: <20060716211536.95545.qmail@web30305.mail.mud.yahoo.com>
Date: Sun, 16 Jul 2006 14:15:36 -0700 (PDT)
From: "R. B. Riddick"
To: Ari Suutari
Cc: freebsd-security@freebsd.org
In-Reply-To: <44BA9ECA.6090607@suutari.iki.fi>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

--- Ari Suutari wrote:

> On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
> pf is run after netif so if one is using only pf as firewall,
> there is a window between run of "netif" and "pf" where network
> interfaces are up but there is no firewall loaded. Adding
> pf_boot, which runs before "netif" would fix this, wouldn't it ?
>

Hi!

I would feel better when the box is either completely unreachable (due to disabled hardware, e.g. a downed interface) or at least protected by a packet filter _all_ the time... That is one reason why I use ipfw _and_ pf at the same time on all my boxes...

As you can see in appendix A, ipfw2 is initialized even before the hard disks but after the network interfaces, which are detected some lines earlier. Are the NICs still down and _safe_ after that detection phase?

Isn't it possible to just activate pf just like ipfw in order to deny all incoming and outgoing traffic (to me it looks like a design flaw when the boot-up scripts rely on a misconfigured/disabled packet filter...)?

Bye
Arne

appendix A:
[...]
Jul 16 06:58:53 neo kernel: vr0: Ethernet address: 00:0a:e6:XX:XX:XX
[...]
Jul 16 06:58:53 neo kernel: ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to deny, logging disabled
Jul 16 06:58:53 neo kernel: ad0: 194481MB at ata0-master UDMA133
[...]
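The rcorder check Ari describes, turned into a script (an added example, not code from the thread or from FreeBSD): feed it the output of `rcorder /etc/rc.d/*` and it reports whether any packet-filter rc.d script (pf_boot, pf or ipfw) is ordered before netif. The two orderings embedded below are constructed to resemble the FreeBSD 6.1 default and a NetBSD-style pf_boot insertion; they are not real rcorder output.

```shell
#!/bin/sh
# Added example: detect the "interfaces up, no filter loaded" window from the
# rc.d ordering. Reads one script path per line on stdin (rcorder output).
# Prints one line per filter script found; returns 0 when at least one filter
# script runs before netif, 1 otherwise. Note: this only looks at rc.d order.
# A kernel with ipfw compiled in and defaulting to deny (Arne's appendix A)
# is already filtering before any rc.d script runs, which this check cannot see.
fw_before_netif() {
  awk '
    { n++; name = $0; sub(/.*\//, "", name); pos[name] = n }
    END {
      if (!("netif" in pos)) { print "netif not found in ordering"; exit 1 }
      ok = 0
      split("pf_boot pf ipfw", fw, " ")
      for (i = 1; i <= 3; i++) {
        s = fw[i]
        if (!(s in pos)) continue
        if (pos[s] < pos["netif"]) { print s ": before netif"; ok = 1 }
        else print s ": AFTER netif (window without filter)"
      }
      exit (ok ? 0 : 1)
    }'
}

# Constructed ordering resembling the FreeBSD 6.1 default: pf after netif.
default_order="/etc/rc.d/hostid
/etc/rc.d/mountcritlocal
/etc/rc.d/netif
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/ipfw
/etc/rc.d/routing"

# Constructed ordering with a pf_boot script placed before netif.
with_pf_boot="/etc/rc.d/hostid
/etc/rc.d/mountcritlocal
/etc/rc.d/pf_boot
/etc/rc.d/netif
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing"

# check_order "<ordering>" : runs the check on an embedded ordering.
check_order() { printf '%s\n' "$1" | fw_before_netif; }
```

On a live system, `rcorder /etc/rc.d/* | fw_before_netif` gives the same verdict for the real boot order.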