Date: Sun, 16 Jul 2006 23:44:56 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060716214456.GE3240@insomnia.benzedrine.cx>
In-Reply-To: <86y7utgt0o.fsf@xps.des.no>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <86y7utgt0o.fsf@xps.des.no>
On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:

> > Hence, a "default block" switch or compile time option _within_ pf is
> > not going to make any difference.
>
> Sure it will, if pf is compiled into the kernel or loaded by the BTX
> loader.

Ok, in that case I guess you want to enable pf by default, too.

I haven't tried it in this mode, but the default block can be achieved by
simply changing sys/contrib/pf/pf_ioctl.c pf_attach()

- pf_default_rule.action = PF_PASS;
+ pf_default_rule.action = PF_DROP;
bzero(&pf_status, sizeof(pf_status));
+ pf_status.running = 1;

That would then block all packets on all interfaces, until a ruleset is
loaded.

If anything started through the startup scripts needs unblocked packets
(including the production ruleset loading requiring name resolution over
network), you'd need to first load a simpler temporary ruleset to pass
that, and finally replace it with the production ruleset.

And, of course, if the boot sequence for any reason doesn't reach that
point, you can only fix stuff with local access... :)

I'm not sure the average user _really_ is worried enough about that half
a second period on boot. But I DO know there will be people locking
themselves out from far-away remote hosts (on updates, for instance) if
this becomes the default.

Daniel
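Review bot: `+ pf_status.running = 1;` only flips the status flag; on FreeBSD the pfil hooks that actually hand packets to pf_test() are attached in the DIOCSTART (pfctl -e) path, so verify that pf_attach() also registers them here. If it does not, pf will report itself as running while no packet is ever filtered, and a later `pfctl -e` is refused because running is already set, so the `PF_DROP` default never takes effect. Placing the assignment after `bzero(&pf_status, sizeof(pf_status));` is correct (the bzero would otherwise clear it), but the posted snippet has no file header or @@ context, so it cannot be applied with patch(1) as shown; please post a unified diff. Also worth stating in the commit message: with no ruleset loaded the default rule applies to lo0 as well, so local services (resolver, syslog) are hit by the default block unless the temporary boot ruleset skips loopback.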
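The temporary boot ruleset the reply describes, written out as an added example (it is not from the thread, and not NetBSD's actual /etc/pf.boot.conf): it passes only what the remaining startup scripts need (loopback, name resolution, and an admin SSH path so a broken production ruleset cannot lock the box), and is meant to be replaced by /etc/pf.conf later in the boot. The interface name em0, the resolver 192.0.2.53 and the admin network 198.51.100.0/24 are placeholders; the explicit `keep state` matches pf of the 2006 era, where state was not created by default.

```pf
# /etc/pf.boot.conf (example, not part of the thread): minimal ruleset loaded
# early so the rest of rc(8) can resolve names and fetch the real ruleset.
# Interface, resolver and admin network below are placeholders.
ext_if    = "em0"
dns_srv   = "192.0.2.53"
admin_net = "198.51.100.0/24"

# Loopback never hits the default block, so local services keep working.
set skip on lo0

# Deny by default. No "quick" here, so the later pass rules still win
# (last matching rule applies).
block log all

# Name resolution for scripts that need it, including "pfctl -f /etc/pf.conf"
# itself if the production ruleset uses hostnames. Stateful so replies return.
pass out on $ext_if proto { udp, tcp } from ($ext_if) to $dns_srv port domain keep state

# Keep a remote door open from the admin network; state handles the replies.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port ssh flags S/SA keep state

# Intended load order, from the rc scripts (illustrative):
#   pfctl -f /etc/pf.boot.conf    # early, before network-dependent scripts
#   ...                           # named, ntpd, fetching rules, etc.
#   pfctl -f /etc/pf.conf         # production ruleset replaces this one
```

If the production ruleset is loaded from a remote source, keep the `pass in ... port ssh` rule in it as well; the boot ruleset only protects the window between pf starting and the final `pfctl -f`, not a production ruleset that forgets the admin path.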
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060716214456.GE3240>