Date: Mon, 17 Jul 2006 04:37:00 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc: Dag-Erling Smørgrav <des@des.no>, freebsd-pf@freebsd.org, Ari Suutari <ari@suutari.iki.fi>, freebsd-security@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060717023700.GF3240@insomnia.benzedrine.cx>
In-Reply-To: <20060716223601.GA5039@gothmog.pc>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <86y7utgt0o.fsf@xps.des.no> <20060716214456.GE3240@insomnia.benzedrine.cx> <20060716223601.GA5039@gothmog.pc>
On Mon, Jul 17, 2006 at 01:36:01AM +0300, Giorgos Keramidas wrote:

> I haven't verified that this is the _only_ change needed to make PF
> block everything by default, but having it as a compile-time option
> which defaults to block everything would be nice, right?

Sure, when FreeBSD's default becomes to compile pf into the kernel or load it by BTX, that makes sense. Otherwise it doesn't.

This is not about a style pet-peeve that some people have. There is no common case where users forget to add a default block rule when they intend to have one. Real production rulesets contain not just one but several explicit block rules (generating replies for only certain blocks, logging only certain blocks, etc.).

The only technical reason for this is in a specific case like DES brought up. If you load pf as a module and enable it halfway through the rc.d startup sequence, there's no need for it that I can see. It doesn't plug the boot-time hole, if there is one.

Daniel
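The point above about production rulesets carrying several distinct block rules (some returning replies, some logging, most silently dropping) is easier to see in a concrete ruleset. The following pf.conf is an added example written for this page; it is not Daniel's code nor anything from the thread, and the interface names, network ranges and ports are assumptions chosen for illustration. It relies on pf's last-matching-rule semantics: the unconditional `block all` is the explicit default deny, and the later, more specific block and pass rules refine it.

```pf
# Added example (not from the original message). Interface names, the LAN
# prefix and the port numbers are assumptions for illustration only.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
scrub in all

# Explicit default deny. pf has no implicit block; if this line is missing
# the ruleset passes everything it does not otherwise match. It drops
# silently: no RST, no ICMP unreachable, and nothing is logged.
block all

# A second, different block rule: for hosts on the LAN, reject rather than
# drop so internal clients fail immediately instead of waiting on timeouts.
# Later "pass in on $int_if" rules still override this for allowed traffic.
block return in on $int_if from $lan_net

# A third block rule that logs: only the inbound drops on the external
# interface we actually want in pflog, so the log stays readable.
block in log on $ext_if proto tcp to port { 22, 3389 }

# A fourth: anti-spoofing. "quick" stops evaluation here, so no later pass
# rule can accidentally admit RFC 1918 sources arriving from the outside.
block in quick on $ext_if from $rfc1918 to any

# The pass rules that carve holes in the default deny.
pass out on $ext_if proto { tcp, udp, icmp } keep state
pass in  on $ext_if proto tcp to ($ext_if) port 22 keep state
pass in  on $int_if from $lan_net keep state
```

Before loading, check the syntax with a dry run (`pfctl -nf /etc/pf.conf`); loading it for real with `pfctl -f` replaces the active ruleset. Note that none of these rules help with the boot-time window the thread is about: pf only enforces them once the module is loaded and the ruleset is read, so anything the system does before that point in rc.d is not covered.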
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060717023700.GF3240>