From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 02:37:13 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E1A6E16A4DA; Mon, 17 Jul 2006 02:37:13 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2507143D45; Mon, 17 Jul 2006 02:37:12 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id k6H2b1Xu023117 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Mon, 17 Jul 2006 04:37:01 +0200 (MEST)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id k6H2b1Or010073; Mon, 17 Jul 2006 04:37:01 +0200 (MEST)
Date: Mon, 17 Jul 2006 04:37:00 +0200
From: Daniel Hartmeier
To: Giorgos Keramidas
Message-ID: <20060717023700.GF3240@insomnia.benzedrine.cx>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <86y7utgt0o.fsf@xps.des.no> <20060716214456.GE3240@insomnia.benzedrine.cx> <20060716223601.GA5039@gothmog.pc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20060716223601.GA5039@gothmog.pc>
User-Agent: Mutt/1.5.10i
Cc: Dag-Erling Smørgrav, freebsd-pf@freebsd.org, Ari Suutari, freebsd-security@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Mon, 17 Jul 2006 02:37:14 -0000

On Mon, Jul 17, 2006 at 01:36:01AM +0300, Giorgos Keramidas wrote:
> I haven't verified that this is the _only_ change needed to make PF
> block everything by default, but having it as a compile-time option
> which defaults to block everything would be nice, right?

Sure, when FreeBSD's default becomes to compile pf into the kernel or load it by BTX, that makes sense. Otherwise it doesn't.

This is not about a style pet-peeve that some people have. There is no common case where users forget to add a default block rule when they intend to have one. Real production rulesets contain not just one but several explicit block rules (generating replies for only certain blocks, logging only certain blocks, etc.).

The only technical reason for this is in a specific case like the one DES brought up. If you load pf as a module and enable it halfway through the rc.d startup sequence, there's no need for it that I can see. It doesn't plug the boot-time hole, if there is one.

Daniel
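The point about production rulesets carrying several differentiated block rules rather than one implicit default can be seen in a small pf.conf. The following is an added example for this archive page, not a ruleset from the mail or from the FreeBSD or OpenBSD projects; the interface name, the management network and the port list are constructed values.

```conf
# Constructed example pf.conf (not from the original mail). It shows why a
# built-in "block everything" default would not replace the explicit block
# rules an administrator writes: each block below behaves differently.
ext_if   = "em0"                # assumed external interface
mgmt_net = "192.0.2.0/24"       # constructed management network (RFC 5737 range)

set skip on lo0

# Default policy: silently drop everything and log nothing. This is the
# rule a compile-time default would duplicate, and it is the least
# interesting one in the file.
block drop all

# Hosts on the management network get an immediate TCP RST / ICMP
# unreachable instead of a silent timeout, still without logging.
block return in on $ext_if from $mgmt_net

# Connection attempts to management ports from anywhere else are logged
# to pflog0 so they can be reviewed; "! $mgmt_net" keeps the two block
# policies from overlapping.
block log in on $ext_if proto tcp from ! $mgmt_net to ($ext_if) port { 22, 179 }

# Packets arriving on $ext_if that claim a source address belonging to
# that interface's own network are dropped and logged. "quick" stops
# rule evaluation so no later pass rule can override this.
antispoof log quick for $ext_if

# Last matching rule wins for everything without "quick", so these pass
# rules override the blocks above only for the traffic they name.
pass out on $ext_if keep state
pass in on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. The ruleset only takes effect once pf is enabled; it says nothing about traffic that passes before the rc.d sequence reaches that step, which is the separate boot-time question the thread is about.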