From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Daniel Hartmeier
Cc: Dag-Erling Smørgrav, freebsd-pf@freebsd.org, freebsd-security@freebsd.org
Date: Mon, 17 Jul 2006 01:36:01 +0300
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060716223601.GA5039@gothmog.pc>
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <86y7utgt0o.fsf@xps.des.no> <20060716214456.GE3240@insomnia.benzedrine.cx>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 2006-07-16 23:44, Daniel Hartmeier wrote:
> On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
> >> Hence, a "default block" switch or compile time option _within_ pf is
> >> not going to make any difference.
> >
> > Sure it will, if pf is compiled into the kernel or loaded by the BTX
> > loader.
>
> Ok, in that case I guess you want to enable pf by default, too.
>
> I haven't tried it in this mode, but the default block can be achieved
> by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()
>
> - pf_default_rule.action = PF_PASS;
> + pf_default_rule.action = PF_DROP;
>
> bzero(&pf_status, sizeof(pf_status));
> + pf_status.running = 1;

If this is the only change needed, then do you think it would be nice
to have it as a compile-time option, like IPFW does?  Something like
this perhaps?

    options PF_DEFAULT_TO_ACCEPT    # allow everything by default

I haven't verified that this is the _only_ change needed to make PF
block everything by default, but having it as a compile-time option
which defaults to block everything would be nice, right?
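Review bot: taken together, the two hunks make pf active with a drop-everything default from the moment pf_attach() runs, i.e. before any ruleset has been loaded, so every packet reaching pf is dropped until pfctl loads rules; the early ruleset (the rc.d/pf_boot-style one this thread is about) therefore has to carry whatever the boot sequence needs, and since the author says the change is untested in this mode it should sit behind a compile-time option rather than be applied unconditionally. Note also that `pf_status.running = 1;` must stay after the `bzero(&pf_status, ...)` line as shown, since the bzero would otherwise clear it, and that the hunks carry no `@@` headers or line context, so they illustrate the change rather than apply as a patch.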
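The following is an added illustration, not code from this mail or from pf itself, of how a kernel compile-time option such as the proposed `PF_DEFAULT_TO_ACCEPT` could select between today's pass-and-disabled startup and the drop-and-running startup Daniel's hunks produce. The `struct pf_rule` and `struct pf_status` here are minimal userland stand-ins for pf's real structures, and `pf_attach_example()`, `pf_default_action()` and `pf_test_unmatched()` are hypothetical names; only `PF_PASS`, `PF_DROP`, `pf_default_rule`, `pf_status.running` and the option name come from the thread. Build without `-D` to get the fail-closed default, or with `-DPF_DEFAULT_TO_ACCEPT` for the current behaviour.

```c
/* Added example (not from the mail or from pf): selecting pf's default
 * action with a compile-time option, in the spirit of IPFW's
 * IPFIREWALL_DEFAULT_TO_ACCEPT.  Structures are simplified stand-ins. */
#include <stdio.h>
#include <string.h>

enum { PF_PASS, PF_DROP };          /* same action names as pf uses */

struct pf_rule   { int action; };   /* stand-in for pf's struct pf_rule */
struct pf_status { int running; };  /* stand-in for pf's struct pf_status */

static struct pf_rule   pf_default_rule;
static struct pf_status pf_status;

/* Default action chosen at compile time: pass only if the kernel config
 * explicitly asked for it, otherwise fail closed. */
static int
pf_default_action(void)
{
#ifdef PF_DEFAULT_TO_ACCEPT
	return PF_PASS;
#else
	return PF_DROP;
#endif
}

/* Hypothetical attach routine mirroring the shape of Daniel's hunks:
 * set the default rule, zero the status, then (for the drop default)
 * mark the filter running so the default rule is enforced before rc.d
 * has loaded any ruleset. */
static void
pf_attach_example(void)
{
	pf_default_rule.action = pf_default_action();
	memset(&pf_status, 0, sizeof(pf_status));   /* pf uses bzero() here */
#ifndef PF_DEFAULT_TO_ACCEPT
	pf_status.running = 1;   /* must come after the zeroing, as in the hunk */
#endif
}

/* Fate of a packet that matched no loaded rule: while pf is not running
 * nothing is filtered at all; once running, the default rule decides. */
static int
pf_test_unmatched(void)
{
	if (!pf_status.running)
		return PF_PASS;
	return pf_default_rule.action;
}

int
main(void)
{
	pf_attach_example();
	printf("pf running at attach: %d, unmatched packets: %s\n",
	    pf_status.running,
	    pf_test_unmatched() == PF_DROP ? "dropped" : "passed");
	return 0;
}
```

The point the example makes is the one Giorgos is asking about: flipping the default rule alone changes nothing while `pf_status.running` is still zero, which is why the hunk that enables pf at attach time is what actually closes the window between boot and the first `pfctl` load.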