Date: Sun, 16 Jul 2006 23:56:35 +0100
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Daniel Hartmeier'" <daniel@benzedrine.cx>, 'Dag-Erling Smørgrav' <des@des.no>
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject: RE: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <000c01c6a92b$167fcd00$0a00a8c0@thebeast>
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx>

> I'm not sure the average user _really_ is worried enough
> about that half a second period on boot. But I DO know there
> will be people locking themselves out from far-away remote
> hosts (on updates, for instance) if this becomes the default.

That is pretty much guaranteed. Murphy will always find a way to f*ck up a reboot and simultaneously cause the 2611 on the console port to halt and catch fire.

If punters want a default block, IMHO it doesn’t get much easier than using the mac_ifoff(4) kernel option discussed earlier on in the week, they can tweak the pf startup to twiddle the relevant sysctl appropriately at the right moment in time.

In order to salve the consciences of those who know naught but tick boxes, and more importantly make them STFU and annoy someone else. Perhaps a codicil to the FreeBSD pf.conf manpage, detailing the mac_ifoff approach as a wholly unsupported solution for 'default block' to satisfy the anally retentive.

Greg
