From: Harald Muehlboeck
Date: Mon, 17 Jul 2006 10:25:37 +0200
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
In-Reply-To: <20060717023700.GF3240@insomnia.benzedrine.cx> (Daniel Hartmeier's message of "Mon, 17 Jul 2006 04:37:00 +0200")
Message-ID: <86hd1ghc3i.fsf@tuha.clef.at>

Daniel Hartmeier writes:

> On Mon, Jul 17, 2006 at 01:36:01AM +0300, Giorgos Keramidas wrote:
>
>> I haven't verified that this is the _only_ change needed to make PF
>> block everything by default, but having it as a compile-time option
>> which defaults to block everything would be nice, right?
>
> Sure, when FreeBSD's default becomes to compile pf into the kernel or load
> it by BTX, that makes sense. Otherwise it doesn't.

What do you mean by "default"? None of the firewalls available with FreeBSD (ipfw, ipf, pf) is part of the GENERIC kernel. But many users will compile the firewall of their choice into their CUSTOM kernels. For ipfw and ipf this can be done with either a "default to accept" or a "default to deny" policy by adding the option

    options IPFIREWALL_DEFAULT_TO_DENY

or

    options IPFILTER_DEFAULT_BLOCK

to the custom kernel configuration file.
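The point above (ipfw and ipf carry a compile-time default-policy option, pf does not) can be checked against a custom kernel config before building. The following audit script is an added example, not code from the thread or from FreeBSD; the option and device names are the ones named in the discussion, the sample config is constructed, and the script does not follow `include` lines or honour `nooptions`/`nodevice`.

```sh
#!/bin/sh
# Report which firewalls a FreeBSD custom kernel config compiles in and
# what compile-time default policy (if any) each one gets.
# Usage: firewall_policy /usr/src/sys/i386/conf/CUSTOM

# Does the cleaned option list contain exactly this token?
has_opt() {
    printf '%s\n' "$KOPTS" | grep -qx "$1"
}

# firewall_policy CONFIG_FILE  ->  one line per firewall:
#   "<name> <enabled|absent> <policy>"
firewall_policy() {
    # Drop comments, keep the second word of "options"/"device" lines.
    # (Caveat: "include" and "nooptions"/"nodevice" are not processed.)
    KOPTS=$(sed -e 's/#.*//' "$1" |
            awk '$1=="options" || $1=="device" {print $2}')

    if has_opt IPFIREWALL; then
        if has_opt IPFIREWALL_DEFAULT_TO_DENY; then p=deny; else p=accept; fi
        echo "ipfw enabled $p"
    else
        echo "ipfw absent -"
    fi

    if has_opt IPFILTER; then
        if has_opt IPFILTER_DEFAULT_BLOCK; then p=block; else p=pass; fi
        echo "ipf enabled $p"
    else
        echo "ipf absent -"
    fi

    if has_opt pf; then
        # No compile-time default-policy option exists for pf; what it
        # does before the real rules load is set by the boot ruleset.
        echo "pf enabled ruleset-defined"
    else
        echo "pf absent -"
    fi
}

# Constructed sample kernel config used for the demonstration run.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
include GENERIC
ident   CUSTOM
options IPFIREWALL                  # ipfw compiled in ...
options IPFIREWALL_DEFAULT_TO_DENY  # ... and closed by default
device  pf                          # pf compiled in, no such option
EOF

firewall_policy "$SAMPLE_CFG"
```

For the sample config this prints `ipfw enabled deny`, `ipf absent -` and `pf enabled ruleset-defined`.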