Date:      Mon, 17 Jul 2006 11:13:43 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Cc:        freebsd-security@freebsd.org
Subject:   Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID:  <200607171113.54110.max@love2party.net>
In-Reply-To: <86hd1ghc3i.fsf@tuha.clef.at>
References:  <44B7715E.8050906@suutari.iki.fi> <20060717023700.GF3240@insomnia.benzedrine.cx> <86hd1ghc3i.fsf@tuha.clef.at>



Okay, now this is getting pretty pointless.  It started out pretty promising 
with an attempt to really investigate into a problem that might exist with 
the way we boot up pf.  No-one has yet provided evidence that it does exist, 
though.  What Daniel and others have suggested is that interested parties 
look at the boot process closely, identify possible windows of vulnerability 
and propose a *proper* fix in form of reorder of the boot process, an early 
pf_boot or something else.

As more and more people are screaming for rope to hang themselves with, I am 
going to provide it.  As we have established, the "fix" is a three line 
change in pf_ioctl.c and otherwise non-intrusive.  You will of course have to 
rewrite your rulesets if you have a default to block policy, but since you 
care about security, that's a little price to pay - right?

I would love to see somebody[tm] *really* looking into the boot process and 
come up with a solution if we do have a problem there.

Otherwise I will post a patch for PF_DEFAULT_BLOCK after a few days of 
cool-off time; if people then still think it's a good idea, I'll commit 
it.

Thanks.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (FreeBSD)

iD8DBQBEu1TSXyyEoT62BG0RAqUIAJoDm86oQQDKv89ejblJ4XMU/pwzeQCeKMV3
9ST0ZlzZM2H/4vW0C4V1CX4=
=anvo
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200607171113.54110.max>