From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 12:21:43 2006
Date: Mon, 17 Jul 2006 14:21:28 +0200
From: "Simon L. Nielsen"
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, Ari Suutari, freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060717122127.GC1087@zaphod.nitro.dk>
In-Reply-To: <20060716182315.GC3240@insomnia.benzedrine.cx>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx>
User-Agent: Mutt/1.5.11
List-Id: "Security issues [members-only posting]"
On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:
> The "hole" being discussed is the time, during boot, before pf is fully
> functional with the production ruleset. For a comparatively long time,
> the pf module isn't even loaded yet. The time after module load and
> enabling pf with the production ruleset is much smaller.
>
> So, you first need to check the boot sequence for
>
> - interfaces being brought up before pf is loaded
> - addresses assigned to those interfaces
> - daemons starting and listening on those addresses
> - route table getting set up
> - IP forwarding getting enabled
> - etc.

Since nobody else seems to have actually done this, I took a look at
FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really see
a hole. Most importantly pf is enabled before routing.

Personally I would still like a default-to-deny knob, but that's mainly to
handle the case of an invalid ruleset which causes pf to be left open.
Yes, this is only a problem when the admin screws up, but it happens...

(I have been looking at an rc.conf knob which would only enable
routing/forwarding if pf was properly enabled with a configured ruleset,
but I haven't gotten around to finishing that.)
# rcorder -s nostart /etc/rc.d/*
/etc/rc.d/dumpon
/etc/rc.d/initrandom
/etc/rc.d/geli
/etc/rc.d/gbde
/etc/rc.d/encswap
/etc/rc.d/ccd
/etc/rc.d/swap1
/etc/rc.d/mdconfig
/etc/rc.d/ramdisk
/etc/rc.d/early.sh
/etc/rc.d/fsck
/etc/rc.d/root
/etc/rc.d/mountcritlocal
/etc/rc.d/var
/etc/rc.d/cleanvar
/etc/rc.d/random
/etc/rc.d/adjkerntz
/etc/rc.d/atm1
/etc/rc.d/hostname
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/kldxref
/etc/rc.d/sppp
/etc/rc.d/addswap
/etc/rc.d/sysctl
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/ipsec
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing
[...]

-- 
Simon L. Nielsen
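The boot-order check Simon did by eye, as an added example that is not part of the mail, of FreeBSD's rc.d scripts, or of anything Simon or Daniel wrote: a POSIX sh script that takes rcorder(8) output and reports, for the steps in Daniel's list that have an rc.d script of their own (interfaces and addresses via netif, early sysctl.conf via sysctl, the route table and gateway_enable via routing), whether each runs before or after pf. It also carries the test an rc.conf knob of the kind Simon describes would need before turning on forwarding: pf enabled and a non-empty ruleset, read from pfctl rather than from rc.conf. SAMPLE_ORDER is the listing from the mail; the function names, the step list and the pfctl sample texts are my own (the rules are made up, the Status: line follows what pfctl -s info prints).

```shell
#!/bin/sh
# Added example, not part of the original mail or of FreeBSD's rc.d scripts.
# On a FreeBSD host use live output instead of the embedded sample:
#   check_boot_order "$(rcorder -s nostart /etc/rc.d/* 2>/dev/null)"
# SAMPLE_ORDER is the listing quoted in the mail, embedded so this runs
# offline; whatever followed the mail's "[...]" is not included.
SAMPLE_ORDER='/etc/rc.d/dumpon
/etc/rc.d/initrandom
/etc/rc.d/geli
/etc/rc.d/gbde
/etc/rc.d/encswap
/etc/rc.d/ccd
/etc/rc.d/swap1
/etc/rc.d/mdconfig
/etc/rc.d/ramdisk
/etc/rc.d/early.sh
/etc/rc.d/fsck
/etc/rc.d/root
/etc/rc.d/mountcritlocal
/etc/rc.d/var
/etc/rc.d/cleanvar
/etc/rc.d/random
/etc/rc.d/adjkerntz
/etc/rc.d/atm1
/etc/rc.d/hostname
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/kldxref
/etc/rc.d/sppp
/etc/rc.d/addswap
/etc/rc.d/sysctl
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/ipsec
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing'

# position_of ORDER NAME: 1-based position of /etc/rc.d/NAME in ORDER, 0 if absent.
position_of() {
    printf '%s\n' "$1" | awk -v want="/etc/rc.d/$2" \
        '$0 == want { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# runs_before ORDER A B: true only if both scripts are listed and A precedes B.
runs_before() {
    a=$(position_of "$1" "$2")
    b=$(position_of "$1" "$3")
    [ "$a" -gt 0 ] && [ "$b" -gt 0 ] && [ "$a" -lt "$b" ]
}

# check_boot_order ORDER: one line per step, before or after pf.  netif brings
# interfaces up and assigns addresses, sysctl applies /etc/sysctl.conf (which
# may switch forwarding on early), routing sets up the route table and applies
# gateway_enable.  Returns 0 only when pf precedes every one of them.
check_boot_order() {
    order=$1
    rc=0
    pfpos=$(position_of "$order" pf)
    if [ "$pfpos" -eq 0 ]; then
        echo "pf: not in the boot order at all"
        return 1
    fi
    for step in netif sysctl routing; do
        pos=$(position_of "$order" "$step")
        if [ "$pos" -eq 0 ]; then
            echo "$step: not listed (disabled, or beyond the end of the listing)"
            rc=1
        elif [ "$pos" -lt "$pfpos" ]; then
            echo "$step: runs BEFORE pf (position $pos, pf at $pfpos)"
            rc=1
        else
            echo "$step: runs after pf (position $pos, pf at $pfpos)"
        fi
    done
    return $rc
}

# pf_has_ruleset INFO RULES: given the text of `pfctl -s info` and
# `pfctl -s rules`, true only if pf reports Status: Enabled and at least one
# rule is loaded.  pf enabled with an empty ruleset (pf.conf failed to parse)
# passes everything, which is the "left open" case in the mail.
pf_has_ruleset() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled' || return 1
    printf '%s\n' "$2" | grep -q '[^[:space:]]'
}

# Constructed pfctl output for the offline run (rules are made up).
SAMPLE_PF_INFO='Status: Enabled for 0 days 00:00:12           Debug: Urgent'
SAMPLE_PF_RULES='block drop all
pass out all flags S/SA keep state'

if check_boot_order "$SAMPLE_ORDER"; then
    echo "boot order: pf precedes every checked step"
else
    echo "boot order: some steps run before pf is loaded"
fi
if pf_has_ruleset "$SAMPLE_PF_INFO" "$SAMPLE_PF_RULES"; then
    echo "pf gate: enabled with a ruleset, forwarding may be switched on"
fi
```

Run against the listing in the mail, the report shows routing after pf but netif and sysctl before it, which is exactly the interval Daniel's list asks about. rcorder only gives the order in which the scripts would run; it says nothing about whether pf_enable is set or whether pf.conf parsed, which is why the gate reads pf's own state from pfctl instead of trusting rc.conf.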