Date: Mon, 17 Jul 2006 21:59:23 +0300
From: Ari Suutari <ari@suutari.iki.fi>
To: "Simon L. Nielsen" <simon@nitro.dk>
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <44BBDE0B.6050004@suutari.iki.fi>
In-Reply-To: <20060717122127.GC1087@zaphod.nitro.dk>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <20060717122127.GC1087@zaphod.nitro.dk>
Hi,

Simon L. Nielsen wrote:
> Since nobody else seems to have actually done this, I took a look at
> FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
> see a hole. Most importantly pf is enabled before routing.

I did this yesterday, but this thread has gotten quite active so maybe you lost the results. But my findings were the same as yours: pf is enabled before routing, which means that the hole I was afraid of doesn't exist.

> Personally I would still like a default to deny knob, but that's
> mainly to handle the case of an invalid ruleset which causes pf to be
> left open. Yes, this is only a problem when the admin screws up, but
> it happens...

Yes, and it might be quite common: someone edits the ruleset but leaves it unfinished because other, higher-priority jobs arrive (from the boss...), and then someone else accidentally reboots your firewall... Default deny (or rc.d/pf_boot) would help here.

Ari S.
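The failure mode discussed above (a half-edited /etc/pf.conf that fails to parse at boot and leaves pf open) can be closed with a validate-before-load step that falls back to a minimal default-deny ruleset. The script below is an added illustration written for this page; it is not FreeBSD's rc.d/pf, NetBSD's rc.d/pf_boot, or any file from the thread. It assumes the paths /etc/pf.conf and /etc/pf.boot.conf (the second name is taken from the subject line, its contents here are constructed) and uses only `pfctl -n -f` (parse without loading) and `pfctl -f` (load), both of which are standard pfctl options.

```sh
#!/bin/sh
# Added example: never leave pf open because the main ruleset is broken.
# Parse /etc/pf.conf first; if it fails, load a constructed default-deny
# ruleset instead so the box boots closed rather than open.

PFCTL="${PFCTL:-/sbin/pfctl}"                     # pfctl binary (overridable for testing)
MAIN_RULES="${MAIN_RULES:-/etc/pf.conf}"          # assumed path of the real ruleset
BOOT_RULES="${BOOT_RULES:-/etc/pf.boot.conf}"     # assumed path of the fallback ruleset

# Print a minimal default-deny ruleset (constructed for this example).
# Loopback is skipped so local services keep working while the admin
# repairs the real ruleset from the console.
default_deny_ruleset() {
    cat <<'EOF'
# fallback ruleset: deny everything until /etc/pf.conf parses again
set skip on lo0
block all
EOF
}

# Load the main ruleset if it parses, otherwise the fallback.
# Returns 0 when the main ruleset was loaded, 1 when the fallback was used.
load_pf_rules() {
    if "$PFCTL" -n -f "$MAIN_RULES" >/dev/null 2>&1; then
        "$PFCTL" -f "$MAIN_RULES"
        return 0
    fi
    echo "pf: $MAIN_RULES failed to parse, loading default-deny ruleset from $BOOT_RULES" >&2
    "$PFCTL" -f "$BOOT_RULES"
    return 1
}

# Stand-alone use (requires root and pfctl): write the fallback file once,
# then run the guarded load.
if [ "${1:-}" = "--run" ]; then
    [ -f "$BOOT_RULES" ] || default_deny_ruleset > "$BOOT_RULES"
    load_pf_rules
fi
```

Run it as `sh pf_guard.sh --run` from an rc script that is ordered before routing, as the thread notes rcorder already does for pf. The important property is that both branches end with some ruleset loaded; a parse error in the main file is logged and degrades to "block all" rather than to "pass everything".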