From owner-freebsd-pf@FreeBSD.ORG Mon Jul 17 18:18:32 2006
From: "Travis H." <solinym@gmail.com>
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 17 Jul 2006 13:18:26 -0500
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
In-Reply-To: <20060717122127.GC1087@zaphod.nitro.dk>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <20060717122127.GC1087@zaphod.nitro.dk>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On 7/17/06, Simon L. Nielsen wrote:
> Personally I would still like a default to deny knob, but that's
> mainly to handle the case of an invalid ruleset which causes pf to be
> left open. Yes, this is only a problem when the admin screws up, but
> it happens...

Since you mention it, this would have been useful to me too.

My dynamic firewall daemon manages the ruleset (see homepage), and not all rules are sent to pf at once, and the active rules persist across reboots. In my case, I made a simple error in the script: it flushed the rules (I think...), failed to load a ruleset, but in any case I ended up with an invalid ruleset at boot time, and consequently a completely open firewall.

Subsequent to this, I made sure it wouldn't happen again in various ways, but since I didn't have adequate reporting I didn't know it was wide open until several days later. It may be that I hung myself, but I'm pretty good with firewalls, and if it can happen to me it can happen to others. OTOH, if it had had default block, I would have known immediately.

Fortunately I didn't seem to suffer any ill effects; the obsd firewall runs minimal services.

-- 
``I am not a pessimist. To perceive evil where it exists is, in my opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
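The fail-closed boot sequence the thread is asking for, as an added example that is not code from the message above, from NetBSD's /etc/rc.d/pf_boot, or from FreeBSD's rc.d: install a minimal default-deny ruleset first, check the production ruleset with pfctl -n, and only then load it, so a ruleset that fails to parse (or to load) leaves the host blocked rather than open. The file paths, the PFCTL override variable and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread, NetBSD's /etc/rc.d/pf_boot or
# FreeBSD's rc.d. A fail-closed pf loader: install a minimal default-deny
# ruleset before anything else, then replace it with the real ruleset only
# once pfctl has accepted it. Paths and names below are assumptions.

PFCTL="${PFCTL:-pfctl}"                               # overridable so a stub can stand in for pfctl(8)
PF_BOOT_RULES="${PF_BOOT_RULES:-/etc/pf.boot.conf}"   # fallback ruleset (assumed path)

# Write the fallback ruleset: block everything except loopback. "block all"
# with "block-policy drop" means a later failure leaves the host silent and
# closed rather than wide open.
write_boot_rules() {
    cat > "$1" <<'EOF'
set block-policy drop
set skip on lo0
block all
EOF
}

# pf_load_fail_closed RULESET FALLBACK
# Exit status: 0 = RULESET loaded, 1 = FALLBACK is in place because RULESET
# was rejected, 2 = not even FALLBACK could be loaded (pf left disabled).
pf_load_fail_closed() {
    rules="$1"
    fallback="$2"

    # Step 1: default-deny first. Never enable pf with an empty ruleset.
    if ! "$PFCTL" -f "$fallback"; then
        echo "pf: cannot load fallback ruleset $fallback; leaving pf disabled" >&2
        return 2
    fi
    "$PFCTL" -e 2>/dev/null || true       # -e fails harmlessly if pf is already enabled

    # Step 2: parse-only check (-n) of the real ruleset. This catches syntax
    # errors and unresolvable names without touching the kernel ruleset.
    if ! "$PFCTL" -n -f "$rules"; then
        echo "pf: $rules rejected by pfctl -n; keeping default-deny fallback" >&2
        return 1
    fi

    # Step 3: load for real. pfctl replaces the ruleset atomically, but the
    # fallback is reloaded explicitly in case the loader is ever changed to
    # flush (-F) before loading, the sequence suspected in the message above.
    if ! "$PFCTL" -f "$rules"; then
        echo "pf: loading $rules failed; restoring default-deny fallback" >&2
        "$PFCTL" -f "$fallback"
        return 1
    fi
    return 0
}

# Usage as root on a pf host:  sh pf_boot.sh /etc/pf.conf
if [ $# -eq 1 ]; then
    [ -f "$PF_BOOT_RULES" ] || write_boot_rules "$PF_BOOT_RULES"
    pf_load_fail_closed "$1" "$PF_BOOT_RULES"
fi
```

The order matters: the fallback goes in before pf is enabled, and the production ruleset is never flushed first, so every failure path ends with "block all" in the kernel. Wiring the exit status into rc or a monitoring check gives the reporting the message above says was missing; a status of 1 at boot means the host is up but closed, which is the condition an admin wants to hear about immediately.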