From: "Travis H." <solinym@gmail.com>
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Mon, 17 Jul 2006 13:18:26 -0500
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
In-Reply-To: <20060717122127.GC1087@zaphod.nitro.dk>
On 7/17/06, Simon L. Nielsen wrote:
> Personally I would still like a default to deny knob, but that's
> mainly to handle the case of an invalid ruleset which causes pf to be
> left open. Yes, this is only a problem when the admin screws up, but
> it happens...

Since you mention it, this would have been useful to me too. My dynamic firewall daemon manages the ruleset (see homepage), and not all rules are sent to pf at once, and the active rules persist across reboots.

In my case, I made a simple error in the script: it flushed the rules (I think...) and failed to load a ruleset, but in any case I ended up with an invalid ruleset at boot time, and consequently a completely open firewall. Subsequent to this, I made sure it wouldn't happen again in various ways, but since I didn't have adequate reporting I didn't know it was wide open until several days later.

It may be that I hung myself, but I'm pretty good with firewalls, and if it can happen to me it can happen to others. OTOH, if it had had default block, I would have known immediately.

Fortunately I didn't seem to suffer any ill effects; the obsd firewall runs minimal services.

-- 
``I am not a pessimist. To perceive evil where it exists is, in my opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
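The failure mode in the two messages above (rules flushed, real ruleset rejected, pf left enabled with nothing in it) is what a fail-closed boot loader is meant to prevent. The script below is an added example written for this page; it is not from the thread, not Travis's daemon, and not NetBSD's /etc/rc.d/pf_boot. It assumes the file paths and PF_BOOT_RUN/PFCTL environment variables it defines, and only the documented pfctl(8) options -e (enable), -f FILE (load ruleset) and -n -f FILE (parse without loading). The fallback "block all" ruleset is installed before the real one is attempted and is never flushed, and a rejected ruleset is reported rather than silently leaving the host open.

```shell
#!/bin/sh
# Added example, not code from this thread and not NetBSD's rc.d/pf_boot:
# a fail-closed pf loader for an rc script.  The fallback "block all"
# ruleset is installed BEFORE the real one is attempted and is never flushed,
# so a syntax error in pf.conf leaves the host blocking, not wide open, and
# the failure is logged instead of going unnoticed for days.
#
# Assumptions (mine, not the thread's): the paths below, and that pfctl(8)
# accepts -e (enable), -f FILE (load ruleset) and -n -f FILE (parse only).

PF_BOOT_CONF="${PF_BOOT_CONF:-/etc/pf.boot.conf}"   # assumed path for the fallback
PF_CONF="${PF_CONF:-/etc/pf.conf}"                  # the real ruleset
PFCTL="${PFCTL:-pfctl}"   # overridable so the logic can be exercised without pf

# Write a minimal fail-closed ruleset: drop everything, leave loopback alone.
# Add a "pass in ... from <mgmt host> to port 22" line here if you need a
# way back into the box while the real ruleset is broken.
write_boot_conf() {
    cat > "$1" <<'EOF'
set block-policy drop
set skip on lo0
block all
EOF
}

# Report a failure loudly: stderr for the console, syslog if logger(1) exists.
report() {
    echo "pf_boot: $*" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -p daemon.crit -t pf_boot "$*" 2>/dev/null || true
    fi
}

# pf_load_failclosed REAL FALLBACK
#   returns 0  real ruleset is active
#   returns 1  real ruleset rejected; FALLBACK (block all) is what is running
#   returns 2  even the fallback failed to load; pf state unknown, do not trust it
pf_load_failclosed() {
    real="$1"
    fallback="$2"

    # 1. Install the fallback first.  Note: no "pfctl -F all" anywhere; a
    #    flush followed by a failed load is exactly what leaves pf empty and open.
    if ! "$PFCTL" -f "$fallback"; then
        report "fallback ruleset $fallback failed to load; firewall state unknown"
        return 2
    fi
    # Enabling pf when it is already enabled is reported as an error; harmless here.
    "$PFCTL" -e >/dev/null 2>&1 || true

    # 2. Parse-check the real ruleset without touching the running one.
    if ! "$PFCTL" -n -f "$real"; then
        report "ruleset $real failed to parse; fail-closed fallback $fallback remains active"
        return 1
    fi

    # 3. Load it for real.  If this fails, the fallback is still installed.
    if ! "$PFCTL" -f "$real"; then
        report "ruleset $real failed to load; fail-closed fallback $fallback remains active"
        return 1
    fi
    return 0
}

# Entry point for rc(8).  Guarded so the file can be sourced (for example to
# test with a fake pfctl) without touching the live firewall.
if [ "${PF_BOOT_RUN:-0}" = 1 ]; then
    [ -f "$PF_BOOT_CONF" ] || write_boot_conf "$PF_BOOT_CONF"
    pf_load_failclosed "$PF_CONF" "$PF_BOOT_CONF"
fi
```

Run it as root from an rc script with PF_BOOT_RUN=1; the non-zero exit status and the syslog line are the "adequate reporting" that was missing in the story above. The ordering is the whole point: because the block-all ruleset is loaded first and nothing ever flushes it, the worst case after a typo in pf.conf is a host that blocks too much, which you notice immediately, rather than one that passes everything, which you notice days later.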