Date:      Tue, 15 Nov 2022 22:02:50 +0100
From:      Juraj Lutter <otis@FreeBSD.org>
To:        Chris <bsd-lists@bsdforge.com>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: pf options in kernel
Message-ID:  <96B5F854-DD69-478C-BAE0-2E753AA7B8D7@FreeBSD.org>
In-Reply-To: <956b5ca1d8632e9a497cec80969096e0@bsdforge.com>
References:  <Y3P69NuvWOhxdmux@openbsd.local> <956b5ca1d8632e9a497cec80969096e0@bsdforge.com>



> On 15 Nov 2022, at 21:53, Chris <bsd-lists@bsdforge.com> wrote:
>
> On 2022-11-15 12:47, void wrote:
>> Hi,
>> Is there any advantage to having
>> device pf
>> options PF_DEFAULT_TO_DROP
>> built into the kernel, over having
>> "set block-policy drop" in /etc/pf.conf and "pf_enable="YES"" in /etc/rc.conf?
>
> six of one, or a half dozen of the other. IOW no, not really. :-)

The difference is that when pf is being enabled in rc.conf, there is a time window when the
system is “unprotected”, while when pf is built into the kernel with PF_DEFAULT_TO_DROP,
the system is not exposed to a potentially hostile network environment (as the rules
are loaded as part of the rc sequence, but you must explicitly allow traffic).

otis

—
Juraj Lutter
otis@FreeBSD.org
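A ruleset that satisfies the "you must explicitly allow traffic" requirement described above, added here as an illustration and not taken from the thread or from FreeBSD's own sample configuration. It assumes an external interface named em0 and a management network 192.0.2.0/24; both are placeholders. Two points it makes concrete: `set block-policy drop` only decides whether a blocked packet is dropped silently or answered with a RST/ICMP unreachable, so on a kernel without PF_DEFAULT_TO_DROP an explicit `block all` rule is what turns the ruleset into default-deny; and with PF_DEFAULT_TO_DROP built in, the kernel already drops everything before this file is loaded, so the ruleset below simply has to open the traffic the host needs.

```conf
# /etc/pf.conf (constructed example; interface name and management
# network are assumptions, not values from the thread)
ext_if    = "em0"           # assumed external interface
admin_net = "192.0.2.0/24"  # assumed management network (documentation range)

# Drop blocked packets silently rather than returning RST/ICMP unreachable.
# This only chooses *how* a block is applied; it does not change the default action.
set block-policy drop
set skip on lo0

# Explicit default deny. Without PF_DEFAULT_TO_DROP in the kernel, any packet
# that matches no rule would otherwise be passed, so this line is essential.
# With PF_DEFAULT_TO_DROP it is redundant but harmless, and keeps the policy
# visible in one place.
block log all

# Stateful outbound traffic originated by this host.
pass out quick on $ext_if inet proto { tcp udp icmp } from ($ext_if) keep state

# The only inbound service: SSH, and only from the management network.
pass in quick on $ext_if inet proto tcp from $admin_net to ($ext_if) port 22 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded), then load it with `pfctl -f /etc/pf.conf` and confirm the active rules with `pfctl -sr`. Because `block log all` is present, `tcpdump -n -e -ttt -i pflog0` shows what is being refused, which is the quickest way to tell whether a service you expected to reach is missing a `pass` rule.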



