Date: Tue, 15 Nov 2022 22:02:50 +0100
From: Juraj Lutter <otis@FreeBSD.org>
To: Chris <bsd-lists@bsdforge.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: pf options in kernel
Message-ID: <96B5F854-DD69-478C-BAE0-2E753AA7B8D7@FreeBSD.org>
In-Reply-To: <956b5ca1d8632e9a497cec80969096e0@bsdforge.com>
References: <Y3P69NuvWOhxdmux@openbsd.local> <956b5ca1d8632e9a497cec80969096e0@bsdforge.com>
> On 15 Nov 2022, at 21:53, Chris <bsd-lists@bsdforge.com> wrote:
>
> On 2022-11-15 12:47, void wrote:
>> Hi,
>> Is there any advantage to having
>> device pf
>> options PF_DEFAULT_TO_DROP
>> built into the kernel, over having
>> "set block-policy drop" in /etc/pf.conf and "pf_enable="YES"" in /etc/rc.conf?
>
> six of one, or a half dozen of the other. IOW no, not really. :-)

The difference is that when pf is being enabled in rc.conf, there is a time window when the system is "unprotected", while when pf is built into the kernel with PF_DEFAULT_TO_DROP, the system is not exposed to a potentially hostile network environment (as the rules are loaded as part of the rc sequence, but you must explicitly allow traffic).

otis

--
Juraj Lutter
otis@FreeBSD.org
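As an added example (not part of the thread, and not from the FreeBSD project's own configuration files), below is what the two approaches being compared look like side by side: a kernel configuration that builds pf in with PF_DEFAULT_TO_DROP, and a /etc/pf.conf that gets its default-deny from an explicit rule instead. One point worth separating from the question as asked: `set block-policy drop` only chooses how a packet that is already blocked is refused (silently, versus `return`, which sends a TCP RST or ICMP unreachable); it does not by itself block anything. The pf.conf counterpart of PF_DEFAULT_TO_DROP is a `block all` rule at the top of the ruleset, since pf's built-in default when no rule matches is to pass. The kernel name, the interface name `em0` and the service list are assumptions for illustration.

```conf
# --- 1. Kernel configuration (assumed file: /usr/src/sys/amd64/conf/MYKERNEL) ---
# Builds pf and pflog into the kernel and makes "no rule matched" mean block.
include GENERIC
ident   MYKERNEL
device  pf
device  pflog
options PF_DEFAULT_TO_DROP

# --- 2. /etc/rc.conf additions (the module/enable path from the question) ---
# pf_enable="YES"
# pf_rules="/etc/pf.conf"
# pflog_enable="YES"

# --- 3. /etc/pf.conf: default-deny made explicit in the ruleset ---
# With an explicit "block all" the ruleset does not depend on PF_DEFAULT_TO_DROP;
# the same pf.conf behaves identically on a GENERIC kernel with pf.ko loaded.
ext_if       = "em0"                  # assumed interface name
tcp_services = "{ ssh, https }"       # assumed services to expose

# block-policy decides HOW refused packets are refused (drop = silent),
# not WHAT is refused; "return" would send RST / ICMP unreachable instead.
set block-policy drop
set skip on lo0

# Default deny. pf is last-match-wins, so this catches everything that the
# "pass" rules below do not explicitly allow. "log" sends matches to pflog0.
block log all

# Allow the host to originate traffic and keep state for the replies.
pass out quick on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) keep state

# Allow only the listed inbound services to the interface's own address.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without applying it; after `service pf start`, `pfctl -sr` shows the loaded rules with `block drop log all` first, and `pfctl -si` shows whether pf is actually enabled, which is the state that matters for the "time window" discussed in the reply.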
