Date: Wed, 16 Nov 2022 12:40:03 +0100
From: Kristof Provost <kp@FreeBSD.org>
To: void <void@f-m.fm>
Cc: freebsd-hackers@freebsd.org
Subject: Re: pf options in kernel
Message-ID: <AD947839-F5D0-4BFC-B954-E727A27BBC87@FreeBSD.org>
In-Reply-To: <Y3Q1y4GNf3A4xyUQ@openbsd.local>
References: <Y3P69NuvWOhxdmux@openbsd.local> <066FCA78-CDC6-4178-AAE1-6F9FD8A665CB@FreeBSD.org> <Y3Q1y4GNf3A4xyUQ@openbsd.local>
On 16 Nov 2022, at 1:58, void wrote:
> On Tue, Nov 15, 2022 at 10:00:48PM +0100, Kristof Provost wrote:
>> Configure this in your pf.conf file, not as a kernel option.
>>
>> There’s at least one known bug with PF_DEFAULT_TO_DROP:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477
>
> Thanks, noted.
>
>> As a general rule you should avoid custom kernel options whenever it’s remotely possible.
>
> I've always thought having a kernel trimmed to only what is required, from a security standpoint, diminishes the attack surface. Is this not the case?
>
No, you just end up running a unique configuration not tested by anyone else. The defaults are the defaults for a reason. Only deviate from them if you understand both why the default is what it is and why it doesn’t work for your use case.

Kristof
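For readers wanting to see what "configure this in your pf.conf" looks like in practice, here is a constructed default-deny ruleset (added as an illustration, not part of the thread or of any poster's setup); the interface name em0 and the single permitted inbound service are assumptions.

```conf
# /etc/pf.conf (constructed example): the default-deny policy lives in the
# ruleset, which is what the thread recommends instead of building a kernel
# with PF_DEFAULT_TO_DROP. Interface name and allowed ports are assumptions.
ext_if = "em0"

# Leave loopback traffic unfiltered.
set skip on lo0
# Silently drop blocked packets instead of answering with RST/ICMP unreachable.
set block-policy drop

# Reassemble fragments before filtering so rules see whole packets.
scrub in all

# Drop packets arriving on $ext_if that claim a source address belonging to it.
antispoof quick for $ext_if

# Default deny: anything not matched by a later pass rule is dropped and
# logged to pflog0, so gaps in the policy show up in the log, not as open ports.
block log all

# Let the host initiate outbound connections; the state entry lets replies
# back in without any inbound rule.
pass out on $ext_if inet from ($ext_if) to any keep state

# Inbound: only SSH, and only on a clean SYN (flags S/SA) that creates state.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the resulting policy with `pfctl -sr`.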
