From: Ari Suutari <ari@suutari.iki.fi>
To: Daniel Hartmeier
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 16 Jul 2006 21:51:01 +0300
Message-ID: <44BA8A95.10300@suutari.iki.fi>
In-Reply-To: <20060716182315.GC3240@insomnia.benzedrine.cx>
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Hi,

Daniel Hartmeier wrote:
> And to get rid of the "hole", you need to get the order right so there
> is nothing being exposed before the pf module is loaded. Once you have
> ensured that nothing gets exposed before rc.d/pf is started, it's
> trivial to make sure that that script only exits after pf has been
> enabled and the production ruleset is in place.

Too much tuning on a security-related issue. The standard startup
sequence should be secure. I really cannot understand what is so bad
about /etc/rc.d/pf_boot that it cannot be added to FreeBSD, as NetBSD &
OpenBSD use it or something similar. I'm not yelling for a default
block - others are, and use it as a reason not to use something like
pf_boot.

> I think the chronological placement of rc.d/pf is already meant to
> achieve precisely that, have you actually checked the rc.d scripts and
> found some order that needs to be adjusted?

I could of course adjust my rc.d scripts, but I would very much
appreciate it if security-related things were there correctly in the
standard setup.

I'll try to port pf_boot myself if nobody else volunteers. (I don't
think there is much porting to do, however.)

	Ari S.
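The window the thread is arguing about is the time between the first interface coming up and rc.d/pf loading the production ruleset; NetBSD's pf_boot closes it by enabling pf with a tiny default-deny ruleset before any interface is configured. The script below is an added example in that spirit. It is not NetBSD's rc.d/pf_boot, not anything from FreeBSD's rc.d tree, and not code from anyone in this thread. It assumes pfctl(8) is on PATH on the target host, and the filename /etc/pf.boot.conf is borrowed from NetBSD as an assumption, not a FreeBSD default. Everything except pf_boot_start is plain POSIX sh that touches only a file, so the ruleset generation and the safety check can be exercised on any machine.

```shell
#!/bin/sh
# Early-boot pf loader modelled on the idea behind NetBSD's rc.d/pf_boot.
# Added example: not NetBSD's script, not FreeBSD rc.d code. Assumes pfctl(8)
# is available on the target; /etc/pf.boot.conf is an assumed path borrowed
# from NetBSD.

PF_BOOT_CONF=${PF_BOOT_CONF:-/etc/pf.boot.conf}

# The ruleset that should be in effect from the moment pf is enabled until
# rc.d/pf replaces it with the production rules: default deny, loopback
# unfiltered. Options ("set ...") must precede rules in pf.conf syntax.
pf_boot_ruleset() {
    cat <<'EOF'
# Boot-time ruleset: nothing is reachable until the production rules load.
set block-policy drop
set skip on lo0
block all
EOF
}

# Write the boot ruleset to $1 (default: PF_BOOT_CONF).
pf_boot_write() {
    pf_boot_ruleset > "${1:-$PF_BOOT_CONF}"
}

# Sanity-check a boot ruleset file. It must parse (pfctl -n, when pfctl is
# present to say so) and it must contain an unconditional "block all": a
# boot ruleset without default deny recreates exactly the window this
# thread is about. Returns 0 only when both hold.
pf_boot_check() {
    conf=$1
    [ -r "$conf" ] || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$conf" >/dev/null 2>&1 || return 1
    fi
    grep -q '^block all$' "$conf"
}

# Return 0 only if pf reports itself enabled; a successful "pfctl -e" is
# not proof by itself, so the status line is what we trust.
pf_is_enabled() {
    pfctl -s info 2>/dev/null | grep -q '^Status: Enabled'
}

# Load the boot ruleset and enable pf. Fails loudly (non-zero exit) rather
# than silently leaving the host unfiltered while the rest of rc.d runs.
pf_boot_start() {
    conf=${1:-$PF_BOOT_CONF}
    [ -r "$conf" ] || pf_boot_write "$conf"
    pf_boot_check "$conf" || {
        echo "pf_boot: $conf is not a safe boot ruleset" >&2; return 1; }
    command -v pfctl >/dev/null 2>&1 || {
        echo "pf_boot: pfctl not found" >&2; return 1; }
    pfctl -q -f "$conf" || return 1
    pf_is_enabled || pfctl -q -e || return 1
    pf_is_enabled
}
```

On FreeBSD this would be wrapped in an rc.d script whose rcorder header carries `# BEFORE: netif` so it runs before any interface is configured, with `start_cmd` calling `pf_boot_start`; the existing rc.d/pf then replaces the boot ruleset with the production one, and because pf is already enabled there is no moment where an interface is up without rules. The pf_boot_check step is deliberately strict: if someone edits the boot ruleset into something permissive, the script refuses to proceed instead of enabling pf with a hole in it.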