Date:      Wed, 16 Nov 2022 00:58:51 +0000
From:      void <void@f-m.fm>
To:        freebsd-hackers@freebsd.org
Subject:   Re: pf options in kernel
Message-ID:  <Y3Q1y4GNf3A4xyUQ@openbsd.local>
In-Reply-To: <066FCA78-CDC6-4178-AAE1-6F9FD8A665CB@FreeBSD.org>
References:  <Y3P69NuvWOhxdmux@openbsd.local> <066FCA78-CDC6-4178-AAE1-6F9FD8A665CB@FreeBSD.org>

On Tue, Nov 15, 2022 at 10:00:48PM +0100, Kristof Provost wrote:

>Configure this in your pf.conf file, not as a kernel option.
>
>There’s at least one known bug with PF_DEFAULT_TO_DROP:
>https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477

Thanks, noted.

>As a general rule you should avoid custom kernel options whenever it’s 
>remotely possible.

I've always thought having a kernel trimmed to only what is required, 
from a security standpoint, diminishes the attack surface. Is this not the case?
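The advice quoted above is to express the default-drop policy in pf.conf rather than compiling PF_DEFAULT_TO_DROP into the kernel. As an added illustration that is not part of the thread or of FreeBSD's own documentation, the ruleset below gets that behaviour from the ruleset itself: pf evaluates rules last-match-wins, so a `block all` placed first is the policy that applies to anything no later `pass` rule explicitly permits. The interface name and the management subnet are assumptions chosen for the example.

```pf
# Added example, not from the thread: a default-deny pf.conf that gives the
# behaviour PF_DEFAULT_TO_DROP is meant to provide, without a custom kernel.
# Interface name and network below are assumptions for illustration only.
ext_if   = "em0"
mgmt_net = "192.0.2.0/24"     # constructed example network (RFC 5737 range)

set block-policy drop          # drop silently instead of sending RST/ICMP unreachable
set skip on lo0                # do not filter loopback

scrub in all                   # normalise inbound packets before filtering

# Default policy first. pf is last-match-wins, so every "pass" that follows
# is an explicit exception to this rule and nothing passes on a no-match.
block log all

# Management access (SSH) only from the trusted network, stateful
pass in on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22 flags S/SA keep state

# Traffic originated by the host itself
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the block rule is first in the loaded ruleset with `pfctl -sr`. Because the policy lives in the ruleset, it is visible in `pfctl -sr` output, survives kernel upgrades, and can be changed without rebuilding the kernel, which is the practical argument behind the quoted advice.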