Date: Thu, 13 Sep 2012 23:26:48 +0200
From: Olivier Cochard-Labbé <olivier@cochard.me>
To: freebsd-pf@freebsd.org
Subject: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
Message-ID: <CA+q+TcqL1e=SLa7fUXpCa5Lpospj0F=+cfLnAjWDwHFVFxjAMw@mail.gmail.com>
[-- Attachment #1 --]

Hi,

here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new option to the kernel configuration file:

options PF_DEFAULT_TO_DROP

Without this option, with an empty pf.conf: all traffic is permitted.
With this option enabled, with an empty pf.conf: all traffic is dropped by default.

If the attached file is removed, you can find the patch here:
http://www.freebsd.org/cgi/query-pr.cgi?pr=171622

Regards,
Olivier

[-- Attachment #2 --]
--- sys/contrib/pf/net/pf_ioctl.c.orig 2012-09-06 15:47:47.000000000 +0200 +++ sys/contrib/pf/net/pf_ioctl.c 2012-09-06 15:56:16.000000000 +0200 @@ -386,7 +386,11 @@ /* default rule should never be garbage collected */ V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next; + #ifdef PF_DEFAULT_TO_DROP + V_pf_default_rule.action = PF_DROP; + #else V_pf_default_rule.action = PF_PASS; + #endif V_pf_default_rule.nr = -1; V_pf_default_rule.rtableid = -1; @@ -473,7 +477,11 @@ /* default rule should never be garbage collected */ pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next; + #ifdef PF_DEFAULT_TO_DROP + pf_default_rule.action = PF_DROP; + #else pf_default_rule.action = PF_PASS; + #endif pf_default_rule.nr = -1; pf_default_rule.rtableid = -1; --- sys/conf/options.orig 2012-09-06 15:59:40.000000000 +0200 +++ sys/conf/options 2012-09-06 16:00:59.000000000 +0200 @@ -426,6 +426,7 @@ NETATALK opt_atalk.h NFSLOCKD PCBGROUP opt_pcbgroup.h +PF_DEFAULT_TO_DROP opt_pf.h RADIX_MPATH opt_mpath.h ROUTETABLES opt_route.h SLIP_IFF_OPTS opt_slip.h --- sys/conf/NOTES.orig 2012-09-06 16:58:11.000000000 +0200 +++ sys/conf/NOTES 2012-09-06 16:14:47.000000000 +0200 
@@ -916,6 +916,8 @@ # packets without touching the TTL). This can be useful to hide firewalls # from traceroute and similar tools. # +# PF_DEFAULT_TO_DROP causes the default rule (at boot) to deny everything. +# # TCPDEBUG enables code which keeps traces of the TCP state machine # for sockets with the SO_DEBUG option set, which can then be examined # using the trpt(8) utility. @@ -933,6 +935,7 @@ options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_DEFAULT_BLOCK #block all packets by default options IPSTEALTH #support for stealth forwarding +options PF_DEFAULT_TO_DROP #drop everything by default options TCPDEBUG # The MBUF_STRESS_TEST option enables options which create
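Review bot: in the first pf_ioctl.c hunk (@@ -386,7 +386,11 @@) the four-line #ifdef PF_DEFAULT_TO_DROP / #else / #endif block that picks PF_DROP or PF_PASS is repeated verbatim for pf_default_rule in the second hunk (@@ -473,7 +477,11 @@). Select the action once near the top of the file, for example a single "#define PF_DEFAULT_ACTION PF_DROP" under the #ifdef with PF_PASS in the #else branch, and write "V_pf_default_rule.action = PF_DEFAULT_ACTION;" and "pf_default_rule.action = PF_DEFAULT_ACTION;" at the two assignment sites, so the two initialisation paths cannot drift apart when one of them is edited later.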
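Review bot: the sys/conf/options hunk (@@ -426,6 +426,7 @@) routes PF_DEFAULT_TO_DROP into the generated opt_pf.h header, but the patch does not add an #include "opt_pf.h" to pf_ioctl.c. That is only correct if the file already includes that header; please confirm it does, because otherwise the #ifdef in both pf_ioctl.c hunks never sees the define and a kernel built with the option silently keeps the PF_PASS default, which is the worst failure mode for a default-deny knob.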
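Review bot: in the NOTES hunk (@@ -916,6 +916,8 @@) the wording "causes the default rule (at boot) to deny everything" understates the scope of the change. The default rule is what pf falls back to whenever no loaded rule matches, so the option governs behaviour with an empty pf.conf at any time and after the ruleset is flushed (pfctl -F rules), not only at boot. Suggest "PF_DEFAULT_TO_DROP makes the default rule (used when no other rule matches) drop all packets", and, as the neighbouring IPFILTER_DEFAULT_BLOCK entry in the second NOTES hunk (@@ -933,6 +935,7 @@) implies, it is worth spelling out that a flushed or empty ruleset then drops management traffic to the host as well, so administrators keep a console path when enabling it.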
