Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file

Kimmo Paasiala kpaasial at gmail.com
Fri Sep 14 21:39:58 UTC 2012


On Fri, Sep 14, 2012 at 7:51 PM, Damien Fleuriot <ml at my.gd> wrote:
>
> On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé <olivier at cochard.me> wrote:
>
>> Hi,
>> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
>> option to the kernel configuration file:
>> options PF_DEFAULT_TO_DROP
>>
>> Without this option, with an empty pf.conf: all traffic is permitted.
>> With this option enabled, with an empty pf.conf: all traffic is
>> dropped by default.
>>
>> If the attached file is removed, you can find the patch here:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622
>>
>> Regards,
>>
>> Olivier
>> <freebsd.pf_drop.patch>
>
>
> Is there any point to this?
>
> I mean, PF has to be enabled manually anyway, so it's not like it adds any kind of default security.
> Worse, it could lock careless people out.
>
>
> People able to use this (read: who can rebuild a kernel) likely are intelligent enough to cobble up a default block rule for their pf.conf.

If you must do this then please consider adding a /boot/loader.conf
setting instead of kernel configuration option. The option could be
read only on running system or dependent on securelevel(7).

-Kimmo
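The thread's point is that an empty pf.conf passes everything unless the ruleset itself (or the proposed kernel option) supplies a default block. As an added example that is not part of the thread or of Olivier's patch, the POSIX shell function below inspects a pf.conf ruleset and reports whether it carries a catch-all `block` rule, so an administrator can confirm the fail-closed policy exists in the configuration rather than relying on a build-time option. The three rulesets are constructed samples for illustration; the interface name `em0` and the rule set contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the freebsd-pf thread or the PR 171622 patch).
# Reports whether a pf.conf ruleset establishes a default-deny policy by
# containing a catch-all block rule such as "block all" or "block drop all".

# Constructed sample rulesets (not real configurations).
EMPTY_RULES=""

# Explicit default deny: what Damien suggests instead of a kernel option.
DEFAULT_DENY_RULES='set skip on lo0
block all                 # constructed: everything not passed below is dropped
pass in on em0 proto tcp to port 22
pass out on em0'

# Pass-only ruleset: no catch-all block, so unmatched traffic is allowed.
PASS_ONLY_RULES='pass in on em0 proto tcp to port 22
pass out on em0'

# has_default_block RULESET
# Exit status 0 if the ruleset contains a block rule with no interface,
# address or protocol restriction (only in/out/log/quick/drop/return/all
# modifiers), 1 otherwise.  Comments and surrounding whitespace are ignored.
has_default_block() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr -s '[:blank:]' ' ' \
        | grep -Eq '^block( (in|out|log|quick|drop|return|all))*$'
}

# default_policy RULESET
# Prints "drop" when a catch-all block rule is present, "pass" otherwise,
# mirroring what pf does with traffic no rule matches.
default_policy() {
    if has_default_block "$1"; then
        echo drop
    else
        echo pass
    fi
}

# Stand-alone run: check a pf.conf given as the first argument, or the samples.
if [ "$#" -gt 0 ] && [ -r "$1" ]; then
    printf '%s: default policy %s\n' "$1" "$(default_policy "$(cat "$1")")"
else
    printf 'empty ruleset:        %s\n' "$(default_policy "$EMPTY_RULES")"
    printf 'default-deny ruleset: %s\n' "$(default_policy "$DEFAULT_DENY_RULES")"
    printf 'pass-only ruleset:    %s\n' "$(default_policy "$PASS_ONLY_RULES")"
fi
```

The match is deliberately narrow: a rule like `block in on em0` restricts the block to one interface and is not treated as a default policy, so the check only reports "drop" when unmatched traffic really is dropped.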

