Any ongoing effort to port /etc/rc.d/pf_boot,
/etc/pf.boot.conf from NetBSD ?
max at love2party.net
Sun Jul 16 22:17:15 UTC 2006
On Sunday 16 July 2006 23:44, Daniel Hartmeier wrote:
> On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
> > > Hence, a "default block" switch or compile time option _within_ pf is
> > > not going to make any difference.
> > Sure it will, if pf is compiled into the kernel or loaded by the BTX
> > loader.
> Ok, in that case I guess you want to enable pf by default, too.
> I haven't tried it in this mode, but the default block can be achieved
> by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()
> - pf_default_rule.action = PF_PASS;
> + pf_default_rule.action = PF_DROP;
> bzero(&pf_status, sizeof(pf_status));
> + pf_status.running = 1;
You will also need this (just one line below):
pf_pfil_hooked = 0;
+ error = hook_pf();
+ if (error || !pf_pfil_hooked)
+ panic("Unable to protect you from the scary internet!");
> That would then block all packets on all interfaces, until a ruleset is
> loaded. If anything started through the startup scripts needs unblocked
> packets (including the production ruleset loading requiring name
> resolution over network), you'd need to first load a simpler temporary
> ruleset to pass that, and finally replace it with the production
> And, of course, if the boot sequence for any reason doesn't reach that
> point, you can only fix stuff with local access... :)
> I'm not sure the average user _really_ is worried enough about that
> half a second period on boot. But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20060716/4d51e12e/attachment.pgp
More information about the freebsd-security