Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Max Laier max at love2party.net
Sun Jul 16 22:17:15 UTC 2006 

On Sunday 16 July 2006 23:44, Daniel Hartmeier wrote:
> On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
> > > Hence, a "default block" switch or compile time option _within_ pf is
> > > not going to make any difference.
> >
> > Sure it will, if pf is compiled into the kernel or loaded by the BTX
> > loader.
>
> Ok, in that case I guess you want to enable pf by default, too.
>
> I haven't tried it in this mode, but the default block can be achieved
> by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()
>
> -       pf_default_rule.action = PF_PASS;
> +       pf_default_rule.action = PF_DROP;
>
>         bzero(&pf_status, sizeof(pf_status));
> +	pf_status.running = 1;

You will also need this (just one line below):

    pf_pfil_hooked = 0;
+   error = hook_pf();
+   if (error || !pf_pfil_hooked)
+      panic("Unable to protect you from the scary internet!");

> That would then block all packets on all interfaces, until a ruleset is
> loaded. If anything started through the startup scripts needs unblocked
> packets (including the production ruleset loading requiring name
> resolution over network), you'd need to first load a simpler temporary
> ruleset to pass that, and finally replace it with the production
> ruleset.
>
> And, of course, if the boot sequence for any reason doesn't reach that
> point, you can only fix stuff with local access... :)
>
> I'm not sure the average user _really_ is worried enough about that
> half a second period on boot. But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20060716/4d51e12e/attachment.pgp

More information about the freebsd-security mailing list