Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Ari Suutari ari at suutari.iki.fi
Mon Jul 17 18:59:20 UTC 2006


Hi,
Simon L. Nielsen wrote:
> Since nobody else seems to have actually done this, I took a look at
> FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
> see a hole.  Most importantly pf is enabled before routing.

	I did this yesterday, but this thread has gotten quite active
	so maybe you lost the results. But my findings were the same as
	yours: pf is enabled before routing, which means that the
	hole I was afraid of doesn't exist.
> 
> Personally I would still like a default to deny knob, but that's
> mainly to handle the case of an invalid ruleset which causes pf to be
> left open.  Yes, this is only a problem when the admin screws up, but
> it happens...

	Yes, and it might be quite common: someone edits the ruleset but
	leaves it unfinished because other, higher-priority
	jobs arrive (from the boss...), and then someone else accidentally
	reboots your firewall... Default deny (or rc.d/pf_boot) would
	help here.

		Ari S.
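The rcorder check both posters describe (does /etc/rc.d/pf come before /etc/rc.d/routing?), written up as an added example that is not part of this thread. It reads an rcorder listing on stdin; the embedded listing is a constructed excerpt, and on a real host you would pipe in `rcorder /etc/rc.d/*` instead.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Verifies, from an rcorder listing, that /etc/rc.d/pf is started
# before /etc/rc.d/routing, so a rule set is loaded before routes come up.

# Constructed excerpt of "rcorder /etc/rc.d/*" output (assumed order,
# trimmed to the scripts relevant here).
SAMPLE_RCORDER='/etc/rc.d/sysctl
/etc/rc.d/hostid
/etc/rc.d/netif
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd'

# Reads an rcorder listing on stdin.
# Exit status: 0 if pf precedes routing, 1 if routing precedes pf,
# 2 if either script is missing from the listing (treat as a failure too).
pf_before_routing() {
    awk '
        { n++ }
        $0 ~ /\/pf$/      { pf = n }
        $0 ~ /\/routing$/ { rt = n }
        END {
            if (!pf || !rt) exit 2
            exit ((pf < rt) ? 0 : 1)
        }'
}

# Convenience wrapper: check a listing passed as a single string.
check_order() {
    printf '%s\n' "$1" | pf_before_routing
}

if check_order "$SAMPLE_RCORDER"; then
    echo "ok: pf is enabled before routing"
else
    echo "WARNING: routing may come up before pf, or a script is missing" >&2
fi
```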


