Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf
from NetBSD ?
Harald Muehlboeck
home at clef.at
Mon Jul 24 09:29:46 UTC 2006
Simon L. Nielsen <simon at nitro.dk> writes:
> On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:
>
>> The "hole" being discussed is the time, during boot, before pf is fully
>> functional with the production ruleset. For a comparatively long time,
>> the pf module isn't even loaded yet.
>>
>> So, you first need to check the boot sequence for
>>
>> - interfaces being brought up before pf is loaded
>> - addresses assigned to those interfaces
>> - daemons starting and listening on those addresses
>> - route table getting set up
>> - IP forwarding getting enabled
>> - etc.
>
> Since nobody else seems to have actually done this, I took a look at
> FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
> see a hole. Most importantly pf is enabled before routing.
> # rcorder -s nostart /etc/rc.d/*
> [...]
> /etc/rc.d/ipfilter
> [...]
> /etc/rc.d/sysctl
> [...]
> /etc/rc.d/pf
> /etc/rc.d/routing
> [...]
But net.inet.ip.forwarding=1 can also be set in sysctl.conf(5), as
well as many other options like bridging, ... (I don't know if it is
usual to do so).
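The two ordering questions raised in this thread (does /etc/rc.d/pf start before /etc/rc.d/routing, and does sysctl.conf turn on net.inet.ip.forwarding while /etc/rc.d/sysctl runs ahead of pf) can be checked mechanically against rcorder(8) output. The script below is an added example, not code from any of the posters; the start list and sysctl.conf contents it uses are constructed stand-ins, and the function names are my own. On a real system you would feed it the output of `rcorder -s nostart /etc/rc.d/*` and the contents of /etc/sysctl.conf instead.

```shell
#!/bin/sh
# Added example: audit an rcorder(8)-style start list for the boot-time
# window discussed above. Two things are checked:
#   1. /etc/rc.d/pf is ordered before /etc/rc.d/routing;
#   2. if /etc/rc.d/sysctl runs before pf, sysctl.conf does not already
#      enable net.inet.ip.forwarding, which would forward packets before
#      the production ruleset is loaded.

# Constructed, abbreviated stand-in for `rcorder -s nostart /etc/rc.d/*`
# output (hypothetical ordering; run the real command on your own system).
SAMPLE_ORDER='/etc/rc.d/hostid
/etc/rc.d/ipfilter
/etc/rc.d/sysctl
/etc/rc.d/netif
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd'

# Constructed stand-in for /etc/sysctl.conf content (hypothetical).
SAMPLE_SYSCTL='kern.maxfiles=65536
# net.inet.ip.forwarding=0
net.inet.ip.forwarding=1'

# position NAME ORDER: print the 1-based position of /etc/rc.d/NAME in the
# start list ORDER, or 0 if it is not listed.
position() {
    printf '%s\n' "$2" | awk -v want="/etc/rc.d/$1" '
        $0 == want { print NR; found = 1; exit }
        END        { if (!found) print 0 }'
}

# pf_before NAME ORDER: succeed if pf is listed and starts before NAME.
pf_before() {
    pf=$(position pf "$2")
    other=$(position "$1" "$2")
    [ "$pf" -gt 0 ] && [ "$other" -gt 0 ] && [ "$pf" -lt "$other" ]
}

# forwarding_enabled_in CONF: succeed if CONF contains an active
# (uncommented) net.inet.ip.forwarding=1 line.
forwarding_enabled_in() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# audit ORDER CONF: print one line per check; return the number of warnings.
audit() {
    warnings=0
    if pf_before routing "$1"; then
        echo "OK:   pf is enabled before routing is configured"
    else
        echo "WARN: routing is configured before pf is enabled"
        warnings=$((warnings + 1))
    fi
    if ! pf_before sysctl "$1" && forwarding_enabled_in "$2"; then
        echo "WARN: sysctl.conf enables net.inet.ip.forwarding and /etc/rc.d/sysctl runs before pf"
        warnings=$((warnings + 1))
    else
        echo "OK:   IP forwarding is not enabled ahead of pf"
    fi
    return "$warnings"
}

audit "$SAMPLE_ORDER" "$SAMPLE_SYSCTL" || echo "$? warning(s) found"
```

With the constructed sample the routing check passes but the sysctl check warns, which is exactly the case raised in the reply above: the rc order alone looks fine, yet a forwarding=1 line in sysctl.conf takes effect before pf is enabled.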