Re: pf options in kernel

From: Juraj Lutter <otis_at_FreeBSD.org>
Date: Tue, 15 Nov 2022 21:02:50 UTC

> On 15 Nov 2022, at 21:53, Chris <bsd-lists@bsdforge.com> wrote:
> 
> On 2022-11-15 12:47, void wrote:
>> Hi,
>> Is there any advantage to having
>> device pf
>> options PF_DEFAULT_TO_DROP
>> built into the kernel, over having
>> "set block-policy drop" in /etc/pf.conf and "pf_enable="YES"" in /etc/rc.conf?
> 
> six of one, or a half dozen of the other. IOW no, not really. :-)

The difference is that when pf is enabled in rc.conf, there is a time window when the
system is “unprotected”, while when pf is built into the kernel with PF_DEFAULT_TO_DROP,
the system is not exposed to a potentially hostile network environment (as the rules
are loaded as part of the rc sequence, but you must explicitly allow traffic).

otis

—
Juraj Lutter
otis@FreeBSD.org
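Added example, not part of the thread above: a kernel configuration fragment together with a matching /etc/pf.conf and /etc/rc.conf, showing the combination Juraj describes (pf compiled in with a drop default, and a ruleset that must explicitly allow traffic). The kernel name MYKERNEL, the interface em0 and the single allowed service (SSH) are assumptions for illustration.

```conf
# /usr/src/sys/amd64/conf/MYKERNEL  (assumed kernel name; fragment)
include GENERIC
ident   MYKERNEL
device  pf
device  pflog
options PF_DEFAULT_TO_DROP   # pf's built-in default rule becomes "block" instead of "pass",
                             # so traffic is blocked before /etc/pf.conf has been loaded

# /etc/pf.conf
ext_if = "em0"               # assumed interface name
set block-policy drop        # blocked packets are dropped silently rather than answered
                             # with TCP RST / ICMP unreachable; this is not a default policy
set skip on lo0
block all                    # explicit default block, keeps the ruleset correct on a
                             # GENERIC kernel too, where the built-in default is "pass"
pass out quick on $ext_if keep state
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state   # assumed: only SSH allowed in

# /etc/rc.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
```

With the kernel options in place, the window between network interfaces coming up and the pf rc script loading the ruleset is covered by the built-in block default; the pf.conf above still has to open every service you want reachable. On a GENERIC kernel the same pf.conf gives the same policy once loaded, but nothing is filtered until the rc script runs.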