Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Gergely CZUCZY phoemix at harmless.hu
Fri Jul 14 17:11:23 UTC 2006


On Fri, Jul 14, 2006 at 05:47:29PM +0200, Paul Schenkeveld wrote:
> Hello,
> 
> On Fri, Jul 14, 2006 at 01:26:38PM +0300, Ari Suutari wrote:
> > Hi,
> > 
> > Does anyone know if there are any plans to bring
> > pf boot-time protection (ie. /etc/rc.d/pf_boot and
> > related config files) from NetBSD to FreeBSD ?
> > 
> > This would close small (but as far as I understand existing)
> > window during boot where firewall is fully open (if using only
> > pf).
> 
> I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK
> instead of some magic script closing the hole between driver init and
> configuration.  Always wondered how the OpenBSD -security minded- people
> have come up with a packet filter that's open by default.
> 
> Or am I missing the point here?
On a Linux box I'm running I have a 2-state firewall setup, which
I like very much.

The states look like this:
1, bootup) This state only allows DNS and ssh communications,
and as soon as possible in the bootup process, the box
applies this ruleset. All communications are disabled except
the above-mentioned ones. Even the running services are unreachable
in this stage.

2, online) The box goes to this state when all the services are running
and the bootup process has completed. In this stage every service
can be accessed.


Using these two states the services can be protected from the clients while
not all of them are started. There are various reasons for this; I mention
some:
- Services may depend on each other, and the startup order may not
reflect this
- Services that consist of multiple parts cannot be accessed while
not all parts are up and running, so clients are unable to connect to
the not-yet-fully-started services
- The load at startup can be pretty high, and the connecting clients
would raise it even higher. This can also be prevented.
- However, all basic communication (DNS resolving, and ssh for the admin)
is allowed at the bootup stage

I think NetBSD also achieved a similar purpose, and also took some of these
ideas and reasons. It would be very nice to have a pf_bootup.conf, which would be
applied as soon as the interfaces are up, but before anything else is started.

Bye,

Gergely Czuczy
mailto: gergely.czuczy at harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
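The two-state scheme described in the message above, written for pf as an added example; this is not the poster's Linux setup, nor NetBSD's pf_boot, nor any FreeBSD rc script. The interface name, the admin network, the ruleset paths and the `PFCTL` override are all assumptions, and the "online" state is simply the full /etc/pf.conf. The one ordering detail worth noting, given Paul's remark about pf being open by default: the ruleset is loaded with `pfctl -f` before pf is enabled with `pfctl -e`, so the filter never runs empty.

```shell
#!/bin/sh
# Two-state pf loader (added example, not code from the thread or from
# FreeBSD/NetBSD).  ASSUMPTIONS: interface name, admin network, path of the
# full ruleset and the pfctl command are all hypothetical defaults.
# State 1 ("boot"):   default deny; only DNS out and ssh in from the admin net.
# State 2 ("online"): the full production ruleset in /etc/pf.conf.

EXT_IF="${EXT_IF:-em0}"                 # assumed external interface
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"  # assumed admin network (TEST-NET-1)
FULL_CONF="${FULL_CONF:-/etc/pf.conf}"  # assumed path of the full ruleset
PFCTL="${PFCTL:-pfctl}"                 # e.g. PFCTL='pfctl -n' for a dry run

# Emit the restrictive boot-time ruleset on stdout.  Everything that is not
# DNS resolution or ssh from the admin network is dropped, so half-started
# services are unreachable until the "online" state is loaded.
boot_ruleset() {
    cat <<EOF
# boot state: default deny, then only what is needed to finish booting
ext_if = "$EXT_IF"
admin_net = "$ADMIN_NET"
set skip on lo0
set block-policy drop
block log all
# DNS resolution (UDP, and TCP for answers that do not fit in UDP)
pass out quick on \$ext_if proto { udp tcp } to any port 53 keep state
# ssh for the administrator only, and only from the admin network
pass in quick on \$ext_if proto tcp from \$admin_net to (\$ext_if) port 22 flags S/SA keep state
EOF
}

# Parse-check a ruleset read from stdin without loading it (pfctl -n).
check_ruleset() {
    $PFCTL -nf -
}

# Load a ruleset from stdin, then enable pf.  Load first, enable second:
# pf with no rules loaded passes everything, so "pfctl -e" before the rules
# are in place is exactly the open window the thread is about.
load_and_enable() {
    $PFCTL -f - || return 1
    # -e fails if pf is already enabled (e.g. on the boot->online switch)
    $PFCTL -e 2>/dev/null || true
}

case "${1:-}" in
    boot)
        # run from an early rc script, right after the interfaces come up
        boot_ruleset | load_and_enable ;;
    online)
        # run once the last service has started; the flush is implicit in -f
        $PFCTL -f "$FULL_CONF" && $PFCTL -e 2>/dev/null || true ;;
    show-boot)
        boot_ruleset ;;
    check)
        boot_ruleset | check_ruleset && $PFCTL -nf "$FULL_CONF" ;;
    "")
        : ;;   # no argument: sourced for its functions, do nothing
    *)
        echo "usage: $0 boot|online|show-boot|check" >&2; exit 2 ;;
esac
```

Invoke `pf_twostate.sh boot` as early as the rc framework allows (after the interfaces exist, before any network service) and `pf_twostate.sh online` as the last rc step; `pf_twostate.sh check` exercises both rulesets through `pfctl -n` without touching the running filter.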