Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Travis H. solinym at gmail.com
Sat Jul 15 14:22:03 UTC 2006


On 7/14/06, Paul Schenkeveld <fb-pf at psconsult.nl> wrote:
> I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK
> instead of some magic script closing the hole between driver init and
> configuration.  Always wondered how the OpenBSD -security minded- people
> have come up with a packet filter that's open by default.

In /etc/rc OpenBSD sets up pfctl before it runs /etc/netstart.

The default ruleset is:
block all
pass on lo0
pass in proto tcp from any to any port 22 keep state
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto icmp all icmp-type echoreq keep state

Then there's some stuff about IPv6 and some stuff for NFS.

I'm not sure why they don't use "set skip" or "quick".

Still, it'd be nice to have a "default deny" compile option.

The question is, where do you check for this thing to be enabled?  I
suppose you could have both a default-deny compile option and a "block
all" at the top of the ruleset (or equivalently a "block quick all" at
the end), like wearing a belt and suspenders... wouldn't want
installing a new kernel to suddenly open you up, nor would you want to
have to remember the default deny rule when playing with different
rulesets...
-- 
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
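A check for the belt-and-suspenders point above, added here as an example and not taken from the list post or from any BSD rc script: a small sh lint that reports whether a pf ruleset carries a default deny in a position where it actually acts as the default (a leading "block all", which later pass rules override because pf is last-match-wins, or a trailing "block quick all"). The three sample rulesets are constructed for the demonstration.

```shell
#!/bin/sh
# Lint a pf ruleset for a default-deny rule in a position where it acts as the
# default: a leading "block all" (pf is last-match-wins, so later passes
# override it) or a trailing "block quick all" ("quick" stops evaluation).
# Constructed example, not from the list post or from any BSD rc script.

# Print the filter rules (block/pass/match) from stdin, comments stripped.
filter_rules() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -E '^(block|pass|match)( |$)'
}

# Exit 0 if file $1 has an effective default deny, 1 otherwise.
has_default_deny() {
    first=$(filter_rules < "$1" | head -n 1)
    last=$(filter_rules < "$1" | tail -n 1)
    # Leading "block [drop|return] [all]" without "quick".
    printf '%s\n' "$first" | grep -Eq '^block( (drop|return))?( all)?$' && return 0
    # Trailing "block [drop|return] quick [all]".
    printf '%s\n' "$last" | grep -Eq '^block( (drop|return))? quick( all)?$' && return 0
    return 1
}

# Constructed sample rulesets, written to a scratch directory (not removed,
# so they can be inspected afterwards).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/openbsd.conf" <<'EOF'
# shape of the OpenBSD boot ruleset quoted above: deny first, then exceptions
block all
pass on lo0
pass in proto tcp from any to any port 22 keep state
pass out proto { tcp, udp } from any to any port 53 keep state
EOF
cat > "$SAMPLES/quick.conf" <<'EOF'
set skip on lo0
pass in quick proto tcp from any to any port 22 keep state
block quick all   # trailing quick deny, same effect as a leading block all
EOF
cat > "$SAMPLES/open.conf" <<'EOF'
pass in proto tcp from any to any port 22 keep state
pass out all
EOF

for f in openbsd quick open; do
    if has_default_deny "$SAMPLES/$f.conf"; then
        echo "$f.conf: default deny present"
    else
        echo "$f.conf: NO default deny (open by default)"
    fi
done
```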