Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD?
Max Laier
max at love2party.net
Mon Jul 17 09:13:57 UTC 2006
Okay, now this is getting pretty pointless. It started out pretty promising
with an attempt to really investigate a problem that might exist with
the way we boot up pf. No-one has yet provided evidence that it does exist,
though. What Daniel and others have suggested is that interested parties
look at the boot process closely, identify possible windows of vulnerability
and propose a *proper* fix in the form of a reorder of the boot process, an
early pf_boot or something else.

As more and more people are screaming for rope to hang themselves with, I am
going to provide it. As we have established, the "fix" is a three line
change in pf_ioctl.c and otherwise non-intrusive. You will of course have to
rewrite your rulesets if you have a default to block policy, but since you
care about security, that's a little price to pay - right?

I would love to see somebody[tm] *really* looking into the boot process and
come up with a solution if we do have a problem there.

Otherwise I will post a patch for PF_DEFAULT_BLOCK after a few days of
cool-off time; if people still think it's a good idea then, I'll commit
it.
Thanks.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
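The message above asks that somebody actually look at the boot order and show whether a window exists between the point where network interfaces are configured and the point where pf loads its ruleset. The following is an added example written for this archive page; it is not code from the thread, from FreeBSD or from NetBSD. It approximates what rcorder(8) does on FreeBSD by feeding the "# PROVIDE:", "# REQUIRE:" and "# BEFORE:" header lines of rc.d-style scripts to tsort(1), and then reports whether "netif" is ordered before "pf". The rc.d headers it writes are constructed samples, and the "pf_boot" script it adds is hypothetical (named after the NetBSD script in the subject line), used only to show how an early script that runs before netif changes the computed order.

```shell
#!/bin/sh
# Added example, not code from the freebsd-pf thread or from FreeBSD/NetBSD:
# approximate rcorder(8) with tsort(1) over "# PROVIDE:", "# REQUIRE:" and
# "# BEFORE:" headers, then check whether network interfaces are configured
# before pf loads its ruleset (the boot-time window the thread argues about).

# Write a constructed set of rc.d-style scripts (header lines only) into $1.
# These are sample dependencies for illustration, not FreeBSD's real files.
make_sample_rcd() {
    mkdir -p "$1"
    printf '# PROVIDE: root\n'                             > "$1/root"
    printf '# PROVIDE: FILESYSTEMS\n# REQUIRE: root\n'     > "$1/FILESYSTEMS"
    printf '# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n'    > "$1/netif"
    printf '# PROVIDE: routing\n# REQUIRE: netif\n'        > "$1/routing"
    printf '# PROVIDE: pf\n# REQUIRE: FILESYSTEMS netif\n' > "$1/pf"
}

# Add a hypothetical early pf_boot script (named after the NetBSD script in
# the subject line) that would load a minimal ruleset before any interface
# comes up. Its headers are an assumption made for this example.
add_early_pf_boot() {
    printf '# PROVIDE: pf_boot\n# REQUIRE: FILESYSTEMS\n# BEFORE: netif\n' \
        > "$1/pf_boot"
}

# Print the boot order for the scripts in $1, one provider per line.
# Each "a b" pair fed to tsort means "a runs before b"; an "x x" pair makes
# sure a script with no dependencies still appears in the output.
rc_order() {
    for f in "$1"/*; do
        prov=$(sed -n 's/^# PROVIDE:[[:space:]]*//p' "$f")
        reqs=$(sed -n 's/^# REQUIRE:[[:space:]]*//p' "$f")
        befs=$(sed -n 's/^# BEFORE:[[:space:]]*//p' "$f")
        for p in $prov; do
            echo "$p $p"
            for r in $reqs; do echo "$r $p"; done
            for b in $befs; do echo "$p $b"; done
        done
    done | tsort
}

# Return 0 if provider $2 is ordered before provider $3 in the rc.d tree $1,
# 1 if it runs after it, 2 if either name is missing from the tree.
ordered_before() {
    order=$(rc_order "$1")
    a=$(echo "$order" | grep -n -x "$2" | cut -d: -f1)
    b=$(echo "$order" | grep -n -x "$3" | cut -d: -f1)
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "unknown provider: $2 or $3" >&2
        return 2
    fi
    [ "$a" -lt "$b" ]
}

# Report whether the tree in $1 leaves a window between netif and pf.
report_window() {
    if ordered_before "$1" netif pf; then
        echo "window: netif runs before pf, interfaces are up before the ruleset loads"
    elif [ "$?" -eq 1 ]; then
        echo "no window: pf is ordered before netif"
    else
        echo "cannot decide: netif or pf not found in the tree"
    fi
}

# Demo: run as "sh pfwindow.sh demo" (hypothetical file name) to evaluate
# both layouts; nothing runs when the file is merely sourced.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_rcd "$tmp"
    echo "--- plain layout ---"; rc_order "$tmp"; report_window "$tmp"
    add_early_pf_boot "$tmp"
    echo "--- with early pf_boot ---"; rc_order "$tmp"
    ordered_before "$tmp" pf_boot netif && echo "pf_boot runs before netif"
    rm -rf "$tmp"
fi
```

On a real FreeBSD host the same question is answered by running rcorder(8) over /etc/rc.d and /usr/local/etc/rc.d and checking where "pf" lands relative to "netif"; the tsort approximation here exists only so the check runs anywhere. In the constructed plain layout pf requires netif, so the computed order places interface configuration before the ruleset load, which is exactly the window the message asks people to either demonstrate or rule out; the added pf_boot script with "# BEFORE: netif" is one shape a reorder-based fix could take.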