Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Simon L. Nielsen simon at nitro.dk
Mon Jul 17 12:21:43 UTC 2006


On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:

> The "hole" being discussed is the time, during boot, before pf is fully
> functional with the production ruleset. For a comparatively long time,
> the pf module isn't even loaded yet. The time after module load and
> enabling pf with the production ruleset is much smaller.
> 
> So, you first need to check the boot sequence for
> 
>   - interfaces being brought up before pf is loaded
>   - addresses assigned to those interfaces
>   - daemons starting and listening on those addresses
>   - route table getting set up
>   - IP forwarding getting enabled
>   - etc.

Since nobody else seems to have actually done this, I took a look at
FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
see a hole.  Most importantly pf is enabled before routing.

Personally I would still like a default to deny knob, but that's
mainly to handle the case of an invalid ruleset which causes pf to be
left open.  Yes, this is only a problem when the admin screws up, but
it happens...

(I have been looking at a rc.conf knob which would only enable
routing/forwarding if pf was properly enabled with a configured
ruleset, but I haven't gotten around to finishing that.)

# rcorder -s nostart /etc/rc.d/*
/etc/rc.d/dumpon
/etc/rc.d/initrandom
/etc/rc.d/geli
/etc/rc.d/gbde
/etc/rc.d/encswap
/etc/rc.d/ccd
/etc/rc.d/swap1
/etc/rc.d/mdconfig
/etc/rc.d/ramdisk
/etc/rc.d/early.sh
/etc/rc.d/fsck
/etc/rc.d/root
/etc/rc.d/mountcritlocal
/etc/rc.d/var
/etc/rc.d/cleanvar
/etc/rc.d/random
/etc/rc.d/adjkerntz
/etc/rc.d/atm1
/etc/rc.d/hostname
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/kldxref
/etc/rc.d/sppp
/etc/rc.d/addswap
/etc/rc.d/sysctl
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/ipsec
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing
[...]

-- 
Simon L. Nielsen
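The two checks Simon describes, the rcorder ordering he verified by eye and the knob that would only enable forwarding once pf is up with a real ruleset, as an added shell example that is not part of the post. The pfctl(8) and sysctl(8) calls are real FreeBSD commands; the function names and all sample data are constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the list post: the "default to deny" knob
# Simon describes, as two checks. The pfctl(8)/sysctl(8) calls are real
# FreeBSD commands; all sample data below is constructed for offline use.

# rc_order_ok LIST FIRST SECOND: succeed if script FIRST precedes script
# SECOND in LIST, which is rcorder(8) output (one script path per line).
rc_order_ok() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        { n = split($0, p, "/"); name = p[n] }
        name == a && !seen_a { seen_a = NR }
        name == b && !seen_b { seen_b = NR }
        END { exit !(seen_a && seen_b && seen_a < seen_b) }'
}

# pf_ready STATUS RULES: succeed only when `pfctl -si` reports pf enabled
# AND `pfctl -sr` printed at least one rule. A pf.conf that fails to parse
# leaves pf enabled with an empty (pass-everything) ruleset; the second
# check is what catches that case.
pf_ready() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled' || return 1
    printf '%s\n' "$2" | grep -q '[^[:space:]]'   || return 1
}

# Live wrapper for an rc.d-style hook: turn forwarding on only if pf_ready.
enable_forwarding_if_pf_ready() {
    if pf_ready "$(pfctl -si 2>/dev/null)" "$(pfctl -sr 2>/dev/null)"; then
        sysctl net.inet.ip.forwarding=1
    else
        echo "pf not enabled with a ruleset; forwarding stays off" >&2
        return 1
    fi
}

# Constructed samples (an excerpt in the shape of the rcorder output above,
# and pfctl-style status/rule lines).
SAMPLE_ORDER='/etc/rc.d/netif
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing'
SAMPLE_STATUS_OK='Status: Enabled for 0 days 00:01:02           Debug: Urgent'
SAMPLE_RULES_OK='block drop all
pass in on em0 proto tcp from any to any port = ssh flags S/SA keep state'

if rc_order_ok "$SAMPLE_ORDER" pf routing &&
   pf_ready "$SAMPLE_STATUS_OK" "$SAMPLE_RULES_OK"; then
    echo "sample: pf runs before routing and has a ruleset; forwarding is safe"
fi
```

On a live box, enable_forwarding_if_pf_ready is the only function that touches the system; the other two work on captured text, so they can be run against the rcorder and pfctl output from any machine.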