Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
Damien Fleuriot
ml at my.gd
Fri Sep 14 16:52:02 UTC 2012
On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé <olivier at cochard.me> wrote:
> Hi,
> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
> option to the kernel configuration file:
> options PF_DEFAULT_TO_DROP
>
> Without this option, with an empty pf.conf: all traffic is permitted.
> With this option enabled, with an empty pf.conf: all traffic is
> dropped by default.
>
> If the attached file is removed, you can find the patch here:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622
>
> Regards,
>
> Olivier
> <freebsd.pf_drop.patch>
Is there any point to this?
I mean, PF has to be enabled manually anyway, so it's not like it adds any kind of default security.
Worse, it could lock careless people out.
People able to use this (read: who can rebuild a kernel) likely are intelligent enough to cobble up a default block rule for their pf.conf.
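As an added illustration (not part of Olivier's patch or of Damien's reply), this is the kind of explicit default-block pf.conf the reply refers to: with `block all` as the first rule, an empty or partially loaded ruleset no longer means "pass everything", so the behaviour does not depend on whether the kernel was built with PF_DEFAULT_TO_DROP. The interface name and the permitted services are assumptions.

```pf
# Added example pf.conf with an explicit default-deny rule.
# Assumptions: external interface em0, only SSH inbound, host-originated
# TCP/UDP/ICMP outbound.
ext_if = "em0"

# Never filter loopback.
set skip on lo0

# pf evaluates rules last-match-wins (unless "quick" is used), so this first
# rule is the fallback: anything no later rule matches is silently dropped,
# which is also what the proposed kernel option gives an empty ruleset.
block all

# The host's own outbound connections, with state so replies are allowed back.
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) keep state

# Inbound: SSH only.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
```

Because a default-deny rule is exactly what can lock a remote administrator out, parse the file first with `pfctl -nf /etc/pf.conf` (check syntax without loading), load it with `pfctl -f /etc/pf.conf`, and confirm the loaded ruleset with `pfctl -sr` while the existing SSH session still works.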