Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Daniel Hartmeier daniel at benzedrine.cx
Sun Jul 16 21:45:03 UTC 2006


On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:

> > Hence, a "default block" switch or compile time option _within_ pf is
> > not going to make any difference.
> 
> Sure it will, if pf is compiled into the kernel or loaded by the BTX
> loader.

Ok, in that case I guess you want to enable pf by default, too.

I haven't tried it in this mode, but the default block can be achieved
by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()

-       pf_default_rule.action = PF_PASS;
+       pf_default_rule.action = PF_DROP;

        bzero(&pf_status, sizeof(pf_status));
+	pf_status.running = 1;
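Review bot: the second hunk flips pf_status.running to 1 by hand right after the bzero(), bypassing whatever the normal enable path (pfctl -e) does beyond setting that flag; since the mail says this mode is untried, it is worth checking that a freshly attached pf in this state actually sees packets, otherwise the PF_DROP default from the first hunk is never applied and the "block until a ruleset is loaded" behaviour silently does not exist. Also the added line is indented with a tab while the surrounding context uses spaces, so the whitespace should be matched before this goes anywhere.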

That would then block all packets on all interfaces, until a ruleset is
loaded. If anything started through the startup scripts needs unblocked
packets (including the production ruleset loading requiring name
resolution over network), you'd need to first load a simpler temporary
ruleset to pass that, and finally replace it with the production
ruleset.

And, of course, if the boot sequence for any reason doesn't reach that
point, you can only fix stuff with local access... :)

I'm not sure the average user _really_ is worried enough about that
half a second period on boot. But I DO know there will be people locking
themselves out from far-away remote hosts (on updates, for instance) if
this becomes the default.

Daniel
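The two-stage load Daniel describes (a minimal temporary ruleset that lets the boot scripts and name resolution through, then the production ruleset) as an added shell example; this is not code from the mail or from FreeBSD's rc scripts. The nameserver, the admin network that may reach sshd during boot, and the file paths /etc/pf.boot.conf and /etc/pf.conf are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD's rc.d.
# Builds a deliberately small "bootstrap" ruleset: default block, loopback
# skipped, DNS out to one resolver, ssh in from one admin network (so a
# stalled boot does not lock out a remote operator). Everything else waits
# for the production ruleset. Addresses below are constructed placeholders.

boot_ruleset() {
    # $1 = resolver address, $2 = admin network allowed to ssh in
    cat <<EOF
set skip on lo0
block all
pass out quick proto { tcp udp } to $1 port domain keep state
pass in quick proto tcp from $2 to any port ssh keep state
EOF
}

write_boot_ruleset() {
    # $1 resolver, $2 admin network, $3 destination file
    boot_ruleset "$1" "$2" > "$3"
}

two_stage_load() {
    # $1 = bootstrap ruleset, $2 = production ruleset.
    # pfctl -f replaces the active ruleset atomically, so the window with
    # no ruleset at all is only the time between attach and the first -f.
    pfctl -f "$1" || return 1
    # -e reports an error if pf is already enabled (e.g. enabled at attach
    # as in the patch above); that is harmless here, so ignore it.
    pfctl -e 2>/dev/null || true
    pfctl -f "$2"
}

# Usage (assumed paths, run as root at boot):
#   write_boot_ruleset 192.0.2.53 203.0.113.0/24 /etc/pf.boot.conf
#   two_stage_load /etc/pf.boot.conf /etc/pf.conf
```

The bootstrap file is written from a function rather than shipped as a static file so the resolver and admin network come from one place (rc.conf-style variables) and cannot drift from the production ruleset; the production load is unconditional, so a syntax error in /etc/pf.conf leaves the bootstrap rules in place rather than an open or absent ruleset.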
