Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Greg Hennessy Greg.Hennessy at nviz.net
Sun Jul 16 22:56:39 UTC 2006


 
> I'm not sure the average user _really_ is worried enough 
> about that half a second period on boot. But I DO know there 
> will be people locking themselves out from far-away remote 
> hosts (on updates, for instance) if this becomes the default.

That is pretty much guaranteed. Murphy will always find a way to f*ck up a
reboot and simultaneously cause the 2611 on the console port to halt and
catch fire. 

If punters want a default block, IMHO it doesn’t get much easier than using
the mac_ifoff(4) kernel option discussed earlier on in the week; they can
tweak the pf startup to twiddle the relevant sysctl appropriately at the
right moment in time. 

In order to salve the consciences of those who know naught but tick boxes,
and more importantly make them STFU and annoy someone else, perhaps a
codicil to the FreeBSD pf.conf manpage, detailing the mac_ifoff approach as
a wholly unsupported solution for 'default block' to satisfy the anally
retentive. 


Greg


