Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

Travis H. solinym at gmail.com
Mon Jul 17 03:40:29 UTC 2006


I'm pretty much in agreement on the necessity to examine startup order, &c.

However,

On 7/16/06, Daniel Hartmeier <daniel at benzedrine.cx> wrote:
> That would then block all packets on all interfaces, until a ruleset is
> loaded. If anything started through the startup scripts needs unblocked
> packets (including the production ruleset loading requiring name
> resolution over network), you'd need to first load a simpler temporary
> ruleset to pass that, and finally replace it with the production
> ruleset.

Yes.  And it can have other effects, too; for example, squid won't
start up unless DNS is working.  And your main firewall ruleset might
have (gasp) DNS names in it... not that relying on DNS for firewall
rules is particularly wise, but it is certainly much more manageable,
and DNS _can_ be secure for local servers with the right amount of
work.  And IPv6 will basically make it effectively mandatory.

> And, of course, if the boot sequence for any reason doesn't reach that
> point, you can only fix stuff with local access... :)

Another person said:
> That is pretty much guaranteed. Murphy will always find a way to f*ck up a
> reboot and simultaneously cause the 2611 on the console port to halt and
> catch fire.

Tradeoff between security and convenience.

Murphy's law cuts both ways; if you're under an aggressive scan and
happen to have a power blip... or if the attacker can get your
firewall to spontaneously reboot... you have problems.  The basic
question is: do you want security or availability?  Seems to me this
should be a personal choice, and I think both sides have a point.
Making it a compile-time option or sysctl would solve it, wouldn't it?

> I'm not sure the average user _really_ is worried enough about that
> half a second period on boot. But I DO know there will be people locking
> themselves out from far-away remote hosts (on updates, for instance) if
> this becomes the default.

Generally, Unix has provided enough rope for people to hang themselves
(or their servers).

And then he said:
> If punters want a default block, IMHO it doesn't get much easier than using
> the mac_ifoff(4) kernel option discussed earlier on in the week, they can
> tweak the pf startup to twiddle the relevant sysctl appropriately at the
> right moment in time.

It's not particularly maintainable to be tweaking startup scripts; the
tweaks have a way of disappearing during upgrades, and I'm not about
to put all of etc under revision control to track one or two changes.
-- 
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
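The staged load Daniel describes above (block everything, pass just enough for name resolution, then replace with the production ruleset) as an added example. This is not code from the thread, from FreeBSD's rc.d or from NetBSD's pf_boot; it assumes resolvers are listed in /etc/resolv.conf, the production ruleset lives in /etc/pf.conf, and that whoever wires this into rc chooses where in the startup order it runs.

```shell
#!/bin/sh
# Added example, not from the thread or from any BSD rc.d script: a two-stage
# pf load at boot. Stage 1 installs a minimal "block all" ruleset that still
# passes loopback and DNS to the configured resolvers, so the production
# ruleset (which may contain hostnames) can be resolved and loaded as stage 2.
# Assumed paths: /etc/resolv.conf for resolvers, /etc/pf.conf for production.

# Print the stage-1 ruleset. $1 is a space-separated list of resolver IPs.
boot_ruleset() {
    if [ -n "$1" ]; then
        tbl="table <resolvers> { $1 }"
    else
        tbl="table <resolvers> persist"   # empty table: DNS stays blocked
    fi
    cat <<EOF
set block-policy drop
set skip on lo0
$tbl
block all
pass out proto { udp, tcp } to <resolvers> port domain
EOF
}

# Extract nameserver addresses from a resolv.conf-style file ($1).
resolvers_from_resolv_conf() {
    awk '$1 == "nameserver" { printf "%s ", $2 }' "${1:-/etc/resolv.conf}"
}

# Stage 1, then stage 2. If the production ruleset fails to parse (which is
# also what happens when its hostnames cannot be resolved), the restrictive
# stage-1 ruleset stays in force, i.e. the "security over availability" side
# of the tradeoff discussed in the thread, and the function returns non-zero
# so the rc framework can report it.
staged_pf_load() {
    pfctl -e 2>/dev/null || :
    boot_ruleset "$(resolvers_from_resolv_conf /etc/resolv.conf)" | pfctl -f -
    pfctl -n -f /etc/pf.conf || return 1
    pfctl -f /etc/pf.conf
}
```

Because `pfctl -n` resolves names at parse time, a DNS outage during boot leaves the host reachable only via the console, which is exactly the lockout the thread warns about; the alternative, appending a temporary "pass in on $mgmt_if proto tcp to port ssh" line to the stage-1 ruleset, is the availability side of the same choice.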


More information about the freebsd-security mailing list