On 7/14/06, Ari Suutari <[EMAIL PROTECTED]> wrote:
Hi,

Vlad GALU wrote:
> On 7/14/06, Ari Suutari <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> Does anyone know if there are any plans to bring
>> pf boot-time protection (ie. /etc/rc.d/pf_boot and
>> related config files) from NetBSD to FreeBSD ?
>>
>> This would close a small (but, as far as I understand, existing)
>> window during boot where the firewall is fully open (if using only
>> pf).
>>
>
>   See the mac_ifoff(4) manpage. You can disable your interfaces until
> the system is fully booted.

        How well would this work? I think that the idea of pf_boot
        is to disable incoming traffic, but allow certain outgoing
        traffic like dns. If dns doesn't work during startup (don't
        really know about mac_ifoff yet) it will cause problems, for
        example sendmail startup might hang for a while.

    It would disable all traffic until the system is up. That
includes outgoing traffic. Basically the problem is that pf, unlike
ipf/ipfw, doesn't have a "block everything by default" option, so the
firewall is open until the ruleset has been loaded. That can be solved
by either adding such an option or by having a "block all" rule
inserted early in the booting process, which would be removed upon
loading the rules from pf.conf. I think (I didn't check) that this is
exactly what the NetBSD script Simon was telling us about does.


        Ari S.




--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
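The early "block all" ruleset with DNS left open, as described in the exchange above, written as an rc-style sh script. This is an added example, not code from the thread and not NetBSD's pf_boot script; the function names, the outbound-DNS-only rule and the use of `pfctl -f -` to load from stdin are my assumptions.

```shell
# Boot-time pf lockdown modeled on the pf_boot idea from the thread.
# Hypothetical script: names and rule wording are assumptions, not the
# NetBSD original.

# Emit the minimal early ruleset: block everything, but let the host
# resolve names so daemons started later (e.g. sendmail) do not hang
# waiting on DNS. Replies to the lookups return via the state entries.
pf_boot_rules() {
    cat <<'EOF'
# early boot ruleset: replaced when /etc/pf.conf is loaded
set skip on lo0
block all
pass out quick proto { udp, tcp } to any port 53 keep state
EOF
}

# Count 'block' directives in a ruleset read on stdin, a sanity check
# that the emitted rules really close the boot-time window.
count_block_rules() {
    grep -c '^block'
}

# Load the early ruleset and enable pf. Only meaningful with a real
# pfctl, so it refuses to run where pfctl is absent.
pf_boot_start() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found" >&2; return 1; }
    pf_boot_rules | pfctl -q -f -     # load the ruleset from stdin
    pfctl -q -e 2>/dev/null || true   # enable pf; already enabled is fine
}

# Later in boot, loading the real configuration replaces the boot rules:
# pfctl -f installs the new ruleset in place of the old one, so the
# temporary "block all" disappears with it.
pf_load_full() {
    pfctl -q -f /etc/pf.conf
}

case "${1:-}" in
    start) pf_boot_start ;;
    full)  pf_load_full ;;
esac
```

Invoked as `sh pf_boot.sh start` early in the boot order and `sh pf_boot.sh full` once the network is configured; pfctl is only called inside those two branches.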
