On 7/14/06, Paul Schenkeveld <[EMAIL PROTECTED]> wrote:
I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK
instead of some magic script closing the hole between driver init and
configuration.  Always wondered how the OpenBSD -security minded- people
have come up with a packet filter that's open by default.

In /etc/rc OpenBSD sets up pfctl before it runs /etc/netstart.

The default ruleset is:
block all
pass on lo0
pass in proto tcp from any to any port 22 keep state
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto icmp all icmp-type echoreq keep state

Then there's some stuff about IPv6 and some stuff for NFS.

I'm not sure why they don't use "set skip" or "quick".

Still, it'd be nice to have a "default deny" compile option.

The question is, where do you check for this thing to be enabled?  I
suppose you could have both a default-deny compile option and a "block
all" at the top of the ruleset (or equivalently a "block quick all" at
the end), like wearing a belt and suspenders... wouldn't want
installing a new kernel to suddenly open you up, nor would you want to
have to remember the default deny rule when playing with different
rulesets...
--
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
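The "default deny in the ruleset" idea discussed above, written out as a pf.conf (an added illustration, not a file from the thread or from OpenBSD's /etc/rc). It shows the OpenBSD-style ruleset in its last-match-wins form, and the same policy restated with "quick". The second form is only equivalent if every pass rule also carries "quick": PF keeps evaluating after a non-quick match, so a trailing "block quick all" would otherwise match and win, and a closing block rule with "quick" is the belt-and-suspenders catch-all. Load one form at a time and syntax-check it first with `pfctl -nf`.

```pf
# Added example (not from the thread): default-deny ruleset, two forms.
# Check:  pfctl -nf /etc/pf.conf    Load:  pfctl -f /etc/pf.conf

# --- Form 1: last matching rule wins. "block all" goes first; the pass
#     rules below it override it for the traffic they match.
block all                                           # default deny, in and out
pass on lo0                                         # loopback (or: set skip on lo0)
pass in  proto tcp from any to any port 22 keep state
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto icmp all icmp-type echoreq keep state

# --- Form 2: first matching rule wins via "quick". Every pass must be
#     "quick"; otherwise the final "block quick all" still matches and wins.
#     (Commented out so the file loads as Form 1; swap the comments to use it.)
# pass quick on lo0
# pass in  quick proto tcp from any to any port 22 keep state
# pass out quick proto { tcp, udp } from any to any port 53 keep state
# pass out quick inet proto icmp all icmp-type echoreq keep state
# block quick all                                   # catch-all, must be last
```

Either form keeps the host closed by policy even if a future pf build changed its built-in default, which is the point of keeping the deny rule in the ruleset as well as (hypothetically) in the kernel config.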