On 7/14/06, Paul Schenkeveld <[EMAIL PROTECTED]> wrote:
> I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK
> instead of some magic script closing the hole between driver init and
> configuration. Always wondered how the OpenBSD -security minded- people
> have come up with a packet filter that's open by default.
In /etc/rc OpenBSD sets up pfctl before it runs /etc/netstart. The default ruleset is:

    block all
    pass on lo0
    pass in proto tcp from any to any port 22 keep state
    pass out proto { tcp, udp } from any to any port 53 keep state
    pass out inet proto icmp all icmp-type echoreq keep state

Then there's some stuff about IPv6 and some stuff for NFS. I'm not sure why they don't use "set skip" or "quick".

Still, it'd be nice to have a "default deny" compile option. The question is, where do you check for this thing to be enabled? I suppose you could have both a default-deny compile option and a "block all" at the top of the ruleset (or equivalently a "block quick all" at the end), like wearing a belt and suspenders... wouldn't want installing a new kernel to suddenly open you up, nor would you want to have to remember the default deny rule when playing with different rulesets...

-- 
``I am not a pessimist. To perceive evil where it exists is, in my opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
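The early-boot default-deny ruleset quoted above, rewritten with "set skip" and "quick" and with the trailing "block quick all" fallback the message mentions. This is an added example, not text from the original message or from OpenBSD's /etc/rc; it assumes lo0 is the loopback interface and that "keep state" must still be written explicitly, as pf of this era requires.

```pf
# Added example (not OpenBSD's /etc/rc ruleset): the same default-deny
# policy using "set skip" and "quick". Assumes lo0 is the loopback
# interface and that "keep state" must be given explicitly.

# Loopback is trusted: take it out of filtering entirely instead of
# evaluating every loopback packet against a "pass on lo0" rule.
set skip on lo0

# Default deny, logged to pflog0 so that anything dropped during the
# window between driver init and real configuration is visible.
# Without "quick" this is the last-matching fallback.
block log all

# Inbound management: SSH only, stateful. "quick" stops evaluation at
# the first matching rule, so later rules cannot silently override it.
pass in quick proto tcp from any to any port 22 keep state

# Outbound: DNS lookups and ICMP echo requests, stateful.
pass out quick proto { tcp, udp } from any to any port 53 keep state
pass out quick inet proto icmp all icmp-type echoreq keep state

# Belt and suspenders: equivalent to the "block log all" at the top.
# Every pass above is quick, so only packets that matched no pass rule
# reach this line, and both forms agree on the result.
block log quick all
```

Loading it with "pfctl -f" before /etc/netstart brings the interfaces up keeps the filter closed from the moment pf is enabled; the logged blocks on pflog0 show what the default-deny policy is catching.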