Hi,
Daniel Hartmeier wrote:
> And to get rid of the "hole", you need to get the order right so there is nothing being exposed before the pf module is loaded. Once you have ensured that nothing gets exposed before rc.d/pf is started, it's trivial to make sure that that script only exits after pf has been enabled and the production ruleset is in place.
Too much tuning on a security-related issue. The standard startup sequence should be secure. I really cannot understand what is so bad about /etc/rc.d/pf_boot that it cannot be added to FreeBSD, as NetBSD and OpenBSD use it or something similar. I'm not calling for a default block; others are, and use it as a reason not to use something like pf_boot.
> I think the chronological placement of rc.d/pf is already meant to achieve precisely that. Have you actually checked the rc.d scripts and found some order that needs to be adjusted?
I could of course adjust my rc.d scripts, but I would very much appreciate it if security-related things were set up correctly in the standard setup. I'll try to port pf_boot myself if nobody else volunteers. (I don't think there is much porting to do, however.)

Ari S.
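The readiness check Daniel describes above (a start script that only returns once pf is enabled and the production ruleset is actually loaded) is shown here as an added example; it is not code from this thread or from any FreeBSD, NetBSD or OpenBSD rc.d script. It assumes `pfctl` is on the path and that the `PFCTL` variable may be pointed at a stub when the functions are exercised outside a pf-capable host. It reads the `Status:` line of `pfctl -s info` and counts the lines of `pfctl -s rules`, which is enough to tell "pf enabled with a ruleset" from "pf loaded but still open".

```shell
#!/bin/sh
# Added example, not from the thread: functions an rc.d-style start script
# could call before exiting, so that services started later in the boot
# order never run while pf is disabled or the ruleset is still empty.
# PFCTL is assumed to be overridable so the logic can be tested with a stub.
PFCTL="${PFCTL:-pfctl}"

# Return 0 when pf reports itself enabled, 1 otherwise.
# pfctl -s info prints a line starting with "Status: Enabled" or "Status: Disabled".
pf_enabled() {
    "$PFCTL" -s info 2>/dev/null | grep -q '^Status: Enabled'
}

# Return 0 when at least one filter rule is loaded, 1 for an empty ruleset.
pf_ruleset_loaded() {
    [ "$("$PFCTL" -s rules 2>/dev/null | grep -c .)" -gt 0 ]
}

# Poll until pf is enabled and the ruleset is in place, or give up.
# Usage: pf_wait_ready <attempts> <seconds between attempts>
# Returns 0 when ready, 1 when the attempt budget is exhausted.
pf_wait_ready() {
    attempts="${1:-5}"
    delay="${2:-1}"
    while [ "$attempts" -gt 0 ]; do
        if pf_enabled && pf_ruleset_loaded; then
            return 0
        fi
        attempts=$((attempts - 1))
        if [ "$attempts" -gt 0 ]; then
            sleep "$delay"
        fi
    done
    return 1
}

# Typical use at the end of a start script (left as a comment so the file
# defines functions only when sourced):
#   pf_wait_ready 10 1 || { echo "pf not ready, refusing to continue" >&2; exit 1; }
```

A start script that ends with the `pf_wait_ready ... || exit 1` line above fails loudly instead of letting the boot proceed with an open firewall, which is the ordering guarantee the quoted message is asking for.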