On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
> > Hence, a "default block" switch or compile time option _within_ pf is
> > not going to make any difference.
>
> Sure it will, if pf is compiled into the kernel or loaded by the BTX
> loader.
Ok, in that case I guess you want to enable pf by default, too. I haven't tried it in this mode, but the default block can be achieved by simply changing sys/contrib/pf/pf_ioctl.c pf_attach():

- pf_default_rule.action = PF_PASS;
+ pf_default_rule.action = PF_DROP;
  bzero(&pf_status, sizeof(pf_status));
+ pf_status.running = 1;

That would then block all packets on all interfaces, until a ruleset is loaded. If anything started through the startup scripts needs unblocked packets (including the production ruleset loading requiring name resolution over network), you'd need to first load a simpler temporary ruleset to pass that, and finally replace it with the production ruleset.

And, of course, if the boot sequence for any reason doesn't reach that point, you can only fix stuff with local access... :)

I'm not sure the average user _really_ is worried enough about that half a second period on boot. But I DO know there will be people locking themselves out from far-away remote hosts (on updates, for instance) if this becomes the default.

Daniel

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
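Review bot: with `pf_status.running = 1;` added right after the bzero(), pf is switched on at attach time with the default rule already set to PF_DROP and no ruleset loaded, so every packet on every interface, loopback included, is dropped until pfctl loads rules; any boot step that needs the network before that point (the name resolution the production ruleset may itself require, as the message notes) will stall, and a boot that never reaches the ruleset load leaves the host reachable only from the console. Since the thread is about a switch or compile-time option rather than an unconditional change, the two `+` lines should be guarded by a kernel option (for example `#ifdef PF_DEFAULT_DROP`, a name suggested here, not one that exists) so the default-pass build remains available. The three-line fragment also omits the surrounding function context; a full unified diff would make the placement within pf_attach() unambiguous.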
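The bootstrap ruleset the message describes (pass only what the boot sequence needs, then replace it with the production ruleset) looks roughly like the following pf.conf fragment. This is an added example, not part of the original mail or of pf itself; the interface name em0, the management network, and the path /etc/pf.boot.conf are assumptions.

```pf
# /etc/pf.boot.conf (assumed path): temporary ruleset loaded early in boot,
# replaced by the production ruleset once the network and DNS are usable.
ext_if   = "em0"               # assumed interface name
mgmt_net = "192.0.2.0/24"      # assumed management network (documentation range)

set skip on lo0                # never filter loopback

block all                      # same posture as the default-drop rule in the patch

# DNS, so the production ruleset can resolve hostnames when it is loaded
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state

# ssh from the management network only, so remote recovery stays possible
pass in quick on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22 keep state

# Load order (commands, not part of the ruleset file):
#   pfctl -f /etc/pf.boot.conf     early in the boot sequence
#   pfctl -f /etc/pf.conf          after the network is up
```

Keeping the ssh rule restricted to a known management network is what makes the "locked out of a far-away host" failure mode recoverable without console access: if the production ruleset fails to load, the bootstrap rules still admit an administrator from that network.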