On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote: > The "hole" being discussed is the time, during boot, before pf is fully > functional with the production ruleset. For a comparatively long time, > the pf module isn't even loaded yet. The time after module load and > enabling pf with the production ruleset is much smaller. > > So, you first need to check the boot sequence for > > - interfaces being brought up before pf is loaded > - addresses assigned to those interfaces > - daemons starting and listening on those addresses > - route table getting set up > - IP forwarding getting enabled > - etc.
Since nobody else seems to have actually done this, I took a look at FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really see a hole. Most importantly pf is enabled before routing. Personally I would still like a default to deny knob, but that's mainly to handle the case of an invalid ruleset which causes pf to be left open. Yes, this is only a problem when the admin screws up, but it happens... (I have been looking at a rc.conf know which would only enable routing/forwarding if pf was properly enabled with a configured ruleset, but I haven't gotten around to finishing that.) # rcorder -s nostart /etc/rc.d/* /etc/rc.d/dumpon /etc/rc.d/initrandom /etc/rc.d/geli /etc/rc.d/gbde /etc/rc.d/encswap /etc/rc.d/ccd /etc/rc.d/swap1 /etc/rc.d/mdconfig /etc/rc.d/ramdisk /etc/rc.d/early.sh /etc/rc.d/fsck /etc/rc.d/root /etc/rc.d/mountcritlocal /etc/rc.d/var /etc/rc.d/cleanvar /etc/rc.d/random /etc/rc.d/adjkerntz /etc/rc.d/atm1 /etc/rc.d/hostname /etc/rc.d/ipfilter /etc/rc.d/ipnat /etc/rc.d/ipfs /etc/rc.d/kldxref /etc/rc.d/sppp /etc/rc.d/addswap /etc/rc.d/sysctl /etc/rc.d/serial /etc/rc.d/netif /etc/rc.d/devd /etc/rc.d/ipsec /etc/rc.d/isdnd /etc/rc.d/ppp /etc/rc.d/ipfw /etc/rc.d/nsswitch /etc/rc.d/ip6addrctl /etc/rc.d/atm2 /etc/rc.d/pfsync /etc/rc.d/pflog /etc/rc.d/pf /etc/rc.d/routing [...] -- Simon L. Nielsen
pgpfg7AN4wSph.pgp
Description: PGP signature
