On 7/17/06, Simon L. Nielsen <[EMAIL PROTECTED]> wrote:
> Personally I would still like a default to deny knob, but that's
> mainly to handle the case of an invalid ruleset which causes pf to be
> left open.  Yes, this is only a problem when the admin screws up, but
> it happens...

Since you mention it, this would have been useful to me too.  My
dynamic firewall daemon manages the ruleset (see homepage), and not
all rules are sent to pf at once, and the active rules persist across
reboots.  In my case, I made a simple error in the script, it flushed
the rules (I think...), failed to load a ruleset, but in any case I
ended up with an invalid ruleset at boot time, and consequently a
completely open firewall.

Subsequent to this, I made sure it wouldn't happen again in various
ways, but since I didn't have adequate reporting I didn't know it was
wide open until several days later.  It may be that I hung myself, but
I'm pretty good with firewalls and if it can happen to me it can
happen to others.   OTOH, if it had had default block, I would have
known immediately.

Fortunately I didn't seem to suffer any ill effects; the obsd firewall
runs minimal services.
--
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
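As an added illustration of the failure mode described in this exchange (an invalid ruleset at boot leaving pf wide open), and not code from this thread or from the poster's firewall daemon: a small fail-closed loader that parse-checks a ruleset before loading it and, if pf rejects it, installs a deny-all ruleset instead of leaving whatever pf happens to have. It assumes pfctl(8) is in PATH with its standard -nf (parse only), -f (load) and -e (enable) options; the PFCTL and FALLBACK override variables and the /tmp fallback path are this example's own inventions so the logic can be exercised without a live pf.

```shell
#!/bin/sh
# Fail-closed pf ruleset loader (added example, not from the thread).
# PFCTL and FALLBACK are hypothetical overrides for testing; with defaults
# it drives the real pfctl(8) in PATH.
PFCTL="${PFCTL:-pfctl}"
FALLBACK="${FALLBACK:-/tmp/pf.fallback.conf}"   # hypothetical path

# write_fallback FILE
# Write a minimal ruleset that drops everything except loopback traffic,
# so a failed load degrades to "closed" rather than "open".
write_fallback() {
    cat > "$1" <<'EOF'
# Emergency ruleset written by the fail-closed loader: deny all but loopback.
set skip on lo0
block all
EOF
}

# load_failclosed RULESET
# Exit status: 0 = RULESET loaded; 2 = RULESET rejected, deny-all fallback
# loaded instead; 3 = even the fallback could not be loaded.
load_failclosed() {
    ruleset=$1
    # Parse-only check first (-n); only a ruleset that parses reaches -f.
    if "$PFCTL" -nf "$ruleset" >/dev/null 2>&1 && "$PFCTL" -f "$ruleset" >/dev/null 2>&1; then
        "$PFCTL" -e >/dev/null 2>&1 || true   # "already enabled" is not an error
        return 0
    fi
    # The ruleset was rejected: replace it with the deny-all fallback and
    # make the failure visible instead of leaving pf open until someone looks.
    write_fallback "$FALLBACK"
    if "$PFCTL" -f "$FALLBACK" >/dev/null 2>&1; then
        "$PFCTL" -e >/dev/null 2>&1 || true
        logger -t pf-loader "ruleset $ruleset rejected; deny-all fallback loaded" 2>/dev/null || true
        return 2
    fi
    logger -t pf-loader "ruleset $ruleset rejected AND fallback failed; pf state unknown" 2>/dev/null || true
    return 3
}

# Run directly as: sh pf-load.sh /etc/pf.conf
if [ $# -gt 0 ]; then
    load_failclosed "$1"
fi
```

Used from rc or a reload script in place of a bare `pfctl -f`, a rejected ruleset now yields a host that drops everything except loopback and logs the rejection, rather than one that silently passes all traffic until someone notices days later.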