Simon L. Nielsen <[EMAIL PROTECTED]> writes: > On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote: > >> The "hole" being discussed is the time, during boot, before pf is fully >> functional with the production ruleset. For a comparatively long time, >> the pf module isn't even loaded yet. >> >> So, you first need to check the boot sequence for >> >> - interfaces being brought up before pf is loaded >> - addresses assigned to those interfaces >> - daemons starting and listening on those addresses >> - route table getting set up >> - IP forwarding getting enabled >> - etc. > > Since nobody else seems to have actually done this, I took a look at > FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really > see a hole. Most importantly pf is enabled before routing.
> # rcorder -s nostart /etc/rc.d/* [...] > /etc/rc.d/ipfilter > [...] > /etc/rc.d/sysctl [...] > /etc/rc.d/pf > /etc/rc.d/routing > [...] But net.inet.ip.forwarding=1 can also be set in sysctl.conf(5), as well as many other options like bridging, ... (I don't know if it is usual to do so) _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
