On 7/5/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
> On Thursday 06 July 2006 01:35, c.s.r.c.murthy wrote:
> > "block all" in pf.conf is ok, but it will go away when the rules are
> > flushed for known/unknown reasons. I feel it is desirable to have a
> > kernel parameter that does default blocking when all rules are flushed.
>
> The developers think otherwise:
> http://www.benzedrine.cx/pf/msg07442.html

That thread is the result of FreeBSD being lazy in their porting
(because /etc/rc wasn't changed to set up a default 'block all' on
boot before bringing up the network) so it's not directly applicable
to this "rules are flushed" case.

However, why the hell would you ever randomly flush your rules "for
unknown reasons"? You shouldn't be giving people you can't trust not
to do that the ability to do that. As for "known reasons", it's your
own fault if you flush your rules without reloading at least a "block
all". If you just do something like
# pfctl -F all && echo "block all" | pfctl -f -
then the switch over to the new ruleset is pretty snappy and hardly
enough time for any malicious packets to get through.
It shouldn't even be an issue since you shouldn't be testing rules on
a production system anyway, or if you are and you are paranoid then
you can simply 1) take down interfaces before working on pf 2) turn
off routing.

-Nick
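A defensive reload script along the lines Nick describes, added here as an example and not code from the original thread: it parses the new ruleset before touching anything, relies on pfctl -f replacing the running ruleset in a single step (so there is no flush-then-load window at all), and falls back to "block all" if the load fails, so a bad reload leaves the box closed rather than open. The PFCTL variable and the pf_safe_reload/pf_flush_closed names are assumptions of this example; PFCTL only exists so the logic can be exercised with a stand-in command on a machine without PF.

```shell
#!/bin/sh
# Added example: reload a PF ruleset without ever leaving the firewall wide open.
# Assumes pfctl(8) semantics: "pfctl -nf FILE" parses without loading,
# "pfctl -f FILE" replaces the running ruleset in one step, and
# "pfctl -F all" flushes rules, NAT, tables and state.

PFCTL="${PFCTL:-pfctl}"   # hypothetical override; lets the logic run with a stand-in command

# Fallback ruleset used only when a load fails: drop everything, never pass everything.
FALLBACK_RULES='block all'

# Validate, then load. Returns 0 = new rules live, 2 = parse error (running
# ruleset untouched), 1 = load failed and the fallback ruleset was installed.
pf_safe_reload() {
    conf="$1"
    # Parse-only check: a syntax error here never reaches the kernel.
    if ! "$PFCTL" -nf "$conf" >/dev/null 2>&1; then
        echo "pf_safe_reload: $conf failed to parse; running ruleset untouched" >&2
        return 2
    fi
    # pfctl -f swaps the new ruleset in atomically, so no flush-then-load gap.
    if "$PFCTL" -f "$conf" >/dev/null 2>&1; then
        return 0
    fi
    # Load failed: make sure the box ends up closed, not open.
    echo "pf_safe_reload: load failed; installing '$FALLBACK_RULES'" >&2
    printf '%s\n' "$FALLBACK_RULES" | "$PFCTL" -f -
    return 1
}

# When you really must flush (e.g. to clear state tables), follow the flush
# with "block all" in the same command line, as in Nick's one-liner.
pf_flush_closed() {
    "$PFCTL" -F all >/dev/null 2>&1 && printf '%s\n' "$FALLBACK_RULES" | "$PFCTL" -f -
}

# Stand-alone use: ./pf_reload.sh /etc/pf.conf
if [ -n "${1:-}" ]; then
    pf_safe_reload "$1"
fi
```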
