* c.s.r.c.murthy <[EMAIL PROTECTED]> [2006-07-05 07:25]:
> "block all" in pf.conf is ok, but it will go away when the rules are
> flushed for known/unknown reasons. I feel it is desirable to have a
> kernel parameter that does default blocking when all rules are flushed.
then certainly you want the patch below, to protect the ruleset from being
replaced by
pass all
for known/unknown reasons.
Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.512
diff -u -p -r1.512 pf.c
--- pf.c 17 May 2006 14:50:47 -0000 1.512
+++ pf.c 5 Jul 2006 11:16:05 -0000
@@ -5847,6 +5847,8 @@ pf_test(int dir, struct ifnet *ifp, stru
struct pf_pdesc pd;
int off, dirndx, pqid = 0;
+ return (PF_DROP);
+
if (!pf_status.running)
return (PF_PASS);
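Review bot: the unconditional `return (PF_DROP);` at the top of pf_test() makes every line after it unreachable, so this drops all IPv4 traffic unconditionally rather than only when the ruleset has been flushed; it also sits before the `if (!pf_status.running) return (PF_PASS);` check, so disabling pf no longer restores forwarding. A "default block when no rules are loaded" would instead have to test whether the active ruleset is empty and only then return PF_DROP, leaving the normal rule evaluation below intact. Minor: the hunk adds the blank line after the new statement, while the pf_test6() hunk puts it before; pick one.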
@@ -6175,6 +6177,8 @@ pf_test6(int dir, struct ifnet *ifp, str
struct pf_ruleset *ruleset = NULL;
struct pf_pdesc pd;
int off, terminal = 0, dirndx;
+
+ return (PF_DROP);
if (!pf_status.running)
return (PF_PASS);
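Review bot: same problem as in pf_test(): the early `return (PF_DROP);` in pf_test6() unconditionally drops all IPv6 traffic and makes the rest of the function, including the `pf_status.running` check, dead code; expect the compiler to flag unreachable statements. If the intent is a safety net for a flushed ruleset, the drop needs to be conditional on the ruleset being empty, and the blank-line placement should match the pf_test() hunk.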
--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)