On Sun, Jan 30, 2011 at 10:48:17PM +0100, Henning Brauer wrote:
| * Peter Hessler <phess...@theapt.org> [2011-01-30 22:23]:
| > On 2011 Jan 30 (Sun) at 19:04:50 +0100 (+0100), Henning Brauer wrote:
| > :* Stuart Henderson <s...@spacehopper.org> [2011-01-30 19:03]:
| > :> I disagree, I think it is worth mentioning explicitly - I have seen
| > :> a few people run into problems because they don't realise the implicit
| > :> rule is effectively "pass flags any no state".
| > :
| > :hmm. ppl should not rely on the implicit pass at all.
| > :last not least we put an explicit pass rule in the default pf.conf.
| > :
| > agreed, but this is a point of confusion for many.
|
| is that really the case?

I was confused by it, definitely. After the move to 'pass keeps state by default', I ran into a situation where I expected that having pf enabled with block rules only for specific traffic would keep state. Took some time to figure out my assumption was wrong.

| that isn't new behaviour, and I don't remember anything in that
| direction coming up before.
|
| my fear is simply that: the more we talk about this default pass
| behaviour, the more ppl might find it clever to rely on it. and that
| is bad.

I think people already rely on it; my bet is that defaulting to 'block all' would make many people's firewalls give them unexpected results (which is a problem all by itself, but that's beside the point :)

Paul

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
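The pitfall Paul describes, as an added example that is not part of this thread and not OpenBSD's own /etc/pf.conf: a ruleset consisting only of block rules, beside the default-deny-plus-explicit-pass form that leaves nothing to the implicit rule. The interface name em0 and the port numbers are assumptions chosen for illustration.

```pf
# Constructed example, not from the thread. Assumed interface: em0.
ext_if = "em0"
set skip on lo

# Ruleset A: block rules only. Every packet that matches neither block
# line falls through to pf's implicit default rule, which passes it
# WITHOUT creating state (the "pass flags any no state" behaviour
# discussed above). The allowed traffic still flows, but none of it is
# tracked, so `pfctl -ss` shows no states for it and no flag or
# sequence checking is applied to it.
block in on $ext_if proto tcp to port 23
block in on $ext_if proto tcp to port 445

# Ruleset B: the same machine, but nothing is left to the implicit rule.
# pf is last-match-wins (absent `quick`), so the blanket `block return`
# goes first and the explicit `pass` lines after it decide what is
# allowed. A plain `pass` keeps state by default, so reply traffic is
# matched against the state table instead of being re-evaluated.
# (Use one ruleset or the other; both are shown in one file only so the
# two forms sit side by side.)
block return
pass out on $ext_if
pass in on $ext_if proto tcp to port 22
```

To check which form a running box actually has: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -sr` prints the loaded rules (an implicit pass never appears there, which is exactly why it gets overlooked), and `pfctl -ss` shows whether the traffic you care about is producing state entries at all.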