Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.c

Board: FB_security, posted 2006/07/17 02:54
Hi,

Daniel Hartmeier wrote:
> And to get rid of the "hole", you need to get the order right so there
> is nothing being exposed before the pf module is loaded. Once you have
> ensured that nothing gets exposed before rc.d/pf is started, it's
> trivial to make sure that that script only exits after pf has been
> enabled and the production ruleset is in place.

Too much tuning on a security-related issue. The standard startup sequence should be secure. I really cannot understand what is so bad about /etc/rc.d/pf_boot that it cannot be added to FreeBSD as NetBSD & OpenBSD use it or something similar. I'm not yelling after default block - others are and use it as a reason not to use something like pf_boot.

> I think the chronological placement of rc.d/pf is already meant to
> achieve precisely that, have you actually checked the rc.d scripts and
> found some order that needs to be adjusted?

I could of course adjust my rc.d scripts, but I would very much appreciate that security-related things are there correctly in standard setup.

I'll try to port pf_boot myself if nobody else volunteers. (I don't think there is much porting to do, however).

Ari S.