Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.c

Board: FB_security, posted 2006/07/17 04:20 (19 years ago), thread 3/7
Hi,

Daniel Hartmeier wrote:
> You claimed there was a hole. If you can't explain what it consists of
> ("thing X might get exposed prior to rc.d/pf due to the following
> sequence of events..."),

On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that pf is run after netif, so if one is using only pf as a firewall, there is a window between the runs of "netif" and "pf" where network interfaces are up but there is no firewall loaded. Adding pf_boot, which runs before "netif", would fix this, wouldn't it? Please correct me if I'm wrong here (that would be nice, since then there wouldn't be any problem at all).

> blindly sticking in pf_boot at some convenient
> place in the boot order is not guaranteed to solve more than it can
> break.

I don't think I have been talking about blindly sticking pf_boot into the boot order. I would only like to be sure that there *is* no hole. I have been suggesting using pf_boot because it seems to be the approach used in the other BSDs (well, I must admit that I didn't check how OpenBSD does it, but I know that there is some kind of boot-time ruleset there). I assumed that since the pf_boot solution is there, possible problems with it had been ironed out on the other BSDs. Even Windows XP has boot-time firewall protection today - we don't want to be worse than them, do we :-)

Ari S.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
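As an added illustration (not part of Ari's post, and not FreeBSD's or any other BSD's own rc.d code): a small sh check that reads an rcorder listing and reports whether a firewall script is ordered before netif, together with a template of the kind of pf_boot rc.d script the post proposes. The PROVIDE/REQUIRE/BEFORE keyword lines are what rcorder sorts on; the boot ruleset path /etc/pf.boot.conf, the script body and the sample listings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post, nor FreeBSD's own rc.d scripts).
# Assumes: rc.d scripts ordered by rcorder keywords (PROVIDE/REQUIRE/BEFORE),
# a pf kernel module named "pf", pfctl(8), and an assumed boot ruleset
# path /etc/pf.boot.conf.

# Read an rcorder listing (one script path per line on stdin) and report
# whether the firewall script named in $1 is ordered before netif.
# Returns 0 if it precedes netif, 1 if it follows, 2 if either is missing.
firewall_before_netif() {
    fw="$1"
    fw_pos=""
    net_pos=""
    n=0
    while IFS= read -r path; do
        n=$((n + 1))
        case "${path##*/}" in
            "$fw")  fw_pos=$n ;;
            netif)  net_pos=$n ;;
        esac
    done
    if [ -z "$fw_pos" ] || [ -z "$net_pos" ]; then
        return 2
    fi
    [ "$fw_pos" -lt "$net_pos" ]
}

# Print an rc.d script that rcorder places before netif (because of
# "BEFORE: netif") and that loads a deny-by-default ruleset. Template
# written for this example; rc.d/pf later replaces it with /etc/pf.conf.
pf_boot_script() {
    cat <<'EOF'
#!/bin/sh
#
# PROVIDE: pf_boot
# REQUIRE: root mountcritlocal
# BEFORE: netif
# KEYWORD: nojail

. /etc/rc.subr

name="pf_boot"
rcvar="pf_enable"
start_cmd="pf_boot_start"
stop_cmd=":"

pf_boot_start()
{
    # Block everything except loopback before any interface is configured.
    kldload pf 2>/dev/null || :
    pfctl -f /etc/pf.boot.conf && pfctl -e
}

load_rc_config $name
run_rc_command "$1"
EOF
}

# Minimal boot ruleset for the assumed /etc/pf.boot.conf.
pf_boot_ruleset() {
    printf '%s\n' 'set skip on lo0' 'block all'
}

# Constructed rcorder excerpts (not real 6.1 output), in the order the post describes.
ORDER_STOCK="/etc/rc.d/mountcritlocal
/etc/rc.d/netif
/etc/rc.d/pf"
ORDER_WITH_PF_BOOT="/etc/rc.d/mountcritlocal
/etc/rc.d/pf_boot
/etc/rc.d/netif
/etc/rc.d/pf"

# Demonstration; on a real host use:  rcorder /etc/rc.d/* | firewall_before_netif pf
if printf '%s\n' "$ORDER_STOCK" | firewall_before_netif pf; then
    echo "stock order: firewall loaded before netif"
else
    echo "stock order: window between netif and pf"
fi
if printf '%s\n' "$ORDER_WITH_PF_BOOT" | firewall_before_netif pf_boot; then
    echo "with pf_boot: boot ruleset loaded before netif"
fi
```

The check only reads the listing, so it is safe to run on a production box; the template is a starting point to drop into /etc/rc.d and confirm with rcorder that pf_boot now sorts ahead of netif.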
Article ID (AID): #14kf-V00 (FB_security)