Re: Any ongoing effort to port /etc/rc.d/pf_boot,

Board: FB_security; Author: (not shown); Time: 19 years ago (2006/07/17 05:16); Votes: 0 (0 push, 0 boo, 0 neutral)
0 comments, 0 participants; post 5 of 16 in this thread
--- Ari Suutari <ari@suutari.iki.fi> wrote:
> On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
> pf is run after netif so if one is using only pf as firewall,
> there is a window between run of "netif" and "pf" where network
> interfaces are up but there is no firewall loaded. Adding
> pf_boot, which runs before "netif" would fix this, wouldn't it ?

Hi!

I would feel better when the box is either completely unreachable (due to disabled hardware (e.g. a down'ed interface)) or at least protected by a packet filter _all_ the time... That is one reason why I use ipfw _and_ pf at the same time on all my boxes...

As you can see in appendix A, ipfw2 is initialized even before the hard disks but after the network interfaces, which are detected some lines earlier. Are the NICs still down and _safe_ after that detection phase?

Isn't it possible to just activate pf just like ipfw in order to deny all incoming and outgoing traffic (to me it looks like a design flaw when the boot-up scripts rely on a misconfigured/disabled packet filter...)?

Bye
Arne

appendix A:

[...]
Jul 16 06:58:53 neo kernel: vr0: Ethernet address: 00:0a:e6:XX:XX:XX
[...]
Jul 16 06:58:53 neo kernel: ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to deny, logging disabled
Jul 16 06:58:53 neo kernel: ad0: 194481MB <Maxtor 6L200P0 BAH41E00> at ata0-master UDMA133
[...]

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
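The ordering check Ari describes (does a packet-filter script run before netif, and if not, which scripts execute while the interfaces are up and unfiltered?), written out as an added example; this is not code posted in the thread or shipped with FreeBSD. It works on the text rcorder(8) prints, one rc.d script path per line, so it can be run against a saved listing from any machine. The two boot orders below are constructed for the demonstration, modelled on the 6.1 ordering the thread describes (pf after netif) and on the proposed, here hypothetical, pf_boot script placed before netif; they are not copied from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): locate the unprotected window Ari
# describes in an rcorder(8) boot order, i.e. the rc.d scripts that run
# between "netif" (interfaces come up) and the first packet-filter script
# the box actually relies on. It works on the text rcorder prints (one script
# path per line), so it can also be run on a saved listing where rcorder is absent.

# check_fw_order [FILTERS]
#   stdin:   boot order, one rc.d script path per line (`rcorder /etc/rc.d/*`)
#   FILTERS: space-separated script names that load your rules
#            (default "pf ipfw ipfilter"; the proposed pf_boot can be added)
#   Prints a one-line verdict; returns 0 if a listed filter precedes netif,
#   1 if there is a gap or either side is missing from the order.
check_fw_order() {
    awk -v filters="${1:-pf ipfw ipfilter}" '
        BEGIN { n = split(filters, f, " "); for (i = 1; i <= n; i++) want[f[i]] = 1 }
        { pos++; name = $0; sub(".*/", "", name) }              # basename of the script
        name == "netif" && !netif { netif = pos }
        (name in want) && !fw { fw = pos; fwname = name }        # first listed filter in the order
        netif && !fw && name != "netif" { between[++k] = name }  # runs with interfaces up, no filter
        END {
            if (!netif) { print "netif not in boot order"; exit 1 }
            if (!fw)    { print "no packet filter in boot order"; exit 1 }
            if (fw < netif) { printf "OK: %s runs before netif\n", fwname; exit 0 }
            printf "GAP: %d script(s) run between netif and %s:", k, fwname
            for (i = 1; i <= k; i++) printf " %s", between[i]
            print ""
            exit 1
        }'
}

# Constructed boot order, modelled on the FreeBSD 6.1 ordering the thread
# describes (pf after netif); abridged and not copied from a real system.
sample_order_6_1() {
    cat <<'EOF'
/etc/rc.d/sysctl
/etc/rc.d/ipfilter
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/routing
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/ipfw
EOF
}

# Same constructed order with a hypothetical pf_boot script ordered before
# netif, as Ari proposes.
sample_order_pf_boot() {
    cat <<'EOF'
/etc/rc.d/sysctl
/etc/rc.d/pf_boot
/etc/rc.d/ipfilter
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/routing
/etc/rc.d/pflog
/etc/rc.d/pf
EOF
}

# Stand-alone demo. On a real box: rcorder /etc/rc.d/* | check_fw_order pf
sample_order_6_1     | check_fw_order pf           || :
sample_order_6_1     | check_fw_order "pf ipfw"    || :
sample_order_pf_boot | check_fw_order "pf_boot pf" || :
```

Pass only the filters whose rules you actually load: with the default list, ipfilter before netif would report OK on a box that has no ipf rules at all. The non-zero exit status lets the check sit in a periodic or post-upgrade script that fails loudly when an rc.d change reopens the window.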
Article ID (AID): #14kgob00 (FB_security)