Re: Any ongoing effort to port /etc/rc.d/pf_boot,

Board: FB_security, author: (not shown), posted 19 years ago (2006/07/17 08:02), votes: 0 (0/0/0)
0 comments, 0 participants, post 9/16 in this thread
On 2006-07-16 23:44, Daniel Hartmeier <daniel@benzedrine.cx> wrote:
>On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
>>> Hence, a "default block" switch or compile time option _within_ pf is
>>> not going to make any difference.
>>
>> Sure it will, if pf is compiled into the kernel or loaded by the BTX
>> loader.
>
> Ok, in that case I guess you want to enable pf by default, too.
>
> I haven't tried it in this mode, but the default block can be achieved
> by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()
>
> - pf_default_rule.action = PF_PASS;
> + pf_default_rule.action = PF_DROP;
>
> bzero(&pf_status, sizeof(pf_status));
> + pf_status.running = 1;

If this is the only change needed, then do you think it would be nice to
have it as a compile-time option, like IPFW does? Something like this
perhaps?

options PF_DEFAULT_TO_ACCEPT #allow everything by default

I haven't verified that this is the _only_ change needed to make PF block
everything by default, but having it as a compile-time option which
defaults to block everything would be nice, right?

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
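Review bot: the two changes in pf_attach() are unconditional, so as written they make every pf kernel default-drop and switch pf on (pf_status.running = 1) at attach time, before any ruleset has been loaded; that is the intended early-boot "default block", but it means all traffic hits the PF_DROP default rule until pfctl runs, and Daniel states he has not tried it in this mode. If this is to become the compile-time default suggested in the reply, wrap both the `pf_default_rule.action = PF_DROP;` and the `pf_status.running = 1;` lines in the proposed option rather than hard-coding them, and have the commit message say explicitly that pf starts enabled with an empty ruleset so the behaviour change is documented.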
Article code (AID): #14kjEX00 (FB_security)