Re: Any ongoing effort to port /etc/rc.d/pf_boot,
Okay, now this is getting pretty pointless. It started out pretty promising with an attempt to really investigate a problem that might exist with the way we boot up pf. No-one has yet provided evidence that it does exist, though. What Daniel and others have suggested is that interested parties look at the boot process closely, identify possible windows of vulnerability and propose a *proper* fix in the form of a reordering of the boot process, an early pf_boot or something else.
As more and more people are screaming for rope to hang themselves with, I am going to provide it. As we have established, the "fix" is a three-line change in pf_ioctl.c and otherwise non-intrusive. You will of course have to rewrite your rulesets if you have a default-to-block policy, but since you care about security, that's a little price to pay - right?
I would love to see somebody[tm] *really* looking into the boot process and coming up with a solution if we do have a problem there.
Otherwise I will post a patch for PF_DEFAULT_BLOCK after a few days of cool-off time; if people still think it's a good idea then, I'll commit it.
Thanks.
-- 
/"\ Best regards,                      | mlaier@freebsd.org
\ / Max Laier                          | ICQ #67774661
 X  http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \ ASCII Ribbon Campaign              | Against HTML Mail and News
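The check the message asks for, looking at the boot order for a window in which network interfaces are configured before pf has loaded a ruleset, as an added example that is not part of this thread and not FreeBSD's own rc.d code: it reads an rcorder(8) listing on standard input and reports whether the netif script is ordered before the pf script. The script names used in the patterns and the two sample listings are constructed for the example; on a live system the listing to feed it comes from rcorder over /etc/rc.d and the local rc.d directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.d: audit an
# rcorder(8) listing for a boot window in which network interfaces are
# configured (netif) before pf loads its ruleset (pf).
#
# Reads the listing on stdin, one script path per line, in boot order.
# Exit status: 0 = pf precedes netif (no window), 1 = window found,
#              2 = one of the two scripts is missing from the listing.
pf_boot_window() {
    awk '
        { n++ }
        /\/netif$/ && !netif { netif = n }
        /\/pf$/    && !pf    { pf = n }
        END {
            if (!netif || !pf) {
                print "missing script: netif=" netif+0 " pf=" pf+0
                exit 2
            }
            if (netif < pf) {
                print "window: netif at position " netif ", pf at " pf
                exit 1
            }
            print "ok: pf at " pf " precedes netif at " netif
            exit 0
        }'
}

# Constructed sample listings (not taken from any real system).
# First one has the window the thread is discussing: netif before pf.
SAMPLE_WINDOW='/etc/rc.d/hostid
/etc/rc.d/netif
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing'

# Second one has an early pf ordered before netif: no window.
SAMPLE_EARLY='/etc/rc.d/hostid
/etc/rc.d/pf
/etc/rc.d/netif
/etc/rc.d/routing'

# Stand-alone demo. On a live system run instead:
#   rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | pf_boot_window
printf '%s\n' "$SAMPLE_WINDOW" | pf_boot_window
printf '%s\n' "$SAMPLE_EARLY"  | pf_boot_window
```

The exit status is meant for scripting: a non-zero result from the live rcorder pipeline is the evidence the thread is asking for, a concrete position in the boot order where interfaces are up and pf has no ruleset yet, and the fix discussed (reordering, or an early pf_boot) is what moves pf ahead of netif in that listing.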
Thread (messages with the same subject)
Full thread (this is message 14 of 16):