Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.c

Board: FB_security | Time: 19 years ago (2006/07/18 03:08) | Votes: 0 (0 push, 0 boo, 0 neutral)
0 comments, 0 participants, post 6/7 in this thread
Hi,

Simon L. Nielsen wrote:
> Since nobody else seems to have actually done this, I took a look at
> FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
> see a hole. Most importantly pf is enabled before routing.

I did this yesterday, but this thread has gotten quite active so maybe you lost the results. But my findings were the same as yours: pf is enabled before routing, which means that the hole I was afraid of doesn't exist.

> Personally I would still like a default to deny knob, but that's
> mainly to handle the case of an invalid ruleset which causes pf to be
> left open. Yes, this is only a problem when the admin screws up, but
> it happens...

Yes, and it might be quite common: someone edits the ruleset but leaves it unfinished because other, higher-priority jobs arrive (from the boss...), and then someone else accidentally reboots your firewall... Default deny (or rc.d/pf_boot) would help here.

Ari S.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
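The two points the thread settles on are (a) that pf is started before routing in the rc.d boot order, and (b) that a ruleset which fails to parse leaves pf with no rules loaded, which is what a default-deny knob or rc.d/pf_boot is meant to cover. The script below is an added example, not code from the thread, from rc.d/pf_boot or from FreeBSD itself. It checks (a) against the output of rcorder(8) and handles (b) by parsing the ruleset with `pfctl -n` before loading it and loading a minimal block-all ruleset instead if the parse fails. It assumes FreeBSD's rcorder(8) and pfctl(8); the sample rcorder output and the fallback file path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeBSD's rc.d).
# Assumes FreeBSD's rcorder(8) and pfctl(8); the fallback ruleset path
# /etc/pf.deny.conf is a hypothetical name chosen for this example.

# (a) Confirm that the pf rc.d script is ordered before the routing script.
#     Reads the output of "rcorder /etc/rc.d/*" (one script per line) from
#     stdin and returns 0 only if /etc/rc.d/pf precedes /etc/rc.d/routing.
pf_before_routing() {
    awk '
        /\/pf$/      { pf = NR }
        /\/routing$/ { routing = NR }
        END { exit !(pf && routing && pf < routing) }
    '
}

# (b) Load the main ruleset only if it parses cleanly; otherwise load a
#     minimal default-deny ruleset so a half-edited pf.conf never leaves the
#     firewall with an empty (pass-everything) rule list after a reboot.
#     pfctl -n parses without loading, -f loads a ruleset, -e enables pf.
load_ruleset_or_fallback() {
    main=$1
    fallback=$2
    if pfctl -nf "$main" >/dev/null 2>&1; then
        pfctl -f "$main" && echo "loaded $main"
    else
        echo "WARNING: $main failed to parse; loading default-deny $fallback" >&2
        pfctl -f "$fallback"
    fi
    pfctl -e 2>/dev/null || true    # exits non-zero if pf is already enabled
}

# Write the minimal default-deny ruleset used as the fallback:
# drop everything except loopback traffic.
write_default_deny() {
    printf 'block all\npass quick on lo0\n' > "$1"
}

# Constructed sample of rcorder output (not captured from a real system),
# in the order the thread reports: pf comes before routing.
SAMPLE_ORDER='/etc/rc.d/sysctl
/etc/rc.d/hostid
/etc/rc.d/netif
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd'

printf '%s\n' "$SAMPLE_ORDER" | pf_before_routing && echo "pf starts before routing"
```

On a real host, replace the sample with `rcorder /etc/rc.d/* | pf_before_routing`, create the fallback once with `write_default_deny /etc/pf.deny.conf`, and call `load_ruleset_or_fallback /etc/pf.conf /etc/pf.deny.conf` from whatever early boot hook you use. The fallback ruleset is deliberately tiny so that it cannot itself fail to parse.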
Article ID (AID): #14k-1800 (FB_security)