Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.c
Simon L. Nielsen <simon@nitro.dk> writes:
> On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:
>
>> The "hole" being discussed is the time, during boot, before pf is fully
>> functional with the production ruleset. For a comparatively long time,
>> the pf module isn't even loaded yet.
>>
>> So, you first need to check the boot sequence for
>>
>> - interfaces being brought up before pf is loaded
>> - addresses assigned to those interfaces
>> - daemons starting and listening on those addresses
>> - route table getting set up
>> - IP forwarding getting enabled
>> - etc.
>
> Since nobody else seems to have actually done this, I took a look at
> FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
> see a hole. Most importantly pf is enabled before routing.
> # rcorder -s nostart /etc/rc.d/*
[...]
> /etc/rc.d/ipfilter
> [...]
> /etc/rc.d/sysctl
[...]
> /etc/rc.d/pf
> /etc/rc.d/routing
> [...]
But net.inet.ip.forwarding=1 can also be set in sysctl.conf(5), as
well as many other options like bridging, ... (I don't know if it is
usual to do so)
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
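As an added example (not code from the thread or from FreeBSD), here is a POSIX sh audit of the two points raised in this thread: which of Daniel's "window" scripts (interfaces, routing, sysctl, a listening daemon) run before /etc/rc.d/pf in an rcorder listing, and which forwarding or bridge knobs /etc/rc.d/sysctl would apply from sysctl.conf(5) before pf is up. The rcorder output and the sysctl.conf text are constructed samples (one mirrors the ordering Simon quoted, the others are invented); the script names in WATCH and the sysctl name patterns are my assumptions, chosen to match the checklist above, not lists taken from the thread. On a real host you would feed in `rcorder -s nostart /etc/rc.d/*` and /etc/sysctl.conf instead.

```shell
#!/bin/sh
# Added example: audit the boot window before pf loads its ruleset.
# Not from the thread; inputs below are constructed so it runs offline.

# rc.d scripts whose early execution matters (assumption: my mapping of
# Daniel's checklist onto script names):
#   netif   - interfaces brought up, addresses assigned
#   routing - route table set up
#   sysctl  - may enable net.inet.ip.forwarding from sysctl.conf
#   sshd    - a daemon listening on those addresses
WATCH="netif routing sysctl sshd"

# Constructed rcorder output following only what Simon quoted
# (ipfilter, sysctl, pf, routing); the elided scripts are not reconstructed.
RCORDER_QUOTED="/etc/rc.d/ipfilter
/etc/rc.d/sysctl
/etc/rc.d/pf
/etc/rc.d/routing"

# Constructed ordering with networking and a daemon ahead of pf (a clear hole).
RCORDER_EARLY_NET="/etc/rc.d/netif
/etc/rc.d/routing
/etc/rc.d/sshd
/etc/rc.d/pf"

# Constructed ordering with pf first, i.e. what you would want to see.
RCORDER_PF_FIRST="/etc/rc.d/pf
/etc/rc.d/sysctl
/etc/rc.d/netif
/etc/rc.d/routing"

# check_pf_order RCORDER_TEXT
# Prints the watched scripts that run before /etc/rc.d/pf.
# Returns 0 only if pf is present and nothing watched precedes it.
check_pf_order() {
    _before=""
    _seen_pf=0
    for _path in $1; do
        _name=${_path##*/}
        if [ "$_name" = pf ]; then
            _seen_pf=1
        elif [ "$_seen_pf" -eq 0 ]; then
            for _w in $WATCH; do
                [ "$_name" = "$_w" ] && _before="$_before $_name"
            done
        fi
    done
    if [ "$_seen_pf" -eq 0 ]; then
        echo "pf: not in rc order"
        return 1
    fi
    if [ -n "$_before" ]; then
        echo "before pf:$_before"
        return 1
    fi
    echo "ok: pf precedes all of: $WATCH"
    return 0
}

# Constructed /etc/sysctl.conf with the setting the reply warns about.
SYSCTL_CONF="# constructed sysctl.conf
kern.securelevel = 1
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=0
"

# early_net_sysctls SYSCTL_CONF_TEXT
# Prints the forwarding/bridge settings /etc/rc.d/sysctl would apply
# (patterns are an assumption); returns 0 if any is found, 1 otherwise.
early_net_sysctls() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]//g' |
        grep -E '^net\.(inet\.ip|inet6\.ip6)\.forwarding=1$|^net\.link\.(ether\.)?bridge\.'
}

echo "== ordering quoted in the thread =="
check_pf_order "$RCORDER_QUOTED" || :
echo "== constructed ordering with networking first =="
check_pf_order "$RCORDER_EARLY_NET" || :
echo "== constructed ordering with pf first =="
check_pf_order "$RCORDER_PF_FIRST" || :
echo "== sysctl.conf settings applied before pf =="
early_net_sysctls "$SYSCTL_CONF" || echo "none"
```

Note that the quoted ordering itself is flagged: /etc/rc.d/sysctl runs before /etc/rc.d/pf, so anything in sysctl.conf(5) such as net.inet.ip.forwarding=1 takes effect before the production ruleset is loaded, which is exactly the caveat in the reply above.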
Thread (articles with the same subject)
Full thread (this message is number 7 of 7):