Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?



Hi,

[I have added freebsd-security to recipient list as I consider
this issue a security risk]

Paul Schenkeveld wrote:
Hello,

On Fri, Jul 14, 2006 at 01:26:38PM +0300, Ari Suutari wrote:
Hi,

Does anyone know if there are any plans to bring
pf boot-time protection (ie. /etc/rc.d/pf_boot and
related config files) from NetBSD to FreeBSD ?

This would close the small (but, as far as I understand, existing)
window during boot where the firewall is fully open (if using only
pf).

I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK
instead of some magic script closing the hole between driver init and
configuration. Always wondered how the OpenBSD -security minded- people
have come up with a packet filter that's open by default.

There has been discussion about this before. I know that perfect
solution would be PF_DEFAULT_BLOCK, but while waiting for that
I wonder why we cannot have pf_boot, which closes the
boot hole (at least when run with proper filter rules).

I would suggest:

- first port pf_boot which brings us to same level of security
as OpenBSD & NetBSD.
- then, work with PF authors to get PF_DEFAULT_BLOCK if it still
seems necessary.

As pf becomes more and more popular on FreeBSD I see the current state
of the system as a security risk (i.e. I won't use pf + FreeBSD on
company firewalls although I would otherwise like to).

Ari S.

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
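As an added illustration of the mechanism the thread is asking for (this is not NetBSD's /etc/rc.d/pf_boot, not FreeBSD code, and not anything Ari or Paul posted), the script below shows what a pf_boot-style rc.d script has to do: be ordered ahead of interface configuration, load a loopback-only default-deny ruleset, and refuse to load a boot ruleset that has been edited into something permissive. The file name /etc/pf.boot.conf, the rcorder keywords, the fallback rules and the function names are assumptions; a real rc.d script would use rc.subr and run_rc_command, which are left out here so the functions can be exercised on any POSIX sh:

```shell
#!/bin/sh
# pf_boot-style early lockdown for FreeBSD rc.d (added illustration; this is
# not NetBSD's /etc/rc.d/pf_boot and not FreeBSD code). The rcorder(8) keywords
# below are what would place it ahead of interface configuration; the script
# body avoids rc.subr so it can also be exercised outside a BSD boot.
#
# PROVIDE: pf_boot
# REQUIRE: root mountcritlocal
# BEFORE:  netif

# Path of the boot-time ruleset (assumed name, mirrors NetBSD's pf.boot.conf).
pf_boot_conf="${pf_boot_conf:-/etc/pf.boot.conf}"

# Built-in fallback used when no pf.boot.conf exists: loopback only, drop
# everything else until the real /etc/pf.conf is loaded later in the boot.
pf_boot_default_ruleset() {
    cat <<'EOF'
set skip on lo0
block drop all
EOF
}

# Emit the ruleset to load: the file if readable, else the fallback.
pf_boot_rules() {
    if [ -r "$pf_boot_conf" ]; then
        cat "$pf_boot_conf"
    else
        pf_boot_default_ruleset
    fi
}

# Policy check on a ruleset read from stdin. Succeeds (exit 0) only if the
# ruleset has at least one block rule and every pass rule mentions lo0, so a
# mis-edited boot ruleset cannot silently reopen the window it is meant to close.
pf_boot_ruleset_is_restrictive() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blanks
        $1 == "block"                       { has_block = 1 }
        $1 == "pass" && $0 !~ /lo0/         { open = 1 }
        END { if (has_block && !open) exit 0; exit 1 }
    '
}

# Load the boot ruleset and enable pf. Refuses permissive rulesets and
# syntax-checks with pfctl -n before touching the live ruleset.
pf_boot_start() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pf_boot: pfctl not found, nothing to do" >&2
        return 1
    fi
    if ! pf_boot_rules | pf_boot_ruleset_is_restrictive; then
        echo "pf_boot: refusing to load a permissive boot ruleset from $pf_boot_conf" >&2
        return 1
    fi
    pf_boot_rules | pfctl -nf - || return 1   # parse only, load nothing
    pf_boot_rules | pfctl -f -  || return 1   # install the boot ruleset
    pfctl -e 2>/dev/null || true              # "already enabled" is fine
}

case "${1:-}" in
    start) pf_boot_start ;;
    *)     ;;                                 # nothing else to do at boot
esac
```

Installed as /etc/rc.d/pf_boot and marked executable, this runs before netif brings interfaces up; the normal pf rc.d script later replaces the boot ruleset with /etc/pf.conf, so the only traffic ever accepted on a non-loopback interface is what the full ruleset allows. It does not help with the interval before rc starts at all, which is the gap a kernel option like the PF_DEFAULT_BLOCK discussed above would cover.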


