Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?



Hi,

[I have added freebsd-security to recipient list as I consider
this issue a security risk]

Paul Schenkeveld wrote:
Hello,

On Fri, Jul 14, 2006 at 01:26:38PM +0300, Ari Suutari wrote:
Hi,

Does anyone know if there are any plans to bring
pf boot-time protection (ie. /etc/rc.d/pf_boot and
related config files) from NetBSD to FreeBSD ?

This would close small (but as far as I understand existing)
window during boot where firewall is fully open (if using only
pf).

I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK
instead of some magic script closing the hole between driver init and
configuration. Always wondered how the OpenBSD -securety minded- people
have come up with a packet filter that's open by default.

There has been discussion about this before. I know that perfect
solution would be PF_DEFAULT_BLOCK, but while waiting for that
I wonder why we cannot have pf_boot, which closes the
boot hole (at least when run with proper filter rules).

I would suggest:

- first port pf_boot which brings us to same level of security
as OpenBSD & NetBSD.
- then, work with PF authors to get PF_DEFAULT_BLOCK if it still
seems necessary.

As pf becomes more and more popular on FreeBSD I see current state
of system as security risk (ie. I won't use pf + FreeBSD on
company firewalls although I would otherwise like to).

Ari S.

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"



Relevant Pages