Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Hi,


Daniel Hartmeier wrote:
> And to get rid of the "hole", you need to get the order right so there
> is nothing being exposed before the pf module is loaded. Once you have
> ensured that nothing gets exposed before rc.d/pf is started, it's
> trivial to make sure that that script only exits after pf has been
> enabled and the production ruleset is in place.

Too much tuning on a security-related issue. The standard startup
sequence should be secure. I really cannot understand what is so
bad about /etc/rc.d/pf_boot that it cannot be added to FreeBSD as
NetBSD & OpenBSD use it, or something similar.

I'm not yelling after default block - others are and use it as
a reason not to use something like pf_boot.

> I think the chronological placement of rc.d/pf is already meant to
> achieve precisely that, have you actually checked the rc.d scripts and
> found some order that needs to be adjusted?

I could of course adjust my rc.d scripts, but I would very much
appreciate it if security-related things were set up correctly in the
standard setup.

I'll try to port pf_boot myself if nobody else volunteers.
(I don't think there is much porting to do, however).

Ari S.
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
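The check Daniel describes, a startup step that only returns success once pf is actually enabled and a ruleset is loaded, written out as an added example. This is not code from the thread, from NetBSD's pf_boot, or from FreeBSD's rc.d; the function names are mine, and it assumes only the pfctl(8) output formats "Status: Enabled" on the first line of `pfctl -s info` and one rule per line from `pfctl -s rules`. A rc.d script can call pf_wait_ready and fail loudly (rather than return) when it times out, so that later services do not come up on top of an empty or disabled filter.

```shell
#!/bin/sh
# Added example (assumed helper names, not from any BSD's rc.d):
# gate a "pf_boot"-style step on pf really being enabled with rules loaded.

# pf_is_enabled: succeed when `pfctl -s info` reports pf enabled.
pf_is_enabled() {
    pfctl -s info 2>/dev/null | grep -q '^Status: Enabled'
}

# pf_rule_count: print the number of rules in the active ruleset
# (0 when pfctl is unavailable or the ruleset is empty).
pf_rule_count() {
    pfctl -s rules 2>/dev/null | grep -c .
}

# pf_ready [MIN_RULES]: succeed only when pf is enabled AND at least
# MIN_RULES rules are loaded (default 1), so an empty ruleset is not "ready".
pf_ready() {
    min=${1:-1}
    pf_is_enabled || return 1
    [ "$(pf_rule_count)" -ge "$min" ]
}

# pf_wait_ready [TIMEOUT_SECONDS] [MIN_RULES]: poll once per second until
# pf_ready succeeds; fail after TIMEOUT_SECONDS (default 10).
pf_wait_ready() {
    timeout=${1:-10}
    min=${2:-1}
    i=0
    while [ "$i" -lt "$timeout" ]; do
        pf_ready "$min" && return 0
        i=$((i + 1))
        sleep 1
    done
    echo "pf not enabled with >= $min rules after ${timeout}s" >&2
    return 1
}
```

In an rc script the caller would run `pf_wait_ready 10 2 || exit 1` right after loading the boot ruleset; the minimum rule count is a cheap guard against a ruleset file that parsed to nothing.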