Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

--- Ari Suutari <ari@xxxxxxxxxxxxxx> wrote:
On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
pf is run after netif so if one is using only pf as firewall,
there is a window between run of "netif" and "pf" where network
interfaces are up but there is no firewall loaded. Adding
pf_boot, which runs before "netif" would fix this, woudn't it ?

Hi!

I would feel better, when the box is either completely unreachable (due to
disabled hardware (e. g. down'ed interface)) or at least protected by a packet
filter _all_ the time...

That is one reason why I use ipfw _and_ pf at the same time on all my boxes...

As you can see in appendix A ipfw2 is initialized even before the hard disks
but after the network interfaces, which are detected some lines early.

Are the NICs still down and _safe_ after that detection phase?
Isn't it possible to just activate pf just like ipfw in order to deny all
incoming and outgoing traffic (to me it looks like a design flaw, when the boot
up scripts rely on a misconfigured/disabled packet filter...)?

Bye
Arne

appendix A:
[...]
Jul 16 06:58:53 neo kernel: vr0: Ethernet address: 00:0a:e6:XX:XX:XX
[...]
Jul 16 06:58:53 neo kernel: ipfw2 (+ipv6) initialized, divert loadable,
rule-bas
ed forwarding disabled, default to deny, logging disabled
Jul 16 06:58:53 neo kernel: ad0: 194481MB <Maxtor 6L200P0 BAH41E00> at
ata0-mast
er UDMA133

[...]

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"