Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?



On 2006-07-16 23:44, Daniel Hartmeier <daniel@xxxxxxxxxxxxx> wrote:
On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
Hence, a "default block" switch or compile-time option _within_ pf is
not going to make any difference.

Sure it will, if pf is compiled into the kernel or loaded by the BTX
loader.

Ok, in that case I guess you want to enable pf by default, too.

I haven't tried it in this mode, but the default block can be achieved
by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()

- pf_default_rule.action = PF_PASS;
+ pf_default_rule.action = PF_DROP;

bzero(&pf_status, sizeof(pf_status));
+ pf_status.running = 1;
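Review bot: setting `pf_status.running = 1` immediately after `bzero(&pf_status, sizeof(pf_status))` is the right order (the bzero would otherwise clear it), but together with `pf_default_rule.action = PF_DROP` it means pf drops every packet, loopback included, from the moment pf_attach() runs until a ruleset is loaded, and the fragment says nothing about that window; the two lines want a comment stating that fail-closed-until-rules-load is intended and that loading the ruleset is what opens the box back up. The fragment also carries no `@@` context or file header, so a reviewer cannot see where in pf_attach() the `bzero` call sits relative to the `pf_default_rule` initialisation; post it as a full diff before anyone commits it.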

If this is the only change needed, then do you think it would be nice to
have it as a compile-time option, like IPFW does? Something like this
perhaps?

options PF_DEFAULT_TO_ACCEPT #allow everything by default

I haven't verified that this is the _only_ change needed to make PF
block everything by default, but having it as a compile-time option
which defaults to block everything would be nice, right?

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
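A small model of the decision this thread is about, added here as an example; it is not code from the thread, from pf or from FreeBSD. The names `pf_default_rule`, `pf_status.running`, `PF_PASS` and `PF_DROP` are the ones in the quoted hunk and `PF_DEFAULT_TO_ACCEPT` is the option proposed above; the packet and rule structs, the `pf_test()` and `pf_load_rules()` functions and the two-rule ruleset are constructed for illustration and do not reproduce pf's real data model or rule evaluation. It shows why both lines of the hunk are needed (with `running` left at 0 the default rule is never consulted), that a fail-closed default drops loopback traffic too until a rule allows it, and how the proposed compile-time switch would select the historic fail-open behaviour.

```c
/* Added example, not pf's code: a toy filter with pf's default-rule and
 * running-flag semantics. Build fail-closed (the proposed default):
 *     cc -o pfmodel pfmodel.c
 * Build fail-open, like ipfw's IPFIREWALL_DEFAULT_TO_ACCEPT:
 *     cc -DPF_DEFAULT_TO_ACCEPT -o pfmodel pfmodel.c */
#include <stdio.h>
#include <string.h>

enum { PF_PASS = 0, PF_DROP = 1 };

/* Constructed packet summary: just enough to match a toy rule. */
struct pkt { const char *ifname; int proto; int dport; };   /* proto 6 = TCP, 17 = UDP */

struct rule {
    const char *ifname;   /* NULL matches any interface */
    int proto;            /* 0 matches any protocol */
    int dport;            /* 0 matches any destination port */
    int action;           /* PF_PASS or PF_DROP */
};

/* Models of the two objects the quoted hunk touches. */
static struct rule pf_default_rule;
static struct { int running; } pf_status;

/* The loaded ruleset: empty until pf_load_rules() is called. */
static struct rule ruleset[8];
static int nrules;

/* Model of pf_attach() with the hunk's two lines, under the proposed option. */
static void pf_attach(void)
{
    memset(&pf_default_rule, 0, sizeof(pf_default_rule));
#ifdef PF_DEFAULT_TO_ACCEPT
    pf_default_rule.action = PF_PASS;   /* fail-open: the historic behaviour */
#else
    pf_default_rule.action = PF_DROP;   /* fail-closed: the proposed default */
#endif
    memset(&pf_status, 0, sizeof(pf_status));
    pf_status.running = 1;  /* after the memset; without it the default rule is never reached */
    nrules = 0;
}

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    if (r->ifname != NULL && strcmp(r->ifname, p->ifname) != 0) return 0;
    if (r->proto != 0 && r->proto != p->proto) return 0;
    if (r->dport != 0 && r->dport != p->dport) return 0;
    return 1;
}

/* Model of the filter decision: first matching rule wins, else the default rule. */
static int pf_test(const struct pkt *p)
{
    if (!pf_status.running)
        return PF_PASS;  /* a stopped filter passes everything, whatever the default rule says */
    for (int i = 0; i < nrules; i++)
        if (rule_matches(&ruleset[i], p))
            return ruleset[i].action;
    return pf_default_rule.action;
}

/* Constructed ruleset standing in for what pfctl -f /etc/pf.conf would load. */
static void pf_load_rules(void)
{
    static const struct rule boot_rules[] = {
        { "lo0", 0, 0,  PF_PASS },   /* the equivalent of "set skip on lo0" */
        { "em0", 6, 22, PF_PASS },   /* allow SSH in on the external interface */
    };
    nrules = (int)(sizeof(boot_rules) / sizeof(boot_rules[0]));
    memcpy(ruleset, boot_rules, sizeof(boot_rules));
}

/* Verdict in the window between pf_attach() and rule loading. */
static int verdict_before_rules(const char *ifname, int proto, int dport)
{
    struct pkt p = { ifname, proto, dport };
    pf_attach();
    return pf_test(&p);
}

/* Verdict once the constructed ruleset is in place. */
static int verdict_after_rules(const char *ifname, int proto, int dport)
{
    struct pkt p = { ifname, proto, dport };
    pf_attach();
    pf_load_rules();
    return pf_test(&p);
}

/* Verdict if only the default rule had been flipped and running left at 0. */
static int verdict_not_running(const char *ifname, int proto, int dport)
{
    struct pkt p = { ifname, proto, dport };
    pf_attach();
    pf_status.running = 0;
    return pf_test(&p);
}

int main(void)
{
    const struct pkt pkts[] = { { "em0", 6, 22 }, { "em0", 17, 53 }, { "lo0", 6, 25 } };
    for (int i = 0; i < 3; i++)
        printf("%s proto %d port %d: before rules %s, after rules %s, not running %s\n",
               pkts[i].ifname, pkts[i].proto, pkts[i].dport,
               verdict_before_rules(pkts[i].ifname, pkts[i].proto, pkts[i].dport) == PF_DROP ? "drop" : "pass",
               verdict_after_rules(pkts[i].ifname, pkts[i].proto, pkts[i].dport) == PF_DROP ? "drop" : "pass",
               verdict_not_running(pkts[i].ifname, pkts[i].proto, pkts[i].dport) == PF_DROP ? "drop" : "pass");
    return 0;
}
```

Built without `-DPF_DEFAULT_TO_ACCEPT`, every packet, the loopback one included, is dropped until `pf_load_rules()` runs, which is the fail-closed window the patch creates; the `verdict_not_running` case is the behaviour you get if only the `PF_PASS` to `PF_DROP` line is applied and the `pf_status.running = 1` line is forgotten.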
