Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?



Daniel Hartmeier <daniel@xxxxxxxxxxxxx> writes:

On Mon, Jul 17, 2006 at 01:36:01AM +0300, Giorgos Keramidas wrote:

I haven't verified that this is the _only_ change needed to make PF
block everything by default, but having it as a compile-time option
which defaults to block everything would be nice, right?

Sure, when FreeBSD's default becomes to compile pf into the kernel or load
it by BTX, that makes sense. Otherwise it doesn't.

What do you mean with default?

None of the the firewalls available with FreeBSD (ipfw, ipf, pf) is
part of the GENERIC Kernel. But many users will compile the firewall
of their choise into their CUSTOM kernels.

For ipfw and ipf this can be done either with "default to accept" or
"default to deny" ploicy by adding the option

options IPVFIREWALL_DEFAULT_TO_DENY
or
options IPFILTER_DEFAULT_BLOCK

to the custom kernel configruation file.

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"