Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
I'm pretty much in agreement on the necessity to examine startup order, &c.

However,

On 7/16/06, Daniel Hartmeier <daniel@xxxxxxxxxxxxx> wrote:
> That would then block all packets on all interfaces, until a ruleset is
> loaded. If anything started through the startup scripts needs unblocked
> packets (including the production ruleset loading requiring name
> resolution over network), you'd need to first load a simpler temporary
> ruleset to pass that, and finally replace it with the production
> ruleset.

Yes. And it can have other effects, too; for example, squid won't
start up unless DNS is working. And your main firewall ruleset might
have (gasp) DNS names in it... not that relying on DNS for firewall
rules is particularly wise, but it is certainly much more manageable,
and DNS _can_ be secure for local servers with the right amount of
work. And IPv6 will basically make it effectively mandatory.

And, of course, if the boot sequence for any reason doesn't reach that
point, you can only fix stuff with local access... :)

Another person said:
> That is pretty much guaranteed. Murphy will always find a way to f*ck up a
> reboot and simultaneously cause the 2611 on the console port to halt and
> catch fire.

Tradeoff between security and convenience.

Murphy's law cuts both ways; if you're under an aggressive scan and
happen to have a power blip... or if the attacker can get your
firewall to spontaneously reboot... you have problems. The basic
question is; do you want security or availability? Seems to me this
should be a personal choice, and I think both sides have a point.
Making it a compile-time option or sysctl would solve it, wouldn't it?

I'm not sure the average user _really_ is worried enough about that
half a second period on boot. But I DO know there will be people locking
themselves out from far-away remote hosts (on updates, for instance) if
this becomes the default.

Generally, Unix has provided enough rope for people to hang themselves
(or their servers).

And then he said:
> If punters want a default block, IMHO it doesn't get much easier than using
> the mac_ifoff(4) kernel option discussed earlier on in the week, they can
> tweak the pf startup to twiddle the relevant sysctl appropriately at the
> right moment in time.

It's not particularly maintainable to be tweaking startup scripts; the
tweaks have a way of disappearing during upgrades, and I'm not about
to put all of etc under revision control to track one or two changes.
--
``I am not a pessimist. To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
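As an added illustration of the staged loading Daniel describes above (block everything, pass only what the boot sequence needs, then swap in the production ruleset), here is a hypothetical sh script. It is example code written for this note, not the FreeBSD rc script, the NetBSD pf_boot port, or anything from the thread. It assumes pfctl is on the path, that the production ruleset lives at /etc/pf.conf (overridable via PROD_RULES), and that the boot ruleset only needs loopback and outbound DNS; the temporary ruleset it emits is constructed for the example.

```shell
#!/bin/sh
# Hypothetical staged pf loader (example only, not a FreeBSD or NetBSD rc script).
# Stage 1: install a minimal "boot" ruleset that blocks everything except what
#          the startup sequence needs (here: loopback and outbound DNS).
# Stage 2: syntax-check the production ruleset, then load it.  If it fails
#          (for example because a DNS name in it cannot be resolved yet), the
#          boot ruleset stays in place rather than leaving the box wide open.

PFCTL="${PFCTL:-pfctl}"                     # assumed: pfctl in PATH
PROD_RULES="${PROD_RULES:-/etc/pf.conf}"    # assumed production ruleset path

# Emit the constructed minimal boot ruleset on stdout.
boot_ruleset() {
    cat <<'EOF'
set block-policy drop
set skip on lo0
block all
pass out quick proto { tcp udp } from any to any port 53 keep state
EOF
}

# Stage 1: load the boot ruleset from stdin ("-" tells pfctl to read stdin).
load_boot_ruleset() {
    boot_ruleset | "$PFCTL" -f -
}

# Stage 2: dry-run parse first (pfctl -n), only then load for real.
load_production_ruleset() {
    "$PFCTL" -n -f "$PROD_RULES" || return 1
    "$PFCTL" -f "$PROD_RULES"
}

# Orchestrate both stages; returns 0 on full success, 1 if even the boot
# ruleset could not be installed, 2 if production loading failed and the
# boot ruleset remains active.
pf_boot() {
    load_boot_ruleset || return 1
    if load_production_ruleset; then
        echo "production ruleset loaded"
        return 0
    fi
    echo "production ruleset failed; boot ruleset remains in place" >&2
    return 2
}

# Only run automatically when explicitly requested, so the functions can be
# sourced or tested without touching a live pf.
if [ "${PF_BOOT_RUN:-0}" = 1 ]; then
    pf_boot
fi
```

Run it as `PF_BOOT_RUN=1 sh pf_boot.sh` from an rc script. The design point is the return code of stage 2: an rc framework can alert on it, and anything that needs more than DNS during boot has to be added to the boot ruleset deliberately rather than by opening the firewall.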