Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?

I'm pretty much in agreement on the necessity to examine startup order, &c.


On 7/16/06, Daniel Hartmeier <daniel@xxxxxxxxxxxxx> wrote:
That would then block all packets on all interfaces, until a ruleset is
loaded. If anything started through the startup scripts needs unblocked
packets (including the production ruleset loading requiring name
resolution over network), you'd need to first load a simpler temporary
ruleset to pass that, and finally replace it with the production

Yes. And it can have other effects, too; for example, squid won't
start up unless DNS is working. And your main firewall ruleset might
have (gasp) DNS names in it... not that relying on DNS for firewall
rules is particularly wise, but it is certainly much more manageable,
and DNS _can_ be secure for local servers with the right amount of
work. And IPv6 will basically make it effectively mandatory.

And, of course, if the boot sequence for any reason doesn't reach that
point, you can only fix stuff with local access... :)

Another person said:
That is pretty much guaranteed. Murphy will always find a way to f*ck up a
reboot and simultaneously cause the 2611 on the console port to halt and
catch fire.

Tradeoff between security and convenience.

Murphy's law cuts both ways; if you're under an aggressive scan and
happen to have a power blip... or if the attacker can get your
firewall to spontaneously reboot... you have problems. The basic
question is: do you want security or availability? Seems to me this
should be a personal choice, and I think both sides have a point.
Making it a compile-time option or sysctl would solve it, wouldn't it?

I'm not sure the average user _really_ is worried enough about that
half a second period on boot. But I DO know there will be people locking
themselves out from far-away remote hosts (on updates, for instance) if
this becomes the default.

Generally, Unix has provided enough rope for people to hang themselves
(or their servers).

And then he said:
If punters want a default block, IMHO it doesn't get much easier than using
the mac_ifoff(4) kernel option discussed earlier on in the week, they can
tweak the pf startup to twiddle the relevant sysctl appropriately at the
right moment in time.

It's not particularly maintainable to be tweaking startup scripts; the
tweaks have a way of disappearing during upgrades, and I'm not about
to put all of etc under revision control to track one or two changes.
``I am not a pessimist. To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
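The two-stage approach Daniel describes above (block everything at boot, pass only what name resolution needs, then swap in the production ruleset) as an added example; this is not code from the thread or from any BSD rc script. It assumes a resolv.conf-format file for the resolver addresses, the outside interface name as the first argument, and placeholder ruleset paths.

```shell
#!/bin/sh
# Added example: generate and load a minimal "bootstrap" pf ruleset so that a
# production ruleset containing DNS names can still be parsed at boot.

# Print a temporary ruleset: loopback is skipped, everything else is blocked,
# and only DNS to the listed resolvers is allowed out on the given interface.
gen_boot_ruleset() {
    ext_if=$1
    shift
    echo "# temporary boot ruleset: block all, allow only DNS to resolvers"
    echo "set skip on lo0"
    echo "block all"
    for resolver in "$@"; do
        echo "pass out quick on $ext_if proto { tcp, udp } from any to $resolver port 53 keep state"
    done
}

# Extract nameserver addresses from a resolv.conf-format file (path is $1).
resolvers_from() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Load the boot ruleset, then syntax-check the production ruleset with
# pfctl -n (which also resolves any hostnames in it) before loading it.
# If the check fails, the restrictive boot ruleset stays in place rather than
# leaving the box with no rules at all.
load_rulesets() {
    boot=$1
    prod=$2
    pfctl -f "$boot" || return 1
    if pfctl -nf "$prod"; then
        pfctl -f "$prod"
    else
        echo "production ruleset failed parse/resolution; keeping boot ruleset" >&2
        return 2
    fi
}
```

Run `gen_boot_ruleset em0 $(resolvers_from /etc/resolv.conf) > /etc/pf.boot.conf` (placeholder path) early in the boot order, then `load_rulesets /etc/pf.boot.conf /etc/pf.conf` once the network is up.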