Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?



On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:

> The "hole" being discussed is the time, during boot, before pf is fully
> functional with the production ruleset. For a comparatively long time,
> the pf module isn't even loaded yet. The time after module load and
> enabling pf with the production ruleset is much smaller.
>
> So, you first need to check the boot sequence for
>
> - interfaces being brought up before pf is loaded
> - addresses assigned to those interfaces
> - daemons starting and listening on those addresses
> - route table getting set up
> - IP forwarding getting enabled
> - etc.

Since nobody else seems to have actually done this, I took a look at
FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
see a hole. Most importantly pf is enabled before routing.

Personally I would still like a default to deny knob, but that's
mainly to handle the case of an invalid ruleset which causes pf to be
left open. Yes, this is only a problem when the admin screws up, but
it happens...

(I have been looking at an rc.conf knob which would only enable
routing/forwarding if pf was properly enabled with a configured
ruleset, but I haven't gotten around to finishing that.)

# rcorder -s nostart /etc/rc.d/*
/etc/rc.d/dumpon
/etc/rc.d/initrandom
/etc/rc.d/geli
/etc/rc.d/gbde
/etc/rc.d/encswap
/etc/rc.d/ccd
/etc/rc.d/swap1
/etc/rc.d/mdconfig
/etc/rc.d/ramdisk
/etc/rc.d/early.sh
/etc/rc.d/fsck
/etc/rc.d/root
/etc/rc.d/mountcritlocal
/etc/rc.d/var
/etc/rc.d/cleanvar
/etc/rc.d/random
/etc/rc.d/adjkerntz
/etc/rc.d/atm1
/etc/rc.d/hostname
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/kldxref
/etc/rc.d/sppp
/etc/rc.d/addswap
/etc/rc.d/sysctl
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/ipsec
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing
[...]

--
Simon L. Nielsen
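An added example, not from the post above and not part of FreeBSD's rc.d: a small POSIX sh audit of rcorder(8) output for the items in the quoted checklist (is pf enabled before routing, and which scripts bring interfaces up before pf). On a FreeBSD host you would feed it the real output of `rcorder -s nostart /etc/rc.d/*`; here SAMPLE_ORDER is a constructed subset of the listing in the post so the script runs anywhere with sh and awk. The function names (position, before, audit) are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD's rc.d scripts.
# Audit an rcorder(8) ordering for the boot-time "hole" checks: pf must be
# enabled before routing/forwarding, and anything that configures
# interfaces before pf is reported so the window is visible.

# Constructed sample: a subset of the rcorder listing quoted in the post.
SAMPLE_ORDER='/etc/rc.d/hostname
/etc/rc.d/ipfilter
/etc/rc.d/sysctl
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/ipfw
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing'

# position NAME: read an ordering from stdin and print the 1-based line on
# which /etc/rc.d/NAME appears; prints nothing if NAME is absent.
position() {
    awk -v want="/etc/rc.d/$1" '$0 == want { print NR; exit }'
}

# before A B: read an ordering from stdin; succeed only if both scripts are
# present and A is ordered before B.
before() {
    _order=$(cat)
    _a=$(printf '%s\n' "$_order" | position "$1")
    _b=$(printf '%s\n' "$_order" | position "$2")
    [ -n "$_a" ] && [ -n "$_b" ] && [ "$_a" -lt "$_b" ]
}

# audit: read an ordering from stdin, print one line per finding, and
# return 0 when pf precedes routing, 1 otherwise.
audit() {
    _order=$(cat)
    _rc=0
    if printf '%s\n' "$_order" | before pf routing; then
        echo "ok:   pf is enabled before routing"
    else
        echo "FAIL: routing is set up before pf (or one of them is missing)"
        _rc=1
    fi
    if printf '%s\n' "$_order" | before netif pf; then
        echo "note: netif runs before pf, so interfaces are up and addressed"
        echo "      before the production ruleset is loaded"
    fi
    # Report where the other packet filters sit, for comparison.
    for _f in ipfilter ipfw; do
        _p=$(printf '%s\n' "$_order" | position "$_f")
        [ -n "$_p" ] && echo "info: $_f is ordered at position $_p"
    done
    return $_rc
}

# Stand-alone run against the constructed sample; on FreeBSD replace the
# printf with: rcorder -s nostart /etc/rc.d/* | audit
printf '%s\n' "$SAMPLE_ORDER" | audit
```

On the sample the audit passes (pf before routing) but also notes that netif precedes pf, which is the part of the window the quoted checklist is about: interfaces and addresses exist before the ruleset is loaded, so the remaining question is which daemons, if any, start in between.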
