Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?



Simon L. Nielsen <simon@xxxxxxxx> writes:
On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:

> The "hole" being discussed is the time, during boot, before pf is fully
> functional with the production ruleset. For a comparatively long time,
> the pf module isn't even loaded yet.
>
> So, you first need to check the boot sequence for
>
> - interfaces being brought up before pf is loaded
> - addresses assigned to those interfaces
> - daemons starting and listening on those addresses
> - route table getting set up
> - IP forwarding getting enabled
> - etc.

Since nobody else seems to have actually done this, I took a look at
FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
see a hole. Most importantly pf is enabled before routing.


# rcorder -s nostart /etc/rc.d/*
[...]
/etc/rc.d/ipfilter
[...]
/etc/rc.d/sysctl
[...]
/etc/rc.d/pf
/etc/rc.d/routing
[...]

But net.inet.ip.forwarding=1 can also be set in sysctl.conf(5), as
well as many other options like bridging, ... (I don't know if it is
usual to do so)

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
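The boot-order check Simon performed by eye above can be scripted. The following is an added example, not code from the thread or from FreeBSD: it takes an ordered script listing in the shape of `rcorder -s nostart /etc/rc.d/*` output, confirms that /etc/rc.d/pf is ordered before /etc/rc.d/routing, and flags the case Simon raises at the end, a sysctl.conf that sets net.inet.ip.forwarding=1 while /etc/rc.d/sysctl runs before pf. Both the rcorder listing and the sysctl.conf contents are constructed samples for illustration; on a real host you would feed it the live output.

```shell
#!/bin/sh
# Added example (not from the thread): audit a boot-order listing for the
# "pf before routing" property and for IP forwarding being enabled by
# /etc/rc.d/sysctl before pf has loaded its production ruleset.

# Constructed sample in the shape of `rcorder -s nostart /etc/rc.d/*`
# output; replace with the live listing on a real host.
SAMPLE_ORDER="/etc/rc.d/ipfilter
/etc/rc.d/sysctl
/etc/rc.d/pf
/etc/rc.d/routing"

# Constructed sample sysctl.conf; an assumption for illustration only.
SAMPLE_SYSCTL="# constructed sysctl.conf
kern.maxfiles=65536
net.inet.ip.forwarding=1"

# rank NAME ORDER: print the 1-based position of /etc/rc.d/NAME in ORDER,
# or 0 if it is absent.
rank() {
    printf '%s\n' "$2" | awk -v want="/etc/rc.d/$1" '
        $0 == want { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# runs_before A B ORDER: succeed if script A is ordered before script B
# (both must be present in the listing).
runs_before() {
    a=$(rank "$1" "$3")
    b=$(rank "$2" "$3")
    [ "$a" -gt 0 ] && [ "$b" -gt 0 ] && [ "$a" -lt "$b" ]
}

# early_forwarding SYSCTL_CONF ORDER: succeed if sysctl.conf turns on IP
# forwarding and /etc/rc.d/sysctl runs before pf, i.e. the kernel could
# forward packets before the production ruleset is in place.
early_forwarding() {
    printf '%s\n' "$1" \
        | grep -Eq '^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=[[:space:]]*1' \
        && runs_before sysctl pf "$2"
}

# audit ORDER SYSCTL_CONF: print a human-readable verdict for both checks.
audit() {
    if runs_before pf routing "$1"; then
        echo "ok: pf is enabled before routing"
    else
        echo "WARN: routing is set up before pf"
    fi
    if early_forwarding "$2" "$1"; then
        echo "WARN: sysctl.conf enables IP forwarding and sysctl runs before pf"
    else
        echo "ok: no early IP forwarding from sysctl.conf"
    fi
}

audit "$SAMPLE_ORDER" "$SAMPLE_SYSCTL"
```

With the constructed inputs the first check passes (pf precedes routing, as in Simon's listing) and the second warns, which is exactly the gap his last paragraph points at: the ordering is fine, but sysctl.conf can still turn forwarding on before pf loads.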
