Is a 'PF default to block' setting outside pf.conf a desirable feature?

Over in the comp.unix.bsd.freebsd.misc news group, there's a
discussion about what happens when PF loads, specifically a perceived
'window of opportunity' for an attacker in the interval between PF
getting enabled and the rule set loading, and what happens if the rule
set you load at boot time is an empty or invalid rule set.

On FreeBSD, it is possible to compile your kernel with options to make
'block all' the default in absence of a rule set. This apparently works
for all the other firewall systems supported by FreeBSD, but not PF.
You should not be surprised to learn that there are people who feel that
this feature, described as 'booting to a safe state regardless of
failure or success of ruleset load', is a necessary feature of 'any
firewall worthy of the name'. I'm trying to make up my mind whether
some way to set PF to 'block all' default outside of the rule set itself
is a desirable feature. For a bit of context, the thread in question
starts at <[email protected]>

Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
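One way to get the 'safe state on ruleset failure' behaviour from user space rather than the kernel, as an added example that is not part of the original post or of PF itself: validate the intended ruleset with `pfctl -nf` before loading it, and load a one-line `block all` ruleset instead when the file is missing, empty or fails to parse. The file paths and the `PFCTL` override variable are assumptions for this example.

```sh
#!/bin/sh
# Added example: load a PF ruleset at boot, falling back to a block-all
# ruleset if the intended file is missing, empty or fails pfctl's syntax
# check (pfctl -nf). PFCTL is overridable so the decision logic can be
# exercised on a host without PF; the file paths are assumptions.
PFCTL="${PFCTL:-pfctl}"
FALLBACK_RULES='block all'

# write_fallback FILE: create a minimal deny-everything ruleset at FILE.
write_fallback() {
    printf '%s\n' "$FALLBACK_RULES" > "$1"
}

# ruleset_ok FILE: 0 if FILE exists, is non-empty and parses under pfctl -nf.
ruleset_ok() {
    [ -s "$1" ] || return 1
    # -n parses the ruleset without loading it; -f names the ruleset file.
    "$PFCTL" -nf "$1" >/dev/null 2>&1
}

# load_ruleset FILE FALLBACK: load FILE if it validates, otherwise write a
# block-all ruleset to FALLBACK and load that. Returns 0 when the intended
# ruleset was loaded, 2 when the fallback was loaded, 1 if even that failed.
load_ruleset() {
    rules="$1"
    fallback="$2"
    if ruleset_ok "$rules"; then
        "$PFCTL" -f "$rules" && return 0
    fi
    write_fallback "$fallback"
    "$PFCTL" -f "$fallback" && return 2
    return 1
}
```

This covers only the empty or invalid ruleset case from the post; the interval between PF being enabled and the first ruleset load is a kernel-side question that a user-space script cannot close.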