
Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

On Wed, 9 Nov 2005, Peter N. M. Hansteen wrote:

Jon Hart <[email protected]> writes:

Unless I'm being completely misled, this feature is already in place
with OpenBSD.  See /etc/rc.

Now that you mention it, it does look like the good people who ported PF over to FreeBSD did not bring with them all of the PF-related bits from OpenBSD's /etc/rc. The minimal default rule set AFAICS is the smart solution to the problem.

And the important thing to note is that this ruleset is applied before any interfaces are activated. No active interfaces == no packets making it to the kernel.
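As an added illustration of the ordering discussed above (this is example code written for this page, not text from the thread and not a verbatim copy of OpenBSD's /etc/rc), the snippet below shows a boot-time PF hook in the same spirit: load a tiny default-deny ruleset and enable PF before any interface is configured, then swap in the administrator's full /etc/pf.conf once the network is up. The function names, the PFCTL override and the particular pass rules (loopback, DNS, DHCP, ICMP) are this example's own choices, not OpenBSD's exact rules.

```sh
#!/bin/sh
# Added example modeled on (not copied from) the early-boot PF hook in
# OpenBSD's /etc/rc. Function names and the specific rules are assumptions.

# Minimal ruleset used while interfaces are still down: default deny,
# loopback open, and only what a freshly booting host needs to reach
# its resolver and DHCP server. Written to stdout so it can be piped
# straight into "pfctl -f -" without reading /etc/pf.conf at all.
pf_bootstrap_rules() {
    cat <<'EOF'
block all
pass on lo0
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto udp from any port bootpc to any port bootps
pass in inet proto udp from any port bootps to any port bootpc
pass proto icmp all
EOF
}

# Early-boot ordering: load rules first, then enable PF, and only after
# that does rc go on to configure interfaces. PFCTL may be overridden
# (for example with a shell function) for a dry run on a host without PF.
pf_early_start() {
    pfctl=${PFCTL:-pfctl}
    pf_bootstrap_rules | "$pfctl" -f - || return 1
    "$pfctl" -e
}

# Once the network is up, replace the bootstrap rules with the real
# policy. If pf.conf fails to parse, pfctl leaves the previous ruleset
# in place, so the host stays default-deny rather than wide open.
pf_load_full_policy() {
    pfctl=${PFCTL:-pfctl}
    "$pfctl" -f "${1:-/etc/pf.conf}"
}
```

On a live OpenBSD machine, running `pfctl -sr` right after the early hook and before `netstart` should list only the bootstrap rules, which is the check that confirms the "no interfaces up, no packets in" window really is covered.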