[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf security - is pf failsafe if config file invalid?

Lots of things in the startup scripts will fail to work or hang
indefinitely if you block outbound stuff.  I find it necessary to
allow at least outbound DNS in order for the machine to boot in
reasonable time.  Fortunately pf is pretty good about allowing
outbound but not allowing inbound connections, even for UDP.
I'm a bit unclear on how pf deals with state though.
1) On UDP keep state rules, do they allow replies from other IPs?  The
DNS spec says that servers can respond from a different IP than the
one they received the query on.
2) For UDP and TCP, does it allow ICMP replies that reference this
connection in the payload?  I seem to recall reading something that
indicated so, but exactly how does it decide?
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B