Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

On Tue, Nov 15, 2005 at 05:11:25PM +1100, Damien Miller wrote:
> Why is setting a "block all" before any interfaces are configured up not 
> sufficient?

I guess he recompiles all his kernels with 'options IPFILTER_DEFAULT_BLOCK'
on principle. The principle being that it sounds more secure.
It wasn't enabled by default on OpenBSD. And I've never seen anyone
enable it. Well, maybe except for some hearsay from people who shot
themselves in the foot with it.
Believe it or not, we have now survived more than four years without that
feature, and no one ever complained (much less called it a 'fatal flaw'),
so you'll have to excuse me for, well, *yawn*.