[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf security - is pf failsafe if config file invalid?

On Tue, 15 Nov 2005 15:32:11 -0000
"mike scott" <[email protected]> wrote:
> And if, for any reason whatsoever, pfctl fails to run? The system 
> remains wide open.
Becasue that happens a lot....
Oh come on now, this is a fringe case if there ever was one.
What if your default block kernel has a bug that causes it to pass all
under some obscure circumstance?
> It can't be rocket science to make the 'pass' a 'block' in which case 
> everything is entirely watertight in the event of virtually /any/ 
> system fault bar kernel corruption. And it can't be too much harder to 
> make this a compiled-in option, which would keep happy the paranoid, 
> while allowing those who want remote log-in on failure to do so.
If you exit /etc/rc the way Daniel said there wont be any sshd running and thus
no possability for remote log-in. You'll be left with a box that does nothing
but answer ping's.
Lars Hansson