Date: Fri, 14 Sep 2012 07:40:05 +0200
From: Olivier Cochard-Labbé <olivier@cochard.me>
To: Andreas Rudisch <cyb.@gmx.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
Message-ID: <CA+q+Tcq-T+ST9DJ7Vp-vA0_1zNWDDct6d+0eZE47w1p4xbYTxA@mail.gmail.com>
In-Reply-To: <20120914001925.aa5e93bb998052eb16ac773b@gmx.net>
References: <CA+q+TcqL1e=SLa7fUXpCa5Lpospj0F=+cfLnAjWDwHFVFxjAMw@mail.gmail.com> <20120914001925.aa5e93bb998052eb16ac773b@gmx.net>
On Fri, Sep 14, 2012 at 12:19 AM, Andreas Rudisch <cyb.@gmx.net> wrote:
> I really do not think that such a patch is needed. A simple 'block all'
> in pf.conf will do the same, so why add code and recompile the kernel?
>

Hi Andreas,

Some pf users have a strong security policy, and:

1. If there is an error in the pf.conf (bad syntax, empty file, or something else), the security policy imposes blocking all traffic by default.

2. Or, during the startup process, there is a time lapse between the moment when forwarding is enabled and the moment a very big pf.conf finishes loading, during which all traffic is permitted: they don't want this behaviour. But I didn't test my patch regarding this special case.

> Also if you are setting up a remote server you probably do not want to
> _not_ be able to access it.
>

This kind of user prefers to lock their firewall (they have serial console access as backup) rather than let all traffic pass through and create a security incident.

And we already have these options in the kernel configuration:

options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFILTER_DEFAULT_BLOCK #block all packets by default

Why not, for homogeneity, add the same option for PF?

Regards,
Olivier
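The two failure modes Olivier describes (a ruleset that fails to parse, and the window between enabling forwarding and finishing the load of a large pf.conf) can also be closed from userland, without a kernel option. The following rc-style loader is an added example written for this thread; it is not Olivier's patch and not part of FreeBSD. It installs a minimal block-all ruleset before enabling forwarding, syntax-checks the real pf.conf with `pfctl -nf`, and only replaces the fallback if the check passes and the file is non-empty. It assumes `pfctl(8)` and `sysctl(8)` as found on FreeBSD; the fallback path `/var/run/pf.failclosed.conf` is a hypothetical choice.

```shell
#!/bin/sh
# Fail-closed pf loader (added example; not from the thread or from FreeBSD).
# Order of operations matters: block-all ruleset -> pf enabled -> forwarding
# on -> real pf.conf, so the host never forwards with an empty/broken ruleset.
# Assumes pfctl(8) and sysctl(8) with FreeBSD semantics.

PF_CONF=${PF_CONF:-/etc/pf.conf}
# Hypothetical location for the generated fallback ruleset.
FALLBACK_CONF=${FALLBACK_CONF:-/var/run/pf.failclosed.conf}

# Write the minimal fail-closed ruleset to the path given as $1.
write_fallback() {
    cat > "$1" <<'EOF'
# generated fail-closed ruleset: drop everything until the real pf.conf loads
set skip on lo0
block drop all
EOF
}

# Return 0 if the candidate ruleset parses; pfctl -n parses without loading.
# The parser's complaint is logged so the operator on the console sees why
# the box stayed closed.
check_ruleset() {
    if err=$(pfctl -nf "$1" 2>&1); then
        return 0
    fi
    printf 'pf.conf rejected, staying fail-closed: %s\n' "$err" >&2
    return 1
}

# Print the ruleset to load: the real one if it is non-empty and parses,
# otherwise the fallback. An empty pf.conf parses fine but would pass
# everything, hence the explicit -s test.
choose_ruleset() {
    conf=$1
    fallback=$2
    if [ -s "$conf" ] && check_ruleset "$conf"; then
        printf '%s\n' "$conf"
    else
        printf '%s\n' "$fallback"
    fi
}

# Boot-time sequence. Exit status is 0 only if the real pf.conf was loaded,
# so an rc script can report "firewall is running in fail-closed mode".
startup() {
    write_fallback "$FALLBACK_CONF"
    pfctl -f "$FALLBACK_CONF"          # block-all installed first
    pfctl -e                           # enable pf while the ruleset is block-all
    sysctl net.inet.ip.forwarding=1    # only now allow forwarding
    chosen=$(choose_ruleset "$PF_CONF" "$FALLBACK_CONF")
    pfctl -f "$chosen"
    [ "$chosen" = "$PF_CONF" ]
}

# Run the boot sequence only when invoked explicitly, e.g. `sh pfload.sh --boot`.
if [ "${1-}" = "--boot" ]; then
    startup
fi
```

Because `choose_ruleset` falls back on any parse error or empty file, a typo in a large pf.conf leaves the host blocking everything rather than passing everything, which is exactly the behaviour the users in this thread want; the serial console remains the recovery path.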