From owner-freebsd-security@FreeBSD.ORG Fri Jul 14 17:47:39 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B4A1916A4DE; Fri, 14 Jul 2006 17:47:39 +0000 (UTC) (envelope-from ari@suutari.iki.fi) Received: from pne-smtpout3-sn1.fre.skanova.net (pne-smtpout3-sn1.fre.skanova.net [81.228.11.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id 216FF43D70; Fri, 14 Jul 2006 17:47:38 +0000 (GMT) (envelope-from ari@suutari.iki.fi) Received: from mato.suutari.iki.fi (80.222.160.17) by pne-smtpout3-sn1.fre.skanova.net (7.2.075) id 44A130990008CC95; Fri, 14 Jul 2006 19:47:37 +0200 Received: from [127.0.0.1] (raisa.suutari.iki.fi [192.168.60.100]) by mato.suutari.iki.fi (8.13.6/8.13.6) with ESMTP id k6EHlYp7047998; Fri, 14 Jul 2006 20:47:34 +0300 (EEST) (envelope-from ari@suutari.iki.fi) Message-ID: <44B7D8B8.3090403@suutari.iki.fi> Date: Fri, 14 Jul 2006 20:47:36 +0300 From: Ari Suutari User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-pf@freebsd.org, freebsd-security@freebsd.org References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> In-Reply-To: <20060714154729.GA8616@psconsult.nl> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Antivirus: avast! (VPS 0628-5, 14.07.2006), Outbound message X-Antivirus-Status: Clean Cc: Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jul 2006 17:47:39 -0000 Hi, [I have added freebsd-security to recipient list as I consider this issue a security risk] Paul Schenkeveld wrote: > Hello, > > On Fri, Jul 14, 2006 at 01:26:38PM +0300, Ari Suutari wrote: >> Hi, >> >> Does anyone know if there are any plans to bring >> pf boot-time protection (ie. /etc/rc.d/pf_boot and >> related config files) from NetBSD to FreeBSD ? >> >> This would close small (but as far as I understand existing) >> window during boot where firewall is fully open (if using only >> pf). > > I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK > instead of some magic script closing the hole between driver init and > configuration. Always wondered how the OpenBSD -securety minded- people > have come up with a packet filter that's open by default. There has been discussion about this before. I know that perfect solution would be PF_DEFAULT_BLOCK, but while waiting for that I wonder why we cannot have pf_boot, which closes the boot hole (at least when run with proper filter rules). I would suggest: - first port pf_boot which brings us to same level of security as OpenBSD & NetBSD. - then, work with PF authors to get PF_DEFAULT_BLOCK if it still seems necessary. As pf becomes more and more popular on FreeBSD I see current state of system as security risk (ie. I won't use pf + FreeBSD on company firewalls although I would otherwise like to). Ari S.