Date: Mon, 17 Jul 2006 14:21:28 +0200
From: "Simon L. Nielsen" <simon@nitro.dk>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <20060717122127.GC1087@zaphod.nitro.dk>
In-Reply-To: <20060716182315.GC3240@insomnia.benzedrine.cx>
References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx>
On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:

> The "hole" being discussed is the time, during boot, before pf is fully
> functional with the production ruleset. For a comparatively long time,
> the pf module isn't even loaded yet. The time after module load and
> enabling pf with the production ruleset is much smaller.
>
> So, you first need to check the boot sequence for
>
> - interfaces being brought up before pf is loaded
> - addresses assigned to those interfaces
> - daemons starting and listening on those addresses
> - route table getting set up
> - IP forwarding getting enabled
> - etc.

Since nobody else seems to have actually done this, I took a look at FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really see a hole. Most importantly pf is enabled before routing.

Personally I would still like a default to deny knob, but that's mainly to handle the case of an invalid ruleset which causes pf to be left open. Yes, this is only a problem when the admin screws up, but it happens...

(I have been looking at an rc.conf knob which would only enable routing/forwarding if pf was properly enabled with a configured ruleset, but I haven't gotten around to finishing that.)
# rcorder -s nostart /etc/rc.d/*
/etc/rc.d/dumpon
/etc/rc.d/initrandom
/etc/rc.d/geli
/etc/rc.d/gbde
/etc/rc.d/encswap
/etc/rc.d/ccd
/etc/rc.d/swap1
/etc/rc.d/mdconfig
/etc/rc.d/ramdisk
/etc/rc.d/early.sh
/etc/rc.d/fsck
/etc/rc.d/root
/etc/rc.d/mountcritlocal
/etc/rc.d/var
/etc/rc.d/cleanvar
/etc/rc.d/random
/etc/rc.d/adjkerntz
/etc/rc.d/atm1
/etc/rc.d/hostname
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/kldxref
/etc/rc.d/sppp
/etc/rc.d/addswap
/etc/rc.d/sysctl
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/ipsec
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing
[...]

--
Simon L. Nielsen
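The check described in the thread (walk the rcorder(8) output and confirm pf is enabled before the scripts that bring up interfaces and routing), written out as an added example by the editor; it is not code from the message or from FreeBSD. The embedded SAMPLE_ORDER is the listing quoted in the message above, copied in so the script runs offline; the functions position_of, pf_before and report_pf_order and the choice of scripts compared against pf (netif, ipfw, routing) are this example's own assumptions.

```sh
#!/bin/sh
# Added example (editor's, not from the message or FreeBSD): audit rcorder(8)
# output to confirm /etc/rc.d/pf is ordered before the scripts that bring
# up routing. SAMPLE_ORDER is the listing quoted in the message above,
# embedded so the script runs offline; on a FreeBSD host the live list
# comes from:  rcorder -s nostart /etc/rc.d/*
SAMPLE_ORDER='/etc/rc.d/dumpon
/etc/rc.d/initrandom
/etc/rc.d/geli
/etc/rc.d/gbde
/etc/rc.d/encswap
/etc/rc.d/ccd
/etc/rc.d/swap1
/etc/rc.d/mdconfig
/etc/rc.d/ramdisk
/etc/rc.d/early.sh
/etc/rc.d/fsck
/etc/rc.d/root
/etc/rc.d/mountcritlocal
/etc/rc.d/var
/etc/rc.d/cleanvar
/etc/rc.d/random
/etc/rc.d/adjkerntz
/etc/rc.d/atm1
/etc/rc.d/hostname
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/kldxref
/etc/rc.d/sppp
/etc/rc.d/addswap
/etc/rc.d/sysctl
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/ipsec
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing'

# position_of NAME: 1-based position of /etc/rc.d/NAME in the order read
# from stdin; prints nothing if that script is absent from the listing.
position_of() {
    awk -v want="/etc/rc.d/$1" '$0 == want { print NR; exit }'
}

# pf_before ORDER NAME: succeed (exit 0) only if pf is present and runs
# before NAME. A script missing on either side counts as a failure, so an
# absent pf script can never be mistaken for "pf is early enough".
pf_before() {
    pf_pos=$(printf '%s\n' "$1" | position_of pf)
    other_pos=$(printf '%s\n' "$1" | position_of "$2")
    [ -n "$pf_pos" ] && [ -n "$other_pos" ] && [ "$pf_pos" -lt "$other_pos" ]
}

# report_pf_order ORDER: for the scripts behind the checklist in the thread
# (interfaces up, addresses, routing), say whether each runs before or
# after pf. Which scripts to compare is this example's assumption.
report_pf_order() {
    for script in netif ipfw routing; do
        if pf_before "$1" "$script"; then
            printf '%-8s after  pf\n' "$script"
        else
            printf '%-8s BEFORE pf\n' "$script"
        fi
    done
}

# Prefer live rcorder output (FreeBSD); fall back to the quoted sample.
if command -v rcorder >/dev/null 2>&1; then
    ORDER=$(rcorder -s nostart /etc/rc.d/* 2>/dev/null) || ORDER=$SAMPLE_ORDER
else
    ORDER=$SAMPLE_ORDER
fi

report_pf_order "$ORDER"
if pf_before "$ORDER" routing; then
    echo "OK: pf is enabled before routing"
else
    echo "WARNING: routing may come up before pf"
fi
```

On the quoted listing the script reports netif and ipfw before pf and routing after it, which is the ordering the message relies on: interfaces are configured before the filter is loaded, but the route table is not set up until pf has its ruleset. Note that this only checks rc script ordering; it says nothing about whether the ruleset actually loaded, which is the invalid-ruleset case the message raises separately.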
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060717122127.GC1087>