Date:      Mon, 24 Jul 2006 11:32:36 +0200
From:      Harald Muehlboeck <home@clef.at>
To:        "Simon L. Nielsen" <simon@nitro.dk>
Cc:        freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject:   Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID:  <86wta3e4az.fsf@tuha.clef.at>
References:  <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <20060717122127.GC1087@zaphod.nitro.dk>

Simon L. Nielsen <simon@nitro.dk> writes:
> On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote:
>
>> The "hole" being discussed is the time, during boot, before pf is fully
>> functional with the production ruleset. For a comparatively long time,
>> the pf module isn't even loaded yet. 
>> 
>> So, you first need to check the boot sequence for
>> 
>>   - interfaces being brought up before pf is loaded
>>   - addresses assigned to those interfaces
>>   - daemons starting and listening on those addresses
>>   - route table getting set up
>>   - IP forwarding getting enabled
>>   - etc.
>
> Since nobody else seems to have actually done this, I took a look at
> FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
> see a hole.  Most importantly pf is enabled before routing.


> # rcorder -s nostart /etc/rc.d/*
[...]
> /etc/rc.d/ipfilter
> [...]
> /etc/rc.d/sysctl
[...]
> /etc/rc.d/pf
> /etc/rc.d/routing
> [...]

But net.inet.ip.forwarding=1 can also be set in sysctl.conf(5), as
well as many other options like bridging, ... (I don't know if it is
usual to do so)
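The concern raised above is that /etc/rc.d/sysctl runs before /etc/rc.d/pf in the rcorder listing, so a net.inet.ip.forwarding=1 line in sysctl.conf(5) takes effect while no pf ruleset is loaded yet. The following POSIX sh check is an added example and is not part of this thread or of FreeBSD's rc scripts: it takes an rcorder listing and the contents of a sysctl.conf, and reports whether forwarding would be switched on before pf starts. The sample rcorder lines and sysctl.conf contents are constructed, and the helper names `rc_position` and `check_forwarding_window` are hypothetical; on a real host the inputs would be the output of `rcorder -s nostart /etc/rc.d/*` and /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example (not from the thread): does a forwarding sysctl in
# sysctl.conf take effect before pf is loaded, given the rc order?

# Constructed sample of rcorder output (ordering as quoted in the thread).
SAMPLE_RCORDER='/etc/rc.d/ipfilter
/etc/rc.d/sysctl
/etc/rc.d/pf
/etc/rc.d/routing'

# Constructed sample sysctl.conf that turns forwarding on early.
SAMPLE_SYSCTL_CONF='# constructed example sysctl.conf
net.inet.ip.forwarding=1
kern.ipc.somaxconn=1024'

# rc_position LISTING SCRIPT
# Prints the 1-based position of SCRIPT in the rcorder LISTING,
# or nothing if the script does not appear.
rc_position() {
    printf '%s\n' "$1" | awk -v s="$2" '$0 == s { print NR; exit }'
}

# check_forwarding_window LISTING SYSCTL_CONF_CONTENTS
# Prints one of:
#   not_set               forwarding is not enabled in sysctl.conf
#   ok                    forwarding is enabled, but pf starts first
#   forwarding_before_pf  forwarding is enabled before pf starts
#                         (or pf is not in the listing at all)
check_forwarding_window() {
    # Strip comments and whitespace, then pick out the forwarding value.
    cfw_fwd=$(printf '%s\n' "$2" \
        | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
        | awk -F= '$1 == "net.inet.ip.forwarding" { v = $2 } END { print v + 0 }')
    if [ "$cfw_fwd" != "1" ]; then
        echo not_set
        return 0
    fi
    cfw_sysctl=$(rc_position "$1" /etc/rc.d/sysctl)
    cfw_pf=$(rc_position "$1" /etc/rc.d/pf)
    cfw_sysctl=${cfw_sysctl:-0}
    cfw_pf=${cfw_pf:-0}
    # pf missing from the order, or sysctl ordered ahead of it: the
    # forwarding knob is live before any pf ruleset exists.
    if [ "$cfw_pf" -eq 0 ] || [ "$cfw_sysctl" -lt "$cfw_pf" ]; then
        echo forwarding_before_pf
    else
        echo ok
    fi
}

# Stand-alone run against the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    check_forwarding_window "$SAMPLE_RCORDER" "$SAMPLE_SYSCTL_CONF"
fi
```

Run with `--demo` to see the verdict for the constructed samples; with real inputs, feed it `"$(rcorder -s nostart /etc/rc.d/*)"` and `"$(cat /etc/sysctl.conf)"`. The check only looks at the two scripts and the one sysctl discussed in the thread; a host that sets other early knobs (bridging, as mentioned above) would need the same comparison made for each of them.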




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86wta3e4az.fsf>