Date:      Sun, 16 Jul 2006 23:17:14 +0300
From:      Ari Suutari <ari@suutari.iki.fi>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject:   Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID:  <44BA9ECA.6090607@suutari.iki.fi>
In-Reply-To: <20060716191732.GD3240@insomnia.benzedrine.cx>
References:  <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <44BA8A95.10300@suutari.iki.fi> <20060716191732.GD3240@insomnia.benzedrine.cx>

Hi,


Daniel Hartmeier wrote:
> You claimed there was a hole. If you can't explain what it consists of
> ("thing X might get exposed prior to rc.d/pf due to the following
> sequence of events..."),


	On FreeBSD 6.1, run rcorder /etc/rc.d/*. You'll notice that
	pf is run after netif so if one is using only pf as firewall,
	there is a window between run of "netif" and "pf" where network
	interfaces are up but there is no firewall loaded. Adding
	pf_boot, which runs before "netif" would fix this, wouldn't it?

	Please correct me if I'm wrong here (that would be nice since
	then there wouldn't be any problem at all).

> blindly sticking in pf_boot at some convenient
> place in the boot order is not guaranteed to solve more than it can
> break.

	I don't think I have been talking about blindly sticking pf_boot
	into the boot order. I would only like to be sure that there *is* no
	hole. I have been suggesting using pf_boot because it
	seems to be the approach used in other BSDs (well, I must admit
	that I didn't check how OpenBSD does it, but I know that there
	is some kind of boot-time ruleset there). I assumed that since
	the pf_boot solution is there, possible problems with it had been
	ironed out on other BSDs.

	Even Windows XP has boot-time firewall protection today - we
	don't want to be worse than them, do we :-)


		Ari S.
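An added example, not part of either mail in this thread: a POSIX shell audit of the rc.d ordering Ari describes, reporting whether netif comes up before any pf ruleset loader. The rcorder listing it embeds is constructed to mirror the FreeBSD 6.1 order described above, and `pf_boot` is assumed to be the script name a ported boot-time loader would use.

```shell
# Audit an rcorder(8)-style listing (one script path per line) for the
# window in the thread: netif bringing interfaces up before a pf ruleset.

# Constructed listing modelled on the FreeBSD 6.1 ordering Ari describes
# (not real rcorder output): netif runs before pf, pf_boot is absent.
SAMPLE_ORDER='/etc/rc.d/hostid
/etc/rc.d/netif
/etc/rc.d/pf
/etc/rc.d/sshd'

# rc_position LISTING NAME: print the 1-based position of /etc/rc.d/NAME
# in LISTING, or nothing if that script is not in the listing.
rc_position() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { sub(".*/", "") }            # keep only the script basename
        $0 == name { print NR; exit }'
}

# firewall_gap LISTING: 0 if a ruleset loader (pf_boot or pf) runs before
# netif, 1 if netif runs first (the unprotected window), 2 if netif is
# not in the listing at all.
firewall_gap() {
    netif_pos=$(rc_position "$1" netif)
    [ -n "$netif_pos" ] || return 2
    for loader in pf_boot pf; do
        pos=$(rc_position "$1" "$loader")
        if [ -n "$pos" ] && [ "$pos" -lt "$netif_pos" ]; then
            return 0
        fi
    done
    return 1
}

# check_order LISTING: one-line verdict, safe to call under set -e.
check_order() {
    gap_rc=0
    firewall_gap "$1" || gap_rc=$?
    case $gap_rc in
        0) echo "ok: a pf ruleset loader runs before netif" ;;
        1) echo "gap: netif runs before pf, interfaces up with no ruleset" ;;
        *) echo "unknown: netif not found in listing" ;;
    esac
}

# Use the live boot order where rcorder(8) exists, else the sample above.
if command -v rcorder >/dev/null 2>&1; then
    check_order "$(rcorder /etc/rc.d/* 2>/dev/null)"
else
    check_order "$SAMPLE_ORDER"
fi
```

On a FreeBSD host the script reads the real boot order; elsewhere it falls back to the constructed listing and reports the gap.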


