Date:      Fri, 14 Jul 2006 18:57:38 +0300
From:      "Vlad GALU" <vladgalu@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID:  <79722fad0607140857j154002e8r8bc24e24f0867c69@mail.gmail.com>
In-Reply-To: <44B7BBDD.8080302@suutari.iki.fi>
References:  <44B7715E.8050906@suutari.iki.fi> <79722fad0607140413i10a2f5d9pfa0cc4b757e928a8@mail.gmail.com> <44B7BBDD.8080302@suutari.iki.fi>

On 7/14/06, Ari Suutari <ari@suutari.iki.fi> wrote:
> Hi,
>
> Vlad GALU wrote:
> > On 7/14/06, Ari Suutari <ari@suutari.iki.fi> wrote:
> >> Hi,
> >>
> >> Does anyone know if there are any plans to bring
> >> pf boot-time protection (ie. /etc/rc.d/pf_boot and
> >> related config files) from NetBSD to FreeBSD ?
> >>
> >> This would close small (but as far as I understand existing)
> >> window during boot where firewall is fully open (if using only
> >> pf).
> >>
> >
> >   See the mac_ifoff(4) manpage. You can disable your interfaces until
> > the system is fully booted.
>
>         How well would this work ? I think that idea of pf_boot
>         is to disable incoming traffic, but allow certain outgoing
>         traffic like dns. If dns doesn't work during startup (don't
>         really know about mac_ifoff yet) it will cause problems, for
>         example sendmail startup might hang for a while.

     It would disable all traffic until the system is up. That
includes outgoing traffic. Basically the problem is that pf, unlike
ipf/ipfw, doesn't have a "block everything by default" option, so the
firewall is open until the ruleset has been loaded. That can be solved
by either adding such an option or by having a "block all" rule
inserted early in the booting process, which would be removed upon
loading the rules from pf.conf. I think (I didn't check) that this is
exactly what the NetBSD script Simon was telling us about does.

>
>         Ari S.
>
>


-- 
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
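The "block all rule inserted early in the booting process" that Vlad describes can be shown as a small rc-style script. This is an added example written for this page; it is not NetBSD's /etc/rc.d/pf_boot, not from the thread, and the DNS allowance follows Ari's sendmail remark rather than anything the NetBSD script is known to contain. The ruleset path, the pfctl location and the function names are assumptions; both are overridable through the environment so the functions can be exercised without a live firewall. Because `pfctl -f` loads a complete ruleset, the later `pfctl -f /etc/pf.conf` in /etc/rc.d/pf replaces these boot rules wholesale, so no explicit removal step is required.

```shell
#!/bin/sh
# Added example (not the thread's or NetBSD's code): load a block-all pf
# ruleset before network services start, closing the boot-time window in
# which pf is open. /etc/rc.d/pf later replaces it with /etc/pf.conf.

# Assumed defaults; override in the environment for testing.
: "${PF_BOOT_CONF:=/etc/pf.boot.conf}"   # hypothetical path for the boot ruleset
: "${PFCTL:=/sbin/pfctl}"                # location of pfctl

# Emit the boot-time ruleset: block everything, but let DNS lookups out so
# daemons that resolve names at startup (the sendmail case above) do not
# hang. Loopback is skipped so local services keep working.
pf_boot_rules() {
    cat <<'EOF'
set skip on lo0
block all
pass out quick inet proto udp to any port 53 keep state
pass out quick inet proto tcp to any port 53 flags S/SA keep state
EOF
}

# Write the ruleset to $PF_BOOT_CONF and return the number of lines written.
pf_boot_write() {
    pf_boot_rules > "$PF_BOOT_CONF" || return 1
    grep -c '' "$PF_BOOT_CONF"
}

# Load the boot ruleset and enable pf. With PFCTL=echo the command
# sequence is printed instead of executed, which is how the example
# can be checked on a machine without pf.
pf_boot_apply() {
    "$PFCTL" -q -f "$PF_BOOT_CONF" || return 1
    # -e returns non-zero if pf is already enabled; that is harmless here.
    "$PFCTL" -q -e 2>/dev/null || true
}

# When run directly as an rc script:  sh pf_boot.sh start
case "${1:-}" in
    start) pf_boot_write > /dev/null && pf_boot_apply ;;
esac
```

Run it with `start` from the earliest network-related rc step; services that start afterwards see a firewall that drops everything except outbound DNS until the full pf.conf is loaded.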


