Date: Sat, 15 Sep 2012 00:39:57 +0300
From: Kimmo Paasiala <kpaasial@gmail.com>
To: Damien Fleuriot <ml@my.gd>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Patch for adding "options PF_DEFAULT_TO_DROP" to kernel configuration file
Message-ID: <CA+7WWSdf3Yo-jeYwd1OtnmNHfCDzvJ2MRKfZzY8H6B_rgoN2aw@mail.gmail.com>
In-Reply-To: <A12FE8E6-673D-47AE-A541-7892BFE2AAFB@my.gd>
References: <CA+q+TcqL1e=SLa7fUXpCa5Lpospj0F=+cfLnAjWDwHFVFxjAMw@mail.gmail.com> <A12FE8E6-673D-47AE-A541-7892BFE2AAFB@my.gd>
On Fri, Sep 14, 2012 at 7:51 PM, Damien Fleuriot <ml@my.gd> wrote:
>
> On 13 Sep 2012, at 23:26, Olivier Cochard-Labbé <olivier@cochard.me> wrote:
>
>> Hi,
>> here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new
>> option to the kernel configuration file:
>> options PF_DEFAULT_TO_DROP
>>
>> Without this option, with an empty pf.conf: all traffic is permitted.
>> With this option enabled, with an empty pf.conf: all traffic is
>> dropped by default.
>>
>> If the attached file is removed, you can find the patch here:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=171622
>>
>> Regards,
>>
>> Olivier
>> <freebsd.pf_drop.patch>
>
>
> Is there any point to this?
>
> I mean, PF has to be enabled manually anyway, so it's not like it adds any kind of default security.
> Worse, it could lock careless people out.
>
>
> People able to use this (read: who can rebuild a kernel) likely are intelligent enough to cobble up a default block rule for their pf.conf.

If you must do this then please consider adding a /boot/loader.conf setting instead of a kernel configuration option. The option could be read only on a running system or dependent on securelevel(7).

-Kimmo
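For reference, this is what the "default block rule" Damien refers to looks like in practice: a minimal default-deny /etc/pf.conf that drops everything not explicitly passed, while keeping management access open so the administrator is not locked out. It is an added example written for this archive page, not code from the thread or from the PR; the interface name em0 and the admin network 192.0.2.0/24 are assumptions. Unlike the proposed kernel option, this policy only takes effect once the ruleset has been loaded; an empty pf.conf still passes everything on a stock kernel.

```pf
# Added example: minimal default-deny ruleset for FreeBSD pf.
# Assumed values (not from the thread): external interface em0,
# administrators connect over SSH from 192.0.2.0/24.
ext_if    = "em0"
admin_net = "192.0.2.0/24"

# Never filter loopback traffic.
set skip on lo0

# Default policy: drop anything no later rule passes. With pf's
# last-match-wins evaluation, this must come before the pass rules.
block all

# Anti-lockout rule: admit management SSH from the admin network first.
# "quick" stops evaluation here so no later rule can override it.
pass in quick on $ext_if proto tcp from $admin_net to ($ext_if) port 22 keep state

# Let the host itself open outbound connections; replies are matched by state.
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (parse only, no changes applied), load it with `pfctl -f /etc/pf.conf`, and confirm the block rule is in place with `pfctl -sr`. Because `block all` is the first rule and the SSH pass rule is marked `quick`, a later editing mistake in the pass rules cannot silently remove management access.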