Date:      Mon, 17 Jul 2006 01:36:01 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        Dag-Erling Smørgrav <des@des.no>, freebsd-pf@freebsd.org, Ari Suutari <ari@suutari.iki.fi>, freebsd-security@freebsd.org
Subject:   Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID:  <20060716223601.GA5039@gothmog.pc>
In-Reply-To: <20060716214456.GE3240@insomnia.benzedrine.cx>
References:  <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <86y7utgt0o.fsf@xps.des.no> <20060716214456.GE3240@insomnia.benzedrine.cx>

On 2006-07-16 23:44, Daniel Hartmeier <daniel@benzedrine.cx> wrote:
> On Sun, Jul 16, 2006 at 11:05:27PM +0200, Dag-Erling Smørgrav wrote:
>>> Hence, a "default block" switch or compile time option _within_ pf is
>>> not going to make any difference.
>>
>> Sure it will, if pf is compiled into the kernel or loaded by the BTX
>> loader.
>
> Ok, in that case I guess you want to enable pf by default, too.
>
> I haven't tried it in this mode, but the default block can be achieved
> by simply changing sys/contrib/pf/pf_ioctl.c pf_attach()
>
> -       pf_default_rule.action = PF_PASS;
> +       pf_default_rule.action = PF_DROP;
>
>         bzero(&pf_status, sizeof(pf_status));
> +	pf_status.running = 1;
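Review bot: setting `pf_status.running = 1` right after the `bzero(&pf_status, ...)` enables pf at attach time with no ruleset loaded, so together with `pf_default_rule.action = PF_DROP` every packet that reaches pf is dropped until a ruleset is loaded; that is the intended effect here, but it deserves a comment at the site and a kernel option to turn it off, because a machine that never loads a ruleset becomes unreachable over the network. The ordering also matters: the assignment has to stay after the `bzero()`, or the zeroing would clear the flag again.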

If this is the only change needed, then do you think it would be nice to
have it as a compile-time option, like IPFW does?  Something like this
perhaps?

options         PF_DEFAULT_TO_ACCEPT            #allow everything by default

I haven't verified that this is the _only_ change needed to make PF
block everything by default, but having it as a compile-time option
which defaults to block everything would be nice, right?
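As an added illustration (not code from this thread or from the FreeBSD tree), a stand-alone C model of the attach-time state the two messages are discussing: the two lines of Daniel's diff wrapped in the `PF_DEFAULT_TO_ACCEPT` option Giorgos proposes, plus a simplified verdict function for packets that arrive before any ruleset is loaded. The verdict logic (a disabled pf passes everything, an enabled pf with an empty ruleset falls through to the default rule) is an assumption of the model, not the kernel's code.

```c
/* Added example: a model of pf_attach()'s default state, not kernel code.
 * PF_DEFAULT_TO_ACCEPT is the option name proposed in the reply above. */
#include <stdio.h>
#include <string.h>

enum { PF_PASS = 0, PF_DROP = 1 };

struct pf_rule   { int action; };
struct pf_status { int running; };

static struct pf_rule   pf_default_rule;
static struct pf_status pf_status;

/* Model of pf_attach(): the two changed lines from the quoted diff,
 * inverted when the kernel is built with options PF_DEFAULT_TO_ACCEPT. */
static void model_pf_attach(void)
{
#ifdef PF_DEFAULT_TO_ACCEPT
    pf_default_rule.action = PF_PASS;   /* allow everything by default */
#else
    pf_default_rule.action = PF_DROP;   /* block everything by default */
#endif
    memset(&pf_status, 0, sizeof(pf_status));
#ifndef PF_DEFAULT_TO_ACCEPT
    pf_status.running = 1;              /* must follow the zeroing above */
#endif
}

/* Assumed verdict for a packet seen before any ruleset is loaded:
 * pf not running -> packet bypasses pf entirely (PF_PASS);
 * pf running with an empty ruleset -> the default rule decides. */
static int boot_window_verdict(int running, int default_action)
{
    if (!running)
        return PF_PASS;
    return default_action;
}

int main(void)
{
    model_pf_attach();
    /* Shows why the default action alone is not enough: without
     * pf_status.running the PF_DROP default never takes effect. */
    printf("default action only: %s\n",
           boot_window_verdict(0, pf_default_rule.action) == PF_DROP ? "drop" : "pass");
    printf("with pf enabled:     %s\n",
           boot_window_verdict(pf_status.running, pf_default_rule.action) == PF_DROP ? "drop" : "pass");
    return 0;
}
```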
