Date: Mon, 17 Jul 2006 11:13:43 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID: <200607171113.54110.max@love2party.net>
In-Reply-To: <86hd1ghc3i.fsf@tuha.clef.at>
References: <44B7715E.8050906@suutari.iki.fi> <20060717023700.GF3240@insomnia.benzedrine.cx> <86hd1ghc3i.fsf@tuha.clef.at>
[Replying to the latest message available]

Okay, now this is getting pretty pointless. It started out pretty promising with an attempt to really investigate a problem that might exist with the way we boot up pf. No one has yet provided evidence that it does exist, though. What Daniel and others have suggested is that interested parties look at the boot process closely, identify possible windows of vulnerability and propose a *proper* fix in the form of a reorder of the boot process, an early pf_boot or something else.

As more and more people are screaming for rope to hang themselves with, I am going to provide it. As we have established, the "fix" is a three-line change in pf_ioctl.c and otherwise non-intrusive. You will of course have to rewrite your rulesets if you have a default-to-block policy, but since you care about security, that's a little price to pay - right?

I would love to see somebody[tm] *really* looking into the boot process and coming up with a solution if we do have a problem there.

Otherwise I will post a patch for PF_DEFAULT_BLOCK after a few days of cool-off time; if people still think it's a good idea then, I'll commit it.

Thanks.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200607171113.54110.max>