From owner-freebsd-security@FreeBSD.ORG Mon Jul 17 09:13:57 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BD83016A4DD; Mon, 17 Jul 2006 09:13:57 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id E372243D6A; Mon, 17 Jul 2006 09:13:56 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.182.82] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis), id 0MKwh2-1G2PAp2XFG-0001sZ; Mon, 17 Jul 2006 11:13:55 +0200 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Mon, 17 Jul 2006 11:13:43 +0200 User-Agent: KMail/1.9.3 References: <44B7715E.8050906@suutari.iki.fi> <20060717023700.GF3240@insomnia.benzedrine.cx> <86hd1ghc3i.fsf@tuha.clef.at> In-Reply-To: <86hd1ghc3i.fsf@tuha.clef.at> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart9370727.r2jcNg7TsT"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200607171113.54110.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 X-Mailman-Approved-At: Mon, 17 Jul 2006 12:01:43 +0000 Cc: freebsd-security@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2006 09:13:57 -0000 --nextPart9370727.r2jcNg7TsT Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline [Replying to the latest message available] Okay, now this is getting pretty pointless. It started out pretty promissi= ng=20 with an attempt to really investigate into a problem that might exist with= =20 the way we boot up pf. No-one has yet provided evidence that it does exist= ,=20 though. What Daniel and others have suggested is, that interested parties= =20 look at the boot process closely, identify possible windows of vulnarabilit= y=20 and propose a *proper* fix in form of reorder of the boot process, an early= =20 pf_boot or something else. As more and more people are screaming for rope to hang themself with, I am= =20 going to provide it. As we have established, the "fix" is a three line=20 change in pf_ioctl.c and otherwise non-intrusive. You will of course have = to=20 rewrite your rulesets if you have a default to block policy, but since you= =20 care about security, that's a little price to pay - right? I would love to see somebody[tm] *really* looking into the boot process and= =20 come up with a sollution if we do have a problem there. Otherwise I will post a patch for PF_DEFAULT_BLOCK after a few days of=20 cool-off time, if people then still think it's a good idea then, I'll commi= t=20 it. Thanks. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart9370727.r2jcNg7TsT Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (FreeBSD) iD8DBQBEu1TSXyyEoT62BG0RAqUIAJoDm86oQQDKv89ejblJ4XMU/pwzeQCeKMV3 9ST0ZlzZM2H/4vW0C4V1CX4= =anvo -----END PGP SIGNATURE----- --nextPart9370727.r2jcNg7TsT--