Date:      Sun, 16 Jul 2006 21:51:01 +0300
From:      Ari Suutari <ari@suutari.iki.fi>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        freebsd-security@freebsd.org, freebsd-pf@freebsd.org
Subject:   Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ?
Message-ID:  <44BA8A95.10300@suutari.iki.fi>
In-Reply-To: <20060716182315.GC3240@insomnia.benzedrine.cx>
References:  <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx>

Hi,


Daniel Hartmeier wrote:
> And to get rid of the "hole", you need to get the order right so there
> is nothing being exposed before the pf module is loaded. Once you have
> ensured that nothing gets exposed before rc.d/pf is started, it's
> trivial to make sure that that script only exits after pf has been
> enabled and the production ruleset is in place.

	Too much tuning on a security-related issue. The standard startup
	sequence should be secure. I really cannot understand what is so
	bad about /etc/rc.d/pf_boot that it cannot be added to FreeBSD
	as NetBSD & OpenBSD use it, or something similar.

	I'm not yelling after default block - others are and use it as
	a reason not to use something like pf_boot.

> I think the chronological placement of rc.d/pf is already meant to
> achieve precisely that, have you actually checked the rc.d scripts and
> found some order that needs to be adjusted?

	I could of course adjust my rc.d scripts, but I would very much
	appreciate it if security-related things were set up correctly in
	the standard setup.

	I'll try to port pf_boot myself if nobody else volunteers.
	(I don't think there is much porting to do, however).

		Ari S.
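The ordering point made in the quoted reply (nothing exposed before pf is loaded, and the script returning only once pf is enabled with rules in place) can be illustrated with a small early-boot script. The following is an added example written for this thread; it is neither the NetBSD /etc/rc.d/pf_boot script nor any FreeBSD code. It assumes the kernel module is called "pf", that pfctl is in PATH, that an optional admin-supplied fallback ruleset lives at /etc/pf.boot.conf (the NetBSD name), and that "BEFORE: netif" is an adequate rcorder placement on the target system; the built-in block-all ruleset is constructed for the example.

```shell
#!/bin/sh
# Added example (not the NetBSD pf_boot script nor FreeBSD code): an early-boot
# pf script that puts a block-all fallback ruleset in place before any
# interface is configured, and only returns once pf is enabled with rules loaded.
#
# Assumptions (not from the thread): the kernel module is named "pf", pfctl is
# in PATH, an optional admin-supplied fallback lives at /etc/pf.boot.conf, and
# "BEFORE: netif" is an adequate rcorder placement on the target system.
#
# PROVIDE: pf_boot
# REQUIRE: root
# BEFORE: netif

PF_BOOT_CONF=${PF_BOOT_CONF:-/etc/pf.boot.conf}

# Constructed built-in fallback: everything is dropped except loopback traffic,
# so the host stays closed until rc.d/pf loads the production ruleset.
pf_boot_ruleset() {
    cat <<'EOF'
set skip on lo0
block drop all
EOF
}

# Decide which ruleset to load: the admin's file if it exists and parses
# (pfctl -n only checks syntax), otherwise the built-in one. Printing the
# chosen source keeps the decision testable without touching /dev/pf.
pf_boot_source() {
    if [ -r "$PF_BOOT_CONF" ] && pfctl -nf "$PF_BOOT_CONF" >/dev/null 2>&1; then
        echo "$PF_BOOT_CONF"
    else
        echo builtin
    fi
}

pf_boot_load() {
    # Do not touch /dev/pf until the module is actually present.
    if ! kldstat -q -m pf; then
        kldload pf || return 1
    fi

    # Rules first, then enable: enabling pf with an empty ruleset passes everything.
    case "$(pf_boot_source)" in
        builtin) pf_boot_ruleset | pfctl -f - || return 1 ;;
        *)       pfctl -f "$PF_BOOT_CONF" || return 1 ;;
    esac

    # pfctl -e exits non-zero if pf is already enabled; confirm the state instead
    # of treating that as a failure. Only now has the script done its job.
    pfctl -e 2>/dev/null || pfctl -s info | grep -q '^Status: Enabled' || return 1
}

if [ "${1:-}" = start ]; then
    pf_boot_load
fi
```

Because the real production rules are loaded later by rc.d/pf, this script deliberately does nothing beyond closing the host; a syntax error in /etc/pf.boot.conf falls back to the built-in block-all rules rather than leaving the machine open, and a failure anywhere in the load path makes the script exit non-zero so the rc.d framework reports it.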



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44BA8A95.10300>