Re: pf options in kernel

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Tue, 15 Nov 2022 21:00:48 UTC
On 15 Nov 2022, at 21:47, void wrote:
> Is there any advantage to having
> device pf
> options PF_DEFAULT_TO_DROP
>
> built into the kernel, over having
>
> "set block-policy drop" in /etc/pf.conf and pf_enable="YES" in /etc/rc.conf?
>
Configure this in your pf.conf file, not as a kernel option.

There’s at least one known bug with PF_DEFAULT_TO_DROP: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477

As a general rule you should avoid custom kernel options whenever it’s remotely possible.

Kristof
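For reference, an added example that is not part of this thread: a minimal /etc/pf.conf that gets its default-deny behaviour from the ruleset instead of from the PF_DEFAULT_TO_DROP kernel option. The interface name em0 and the SSH port are assumptions; adjust them to the host.

```pf
# /etc/pf.conf -- added example, not from the mailing-list thread.
# Assumes the external interface is em0 (assumption; change as needed).
ext_if = "em0"

# block-policy only decides HOW a blocked packet is refused:
#   drop   - discard it silently
#   return - send a TCP RST / ICMP unreachable
# On its own it does not block anything.
set block-policy drop
set skip on lo0

# The default-deny itself comes from a catch-all block rule at the top of
# the ruleset. pf uses last-matching-rule-wins, so anything not explicitly
# passed below is dropped here. This is the ruleset equivalent of the
# PF_DEFAULT_TO_DROP kernel option, which only changes what pf does when
# no rule at all matches a packet.
block all

# Allow traffic explicitly; state is kept so replies are accepted.
pass out on $ext_if keep state
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state
```

Enable it with pf_enable="YES" in /etc/rc.conf, check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `pfctl -sr` that the `block all` line is the first rule shown. The one situation a ruleset cannot cover is pf running with no rules loaded at all (for example after a syntax error at boot), where stock pf passes everything; validating with `pfctl -nf` before committing a change is the usual way to avoid that.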