Re: pf options in kernel
- In reply to: Juraj Lutter : "Re: pf options in kernel"
Date: Tue, 15 Nov 2022 23:13:05 UTC
On 2022-11-15 13:02, Juraj Lutter wrote:
>> On 15 Nov 2022, at 21:53, Chris <bsd-lists@bsdforge.com> wrote:
>>
>> On 2022-11-15 12:47, void wrote:
>>> Hi,
>>> Is there any advantage to having
>>> device pf
>>> options PF_DEFAULT_TO_DROP
>>> built into the kernel, over having
>>> "set block-policy drop" in /etc/pf.conf and "pf_enable="YES"" in
>>> /etc/rc.conf?
>>
>> six of one, or a half dozen of the other. IOW no, not really. :-)
>
> The difference is that when pf is being enabled in rc.conf, there is a time
> window when the system is “unprotected”, while when pf is built into kernel with
> PF_DEFAULT_TO_DROP, the system is not exposed to, potentially, hostile network
> environment (as the rules are loaded as part of rc sequence, but you must
> explicitly allow traffic).

Your "window of vulnerability" is limited to when the (your) network comes active. Loading pf(4) and its rules ahead of that will greatly mitigate any potential problem. I have servers with both "in conf" && "in kernel" option that are always under heavy attack. The difference is almost imperceptible. The convenience with using the out-of-kernel option is that I don't require rebuilding/installing a kernel to make any changes.

--chris

>
> otis
>
> —
> Juraj Lutter
> otis@FreeBSD.org
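For readers weighing the two approaches discussed above, here is an added /etc/pf.conf (not posted by anyone in the thread) that makes the default-deny behaviour of PF_DEFAULT_TO_DROP explicit in the ruleset loaded from rc.conf, and separates it from what "set block-policy" actually controls. The interface name em0 and the allowed port are assumptions; pair it with pf_enable="YES" and pflog_enable="YES" in /etc/rc.conf.

```pf
# Added example, not from the thread. Assumed interface and service.
ext_if = "em0"

# "set block-policy" only decides how an already-blocked packet is answered:
#   drop   -> silently discarded (no RST/ICMP, nothing for a scanner to read)
#   return -> TCP RST or ICMP unreachable is sent back
# It does NOT decide whether traffic that matches no rule is blocked.
set block-policy drop
set skip on lo0

# An explicit "block all" as the first rule gives the same default action as
# building the kernel with "options PF_DEFAULT_TO_DROP": anything no later
# "pass" rule matches is blocked. Logging it makes the drops visible on
# pflog0 for detection and for debugging a too-strict ruleset.
block log all

# Stateful pass rules for only the services this host actually offers.
pass in on $ext_if proto tcp to ($ext_if) port { 22 } flags S/SA keep state
pass out on $ext_if all keep state
```

With this file, the rc.conf-enabled host and the PF_DEFAULT_TO_DROP kernel behave the same once the rules are loaded; the kernel option still covers the interval before the rc script runs, which is the window Juraj describes.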