Re: pf options in kernel

From: Chris <bsd-lists_at_bsdforge.com>
Date: Tue, 15 Nov 2022 23:13:05 UTC
On 2022-11-15 13:02, Juraj Lutter wrote:
>> On 15 Nov 2022, at 21:53, Chris <bsd-lists@bsdforge.com> wrote:
>> 
>> On 2022-11-15 12:47, void wrote:
>>> Hi,
>>> Is there any advantage to having
>>> device pf
>>> options PF_DEFAULT_TO_DROP
>>> built into the kernel, over having
>>> "set block-policy drop" in /etc/pf.conf and "pf_enable="YES"" in /etc/rc.conf?
>> 
>> six of one, or a half dozen of the other. IOW no, not really. :-)
> 
> The difference is that when pf is being enabled in rc.conf, there is a time
> window when the system is “unprotected”, while when pf is built into kernel
> with PF_DEFAULT_TO_DROP, the system is not exposed to, potentially, hostile
> network environment (as the rules are loaded as part of rc sequence, but you
> must explicitly allow traffic).
Your "window of vulnerability" is limited to when the (your) network comes
active. Loading pf(4) and its rules ahead of that will greatly mitigate any
potential problem.

I have servers with both "in conf" && "in kernel" option that are always
under heavy attack. The difference is almost imperceptible. The convenience
with using the out-of-kernel option, is that I don't require
rebuilding/installing a kernel to make any changes.

--chris
> 
> otis
> 
> —
> Juraj Lutter
> otis@FreeBSD.org
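An added configuration example, not taken from the thread or from FreeBSD's own files, showing the two setups the thread compares side by side. Two knobs are involved and they do different things: the kernel option PF_DEFAULT_TO_DROP makes pf's built-in default rule "block" instead of "pass", so nothing is forwarded while no ruleset is loaded, whereas "set block-policy drop" in pf.conf only decides whether a packet that a block rule already matched is dropped silently or answered with a TCP RST / ICMP unreachable. An explicit "block all" line in the ruleset is what gives the out-of-kernel setup its default-deny. The interface name em0 and the SSH pass rule are assumptions for illustration.

```conf
# Added example (not from the thread): the two ways to run a default-deny pf
# on FreeBSD that the thread discusses.

# --- (a) in-kernel: custom kernel config, e.g. /usr/src/sys/amd64/conf/MYKERNEL
#     Changing these lines means rebuilding and installing the kernel.
device  pf
device  pflog
options PF_DEFAULT_TO_DROP      # pf's built-in default rule becomes "block", so
                                # with no ruleset loaded nothing passes at all

# --- (b) out-of-kernel: pf.ko loaded by rc(8), ruleset from /etc/pf.conf
# /etc/rc.conf
pf_enable="YES"                 # load pf.ko and enable the filter at boot
pf_rules="/etc/pf.conf"         # ruleset that rc loads right after enabling pf
pflog_enable="YES"              # log blocked packets via pflog0

# /etc/pf.conf  (em0 is an assumed interface name)
ext_if="em0"
set block-policy drop           # blocked packets are silently dropped instead of
                                # answered with TCP RST / ICMP unreachable
set skip on lo0                 # never filter loopback
block log all                   # explicit default deny; later matching pass rules win
pass out on $ext_if inet keep state
pass in on $ext_if inet proto tcp to ($ext_if) port 22 flags S/SA keep state
```

In setup (a) the default-deny exists from the moment the kernel boots, before any ruleset is read; in setup (b) it exists from the moment rc has loaded pf.ko and /etc/pf.conf, which is the gap the thread argues about. Both setups need explicit pass rules before any traffic is accepted, and in both a ruleset that forgets "block all" (or a load that fails because of a syntax error, which pfctl reports and refuses) is the thing to watch for: with (b) that failure leaves the previous or empty ruleset in place and pf passing everything, with (a) it leaves pf blocking everything.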