Re: pf options in kernel

From: void <void_at_f-m.fm>
Date: Wed, 16 Nov 2022 00:58:51 UTC
On Tue, Nov 15, 2022 at 10:00:48PM +0100, Kristof Provost wrote:

>Configure this in your pf.conf file, not as a kernel option.
>
>There’s at least one known bug with PF_DEFAULT_TO_DROP:
>https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477

Thanks, noted.

>As a general rule you should avoid custom kernel options whenever it’s 
>remotely possible.

I've always thought having a kernel trimmed to only what is required, 
from a security standpoint, diminishes the attack surface. Is this not the case?
--
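A pf.conf ruleset that expresses the default-drop policy in the configuration itself, as Kristof's reply recommends, rather than via the PF_DEFAULT_TO_DROP kernel option. This is an added example, not from the original thread; the interface name and permitted services are assumptions.

```pf
# Added example: default-to-drop in the ruleset, not as a kernel option.
# Interface name and allowed services are assumptions for illustration.
ext_if = "vtnet0"
tcp_services = "{ ssh, https }"

set skip on lo0
set block-policy drop

# Normalise inbound packets before they are filtered.
scrub in on $ext_if all

# Default policy: drop and log everything in both directions.
# Every pass rule below is an explicit exception to this line.
block log all

# Exceptions: inbound SSH/HTTPS to this host's own address(es),
# and any outbound traffic the host initiates, both stateful.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services keep state
pass out on $ext_if keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; with `block log all`, dropped packets appear on pflog0 and can be inspected with tcpdump.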