Date: Wed, 16 Nov 2022 00:58:51 +0000
From: void <void@f-m.fm>
To: freebsd-hackers@freebsd.org
Subject: Re: pf options in kernel
In-Reply-To: <066FCA78-CDC6-4178-AAE1-6F9FD8A665CB@FreeBSD.org>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Tue, Nov 15, 2022 at 10:00:48PM +0100, Kristof Provost wrote:
>Configure this in your pf.conf file, not as a kernel option.
>
>There's at least one known bug with PF_DEFAULT_TO_DROP: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477

Thanks, noted.

>As a general rule you should avoid custom kernel options whenever it's
>remotely possible.

I've always thought having a kernel trimmed to only what is required, from a security standpoint, diminishes the attack surface. Is this not the case?

--
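As an added illustration of the advice quoted above ("configure this in your pf.conf file, not as a kernel option"), and not something posted in this thread, here is what a default-deny policy looks like when it lives in the ruleset rather than in a custom kernel: the first rule blocks everything, and every later pass rule is an explicit exception, so the stock GENERIC kernel gives the same policy without options PF_DEFAULT_TO_DROP. The interface name em0 and the single SSH allowance are assumptions for illustration.

```pf
# /etc/pf.conf -- added example, not from the thread.
# Default-deny is expressed in the ruleset, so it works with the stock
# GENERIC kernel; nothing here needs 'options PF_DEFAULT_TO_DROP' in a
# custom kernel config. "em0" and the allowed ports are assumptions.

ext_if = "em0"
tcp_services = "{ 22 }"

set skip on lo0
set block-policy drop        # silently drop; do not answer with RST/ICMP unreachable

# First rule: drop everything. pf uses last-matching-rule semantics, so
# each later 'pass' is an explicit exception to this default.
block drop all

# Explicit exceptions only.
pass in  on $ext_if inet proto tcp to ($ext_if) port $tcp_services flags S/SA keep state
pass out on $ext_if inet keep state
```

Parse it without loading using pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and check with pfctl -sr that the block rule is listed first. One difference in scope worth knowing: this rule takes effect once the ruleset is loaded (pf_enable="YES" and pf_rules="/etc/pf.conf" in rc.conf), whereas PF_DEFAULT_TO_DROP changes the action pf takes when no rule in the ruleset matches at all, which is the compiled-in behaviour the quoted bug report concerns.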