Re: pf options in kernel
- In reply to: void : "Re: pf options in kernel"
Date: Wed, 16 Nov 2022 11:40:03 UTC
On 16 Nov 2022, at 1:58, void wrote:
> On Tue, Nov 15, 2022 at 10:00:48PM +0100, Kristof Provost wrote:
>> Configure this in your pf.conf file, not as a kernel option.
>>
>> There’s at least one known bug with PF_DEFAULT_TO_DROP:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477
>
> Thanks, noted.
>
>> As a general rule you should avoid custom kernel options whenever it’s remotely possible.
>
> I've always thought having a kernel trimmed to only what is required, from a security standpoint, diminishes the attack surface. Is this not the case?
>
No, you just end up running a unique configuration not tested by anyone else.

The defaults are the defaults for a reason. Only deviate from them if you understand both why the default is what it is and why it doesn’t work for your use case.

Kristof
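The advice above is to express the default-deny policy in the ruleset rather than by building a kernel with PF_DEFAULT_TO_DROP. The following pf.conf is an added example illustrating that, not a file posted in this thread or shipped by FreeBSD; the interface name em0 and the permitted ports are assumptions and would be adjusted to the host.

```pf
# /etc/pf.conf: default-deny expressed in the ruleset itself.
# Added example, not from the thread. em0 and the port list are assumptions.
ext_if = "em0"

set skip on lo0
# Silently drop blocked packets instead of sending RST/ICMP unreachable.
set block-policy drop

# Default policy: block everything in both directions, logging what is blocked.
# pf uses last-matching-rule semantics, so this first rule is the fallback for
# any packet no later "pass" rule matches. It runs on a GENERIC kernel and is
# visible in "pfctl -sr", unlike a compiled-in default.
block log all

# Explicitly permitted traffic. pass rules keep state by default, so replies
# to these connections are matched by the state table, not by rule order.
pass out on $ext_if inet proto { tcp udp icmp } from ($ext_if) to any

# Inbound: only SSH to this host, TCP connection setup packets only.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. Because the blocking is an ordinary rule, `pfctl -sr` shows the policy that is actually in effect, and `pfctl -sl` / the pflog interface shows what it drops, which a compiled-in default does not give you.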