From: Kristof Provost
To: void
Cc: freebsd-hackers@freebsd.org
Subject: Re: pf options in kernel
Date: Wed, 16 Nov 2022 12:40:03 +0100
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On 16 Nov 2022, at 1:58, void wrote:
> On Tue, Nov 15, 2022 at 10:00:48PM +0100, Kristof Provost wrote:
>> Configure this in your pf.conf file, not as a kernel option.
>>
>> There’s at least one known bug with PF_DEFAULT_TO_DROP:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477
>
> Thanks, noted.
>
>> As a general rule you should avoid custom kernel options whenever it’s remotely possible.
>
> I've always thought having a kernel trimmed to only what is required, from a security standpoint, diminishes the attack surface. Is this not the case?
>
No, you just end up running a unique configuration not tested by anyone else.

The defaults are the defaults for a reason. Only deviate from them if you understand both why the default is what it is and why it doesn’t work for your use case.

Kristof
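For the policy the thread is about (default-to-drop expressed in pf.conf rather than through the PF_DEFAULT_TO_DROP kernel option), here is an added example ruleset; it is not from the thread or from the FreeBSD project, and the interface name em0 and the set of permitted services are assumptions for the host in question:

```pf
# Added example pf.conf (not from the thread). Interface name and the
# services allowed in are assumptions; adjust them for the host.
ext_if = "em0"
tcp_services = "{ ssh, https }"

set block-policy drop      # blocked packets are dropped silently, no RST/unreachable
set skip on lo0            # never filter loopback traffic

scrub in all               # reassemble fragments before any rule is evaluated

# pf evaluates rules last-match-wins and, if nothing matches, passes the
# packet. That implicit pass is what PF_DEFAULT_TO_DROP changes in the
# kernel. Placing a "block" rule first gives the same default-deny
# outcome in the ruleset itself, where pfctl -sr can show it and where
# the configuration is the one everyone else tests.
block log all              # logged to pflog0 so policy hits are visible

# Traffic originating from this host, stateful so replies return
pass out quick on $ext_if inet proto { tcp, udp, icmp } from ($ext_if)

# Only the listed inbound services; state is created on the initial SYN only
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_services flags S/SA

# ICMP types needed for path-MTU discovery and basic reachability checks
pass in on $ext_if inet proto icmp all icmp-type { echoreq, unreach }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm the block rule is first in `pfctl -sr` output.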