From nobody Wed Jul 12 19:03:55 2023
X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4R1Rwv27lFz2tmJD
	for <freebsd-hackers@mlmmj.nyi.freebsd.org>; Wed, 12 Jul 2023 19:03:59 +0000 (UTC)
	(envelope-from void@f-m.fm)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4R1Rwt4lw6z3L70
	for <freebsd-hackers@freebsd.org>; Wed, 12 Jul 2023 19:03:58 +0000 (UTC)
	(envelope-from void@f-m.fm)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=f-m.fm header.s=fm2 header.b=QMTEm3er;
	dkim=pass header.d=messagingengine.com header.s=fm2 header.b="q KGOwbi";
	spf=pass (mx1.freebsd.org: domain of void@f-m.fm designates 66.111.4.27 as permitted sender) smtp.mailfrom=void@f-m.fm;
	dmarc=pass (policy=none) header.from=f-m.fm
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
	by mailout.nyi.internal (Postfix) with ESMTP id 959A15C00F8
	for <freebsd-hackers@freebsd.org>; Wed, 12 Jul 2023 15:03:57 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
  by compute5.internal (MEProxy); Wed, 12 Jul 2023 15:03:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=f-m.fm; h=cc
	:content-transfer-encoding:content-type:content-type:date:date
	:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:sender:subject:subject:to:to; s=fm2; t=
	1689188637; x=1689275037; bh=IsVl0BIsPXMq//j36OWl6biIlGyR18o64gm
	GfJQCKa8=; b=QMTEm3erssudZOThdsdvQAqz2khdGEAdajPEhP0MAsbo3/b6sdX
	GM9uObBHbFK3jLDTeMgI96gWWLz0aEVRNl2CY58uwcBR/spWNUgk338lba9SYqfA
	HzgRNEvIA5y9b1cSq4X6tzWtUwNm7kaRRKGnzxRDf45mfkPhvG7xn0LxQ1kvleos
	2CUMoc7dFphr2isGfOPqNdEIz/WwQuSSU6gKzocproXaJJ2js9IXY9XS46A5vjA7
	DOBsh2P5RcP6i17GuDMIlFODoUFNsaG4E5eq67RQTHjPcCxxfcfdqasPJod79KJS
	55+Uz6vTaSovhLluz77Mhv8lFRVZLizITZw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-transfer-encoding:content-type
	:content-type:date:date:feedback-id:feedback-id:from:from
	:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1689188637; x=
	1689275037; bh=IsVl0BIsPXMq//j36OWl6biIlGyR18o64gmGfJQCKa8=; b=q
	KGOwbiCVraZHFlBUKuTkgRxjJ1syQJfk/K7ppO/DVTEVRYXj54ki8V6xKlvkZsS5
	VTjCMfuQ9gmYGbKzY5XW6vNqvzoOe0rh4hdegrAE+jl5W5OHP8QdejXAJZkimj7A
	meXIUsUOwDcWcgS5akArQXKar23S7cL8Bb26tpMydIswep8S8p5xPIZJquwBYYqM
	Jj/UIOnNl1bn6EVv16tRz/Wc7y1tDA51gE9FFUtgRlx6D/vnaqcZQ3G8tbnZr0Of
	yl1avfFSxnZ0QAqsK6ofEWr665eBhipWLAIJN9b5Hsn3Kv9H23qCSzz9IV5OOYnk
	ueAoUFuxMyXzVqJ9KWPBg==
X-ME-Sender: <xms:HfmuZI2c77BxLttmUVTvLA_etAZc-7-61TnpfcOau2pMPBJw1RPmTQ>
    <xme:HfmuZDFynnxE3jy2bv3HqQHitx3KYlP6TmXm2X1_ECyOInn3TRwN7pOHL8eV9Mpsc
    WEO6sZxmSRmwd6dJQ>
X-ME-Received: <xmr:HfmuZA79miTD_vc75jOh3QN-663LmmJ6Ug5VRKMRWBPtD71OvMzTq5HsuaaLPyVVty2z>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedrfedvgddufedvucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkfhggtggugfgjsehtke
    ertddttdejnecuhfhrohhmpehvohhiugcuoehvohhiugesfhdqmhdrfhhmqeenucggtffr
    rghtthgvrhhnpefhheekvedttdfhleeffeeludehtdeghfehudefudetfedtgffhfedufe
    ehjefhjeenucffohhmrghinhepfhhrvggvsghsugdrohhrghenucevlhhushhtvghrufhi
    iigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehvohhiugesfhdqmhdrfhhm
X-ME-Proxy: <xmx:HfmuZB2_I4cC0iQZn8GZaPUHsYR5UHr5H7Trpb5R9_vOXwDGYgZ83w>
    <xmx:HfmuZLEx7Djetvw_VW0d8QSqNQWb_2pST37gEhlYn2lcaDJcnCNclw>
    <xmx:HfmuZK_KSD8CV8c3-JzWdjnGHvgVu8lvHPm_ab679oeUoKh8IIgYSQ>
    <xmx:HfmuZCxaMtmwuYh4ibRpm4AnVDTUvY-HuYxOp_f5eAo6Ys8L9ICyEQ>
Feedback-ID: i2541463c:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for
 <freebsd-hackers@freebsd.org>; Wed, 12 Jul 2023 15:03:56 -0400 (EDT)
Date: Wed, 12 Jul 2023 20:03:55 +0100
From: void <void@f-m.fm>
To: freebsd-hackers@freebsd.org
Subject: Re: dis/advantages of compiling in-kernel over kldload
Message-ID: <ZK75GyQCxE1YzEav@int21h>
Mail-Followup-To: freebsd-hackers@freebsd.org
References: <ZK7mnohS12eEYoV2@int21h>
 <F94E719F-C1BE-48C4-882D-AF42E3350ACB@FreeBSD.org>
List-Id: Technical discussions relating to FreeBSD <freebsd-hackers.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
List-Help: <mailto:freebsd-hackers+help@freebsd.org>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Subscribe: <mailto:freebsd-hackers+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-hackers+unsubscribe@freebsd.org>
Sender: owner-freebsd-hackers@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <F94E719F-C1BE-48C4-882D-AF42E3350ACB@FreeBSD.org>
X-Spamd-Result: default: False [-4.43 / 15.00];
	DWL_DNSWL_LOW(-1.00)[messagingengine.com:dkim];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-0.999];
	NEURAL_HAM_MEDIUM(-0.83)[-0.835];
	DMARC_POLICY_ALLOW(-0.50)[f-m.fm,none];
	MID_RHS_NOT_FQDN(0.50)[];
	R_SPF_ALLOW(-0.20)[+ip4:66.111.4.27];
	R_DKIM_ALLOW(-0.20)[f-m.fm:s=fm2,messagingengine.com:s=fm2];
	MIME_GOOD(-0.10)[text/plain];
	RCVD_IN_DNSWL_LOW(-0.10)[66.111.4.27:from];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-hackers@freebsd.org];
	FROM_HAS_DN(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	ARC_NA(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	ASN(0.00)[asn:19151, ipnet:66.111.4.0/24, country:US];
	RCVD_COUNT_THREE(0.00)[4];
	TO_DN_NONE(0.00)[];
	FREEMAIL_FROM(0.00)[f-m.fm];
	MLMMJ_DEST(0.00)[freebsd-hackers@freebsd.org];
	DKIM_TRACE(0.00)[f-m.fm:+,messagingengine.com:+];
	MIME_TRACE(0.00)[0:+];
	FROM_EQ_ENVFROM(0.00)[];
	FREEMAIL_ENVFROM(0.00)[f-m.fm];
	RCVD_VIA_SMTP_AUTH(0.00)[]
X-Rspamd-Queue-Id: 4R1Rwt4lw6z3L70
X-Spamd-Bar: ----
X-ThisMailContainsUnwantedMimeParts: N

Hello Kristof,

On Wed, Jul 12, 2023 at 08:38:35PM +0200, Kristof Provost wrote:

>I strongly recommend that people stick with the GENERIC config, 
>and ideally just use the builds the project releases.

I disagree. I think people need to look carefully at their own contexts.
What you're suggesting removes a configurable layer of the
security onion. It's not like we have OpenBSD's KARL. I find it hard to
see how using identical configs across systems benefits anyone apart from
either an attacker, or tech support.

>Any deviation from that means you’re running a configuration that’s less 
>tested than the default.

That's fine. If I report a problem I'll make sure to use a generic 
config to debug beforehand.

>There may be good reasons to do so, but know that our warranty policy is “If you break it you get to keep all of the pieces”.

I wasn't aware of any warranty policy at all :D

>For example, PF_DEFAULT_TO_DROP is know to be broken in at least some scenarios: 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477

Would you not agree though, that if one didn't try, then no progress could be made?

What I'd like to acheive is the following:

If pf fails to load its ruleset, allow ssh from only this safe IP range 
and block everything else.
--