Re: dis/advantages of compiling in-kernel over kldload

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Wed, 12 Jul 2023 20:08:02 UTC

On 12 Jul 2023, at 21:03, void wrote:
> Hello Kristof,
>
> On Wed, Jul 12, 2023 at 08:38:35PM +0200, Kristof Provost wrote:
>
>> I strongly recommend that people stick with the GENERIC config, and ideally just use the builds the project releases.
>
> I disagree. I think people need to look carefully at their own contexts.
> What you're suggesting removes a configurable layer of the
> security onion. It's not like we have OpenBSD's KARL. I find it hard to
> see how using identical configs across systems benefits anyone apart from
> either an attacker, or tech support.

I’m not suggesting that you’re not allowed to deviate from the default kernel config. I’m saying that it’s risky, and that I’m going to be less interested in the bugs you run into.

>> For example, PF_DEFAULT_TO_DROP is known to be broken in at least some scenarios:
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477
>
> Would you not agree though, that if one didn't try, then no progress could be made?
>
Sure, if you’re interested in finding bugs that’s one thing you can do. You’re also likely to be allowed to fix them yourself.

> What I'd like to achieve is the following:
>
> If pf fails to load its ruleset, allow ssh from only this safe IP range and block everything else.
>
Look at pf_fallback_rules in /etc/defaults/rc.conf

Best regards,
Kristof
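
The fallback setup referred to above, as an added example that is not part of the original message or of FreeBSD's own scripts: it stages a fallback ruleset that drops everything except SSH from one safe range, plus the rc.conf knobs that enable it. The function name `stage_pf_fallback`, the use of `/etc/rc.conf.d/pf`, the IPv4-only check and the 192.0.2.0/24 range are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stage a pf fallback ruleset for FreeBSD's rc.d/pf.
# Usage: script DESTDIR SAFE_NET   (e.g. DESTDIR=/tmp/stage SAFE_NET=192.0.2.0/24)
# 192.0.2.0/24 is a documentation range used as a constructed sample value.

# stage_pf_fallback DESTDIR SAFE_NET
# Writes DESTDIR/etc/pf-fallback.conf and DESTDIR/etc/rc.conf.d/pf.
stage_pf_fallback() {
    destdir=$1
    safe_net=$2

    # Accept only a plain IPv4 address or CIDR (assumption: IPv4 management
    # network), so a typo cannot turn into an unintended pf rule.
    case $safe_net in
        ''|*[!0-9./]*) echo "bad network: $safe_net" >&2; return 1 ;;
    esac

    mkdir -p "$destdir/etc/rc.conf.d" || return 1

    # Fallback policy: drop and log everything, then admit SSH from the safe
    # range. "quick" stops rule evaluation at the pass rule; state tracking
    # lets the replies out despite the block.
    cat > "$destdir/etc/pf-fallback.conf" <<EOF
block drop log all
pass in quick inet proto tcp from $safe_net to any port 22
EOF

    # Knobs from /etc/defaults/rc.conf: the fallback is off by default and is
    # loaded only when the main ruleset fails to load.
    cat > "$destdir/etc/rc.conf.d/pf" <<EOF
pf_fallback_rules_enable="YES"
pf_fallback_rules_file="/etc/pf-fallback.conf"
EOF
}

# Run stand-alone when called with both arguments.
if [ "$#" -eq 2 ]; then
    stage_pf_fallback "$1" "$2"
fi
```

Before relying on it, syntax-check the staged rules on the target host with `pfctl -nf /etc/pf-fallback.conf`, since a fallback file that itself fails to parse gives no protection.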