From nobody Wed Jul 12 20:08:02 2023 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4R1TLs1HtPz4mlJZ for ; Wed, 12 Jul 2023 20:08:05 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4R1TLr6h38z3pCW; Wed, 12 Jul 2023 20:08:04 +0000 (UTC) (envelope-from kp@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1689192484; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=S3DZO27QJcAkLZR/pfNL8yMO7bDMWb/JKBQdvP5Il2A=; b=AVONkuPoe0I+sI0KiWxzG161XKaZiz55o1XVqHiYFx4RnqzRRQ/5q3MonwD8jG+0RtNvz8 8OVZP1djFuU+0+yL0SvfmcXqiAllHv+vUkKGCfyn/qh8bLfPStqaq5+gdHI/QpdAZKqarD R9bFsB4+90vAA6luU8oMPU+yAFix0+VukXBu2auh2xzcgEJPrdEdg/dXF4awhs6YcfrX6j OO1DcoJjnTES94e3LdfyG3j+uxJbeeWaS4rXgJmUzvtZmh99HNjbfec9PmEcQKcHhG1uN3 vkOcnzHM0Go7P3isi5DPadyLWrnTm4ouErxkQ6v7w9w9Yme/ztWHKNrBGsynRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1689192484; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=S3DZO27QJcAkLZR/pfNL8yMO7bDMWb/JKBQdvP5Il2A=; b=o2938MKe0Gp62GI5Z6qQ9T6iqJY+URKmAJPZVoo4PEKTBUzfMIahG8bMT+h8ymkofXQhJQ nP8isdzlJiI6eZYggATI/S+So1sy15DZzPcAseCsIx2dk8AQBZE12ynLd5IhPX4/AkNUfN fW5rbUdG1n+hA8jt74xC9T9J5x4hMpY3A8DCDDq+uMkiabQFWYjaLh4iPWy71KBigdoiE5 r+mW1eHWgXj3LIcKvRk8QMOaVFhVv7gKn0scxQqwFExaNneKPvliCbiMxGR5nUmQktah8N 2RdtkErqa0JsuGtHKbe8+d9d1Z0InMDQ1polzXIgKop9bdIbhbxwHJMxavA+8Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1689192484; a=rsa-sha256; cv=none; b=gDIPpbxmFdUpi5wrSdDaAevdaRyAnhsRNy+OxXYx9KYniLuXS3wqIDRB34v9o2aClOTgmJ XAS355m4mJBflkG88+QBZ312bZLNaF1++hEmvOJa91GaRbNhNfNtsEpiOQPtcqIrwqNHjW pgiS6v+ynhmHDGFBJsAyzeKFwHwcDh5EegC1Sj64OidatnTqA8bVTwFq3Vwa4udQbndns8 NGfIK1q2R+DiplK5Bv+jfjQ8l5jl8F0J/552/8W26hLTcZ86IgdUj2n8KHDb2RBWgh+Smy Ns3B3bZuXjkX5rp+/9Epa4YNm7Kn2MUlA1Vki6+Ej9vaXMFrQ3hOn9whXOEVYA== Received: from venus.codepro.be (venus.codepro.be [5.9.86.228]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mx1.codepro.be", Issuer "R3" (verified OK)) (Authenticated sender: kp) by smtp.freebsd.org (Postfix) with ESMTPSA id 4R1TLr52nxz11x5; Wed, 12 Jul 2023 20:08:04 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: by venus.codepro.be (Postfix, authenticated sender kp) id 40ED34F6BA; Wed, 12 Jul 2023 22:08:03 +0200 (CEST) From: Kristof Provost To: void Cc: freebsd-hackers@freebsd.org Subject: Re: dis/advantages of compiling in-kernel over kldload Date: Wed, 12 Jul 2023 22:08:02 +0200 X-Mailer: MailMate (1.14r5937) Message-ID: <8E73D0C1-11A1-4767-9FE6-8C0DEB494B5A@FreeBSD.org> In-Reply-To: References: List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-ThisMailContainsUnwantedMimeParts: N On 12 Jul 2023, at 21:03, void wrote: > Hello Kristof, > > On Wed, Jul 12, 2023 at 08:38:35PM +0200, Kristof Provost wrote: > >> I strongly recommend that people stick with the GENERIC config, and id= eally just use the builds the project releases. > > I disagree. I think people need to look carefully at their own contexts= =2E > What you're suggesting removes a configurable layer of the > security onion. It's not like we have OpenBSD's KARL. I find it hard to= > see how using identical configs across systems benefits anyone apart fr= om > either an attacker, or tech support. I=E2=80=99m not suggesting that you=E2=80=99re not allowed to deviate fro= m the default kernel config. I=E2=80=99m saying that it=E2=80=99s risky, = and that I=E2=80=99m going to be less interested in the bugs you run into= =2E >> For example, PF_DEFAULT_TO_DROP is know to be broken in at least some = scenarios: > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D237477 > > Would you not agree though, that if one didn't try, then no progress co= uld be made? > Sure, if you=E2=80=99re interested in finding bugs that=E2=80=99s one thi= ng you can do. You=E2=80=99re also likely to be allowed to fix them yours= elf. > What I'd like to acheive is the following: > > If pf fails to load its ruleset, allow ssh from only this safe IP range= and block everything else. > Look at pf_fallback_rules in /etc/defaults/rc.conf Best regards, Kristof