From: Thomas Steen Rasmussen via pf
Reply-To: thomas@gibfest.dk
To: pf@freebsd.org, stable@freebsd.org
Subject: New pf_default_rules option and patch
Date: Fri, 4 Jun 2021 12:06:15 +0200
Message-ID: <4ed0ba0c-74d8-003d-86c4-c6265118d600@gibfest.dk>
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

Hello pf@ and stable@,

I opened a bug with a patch to support loading $pf_default_rules - which defaults to "block drop log all" - in case loading pf.conf fails during boot. This is to avoid having 0 rules loaded.

The default is to have the new feature disabled, keeping the existing behaviour.

The bug and patch and more info can be seen at [1]. Questions welcome, here or in the bug.

Best regards,

Thomas Steen Rasmussen

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256410
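
The fail-closed fallback this mail describes, sketched as an added example; it is not the patch attached to the bug and not the author's code. The `pf_fallback_enable` knob name, the `load_pf_rules` function and the overridable `PFCTL` variable are assumptions made for illustration; only `pf_default_rules` and its default value come from the mail.

```shell
#!/bin/sh
# Added illustration of "load a default ruleset when pf.conf fails to load".
# PFCTL can be overridden so the logic can be exercised without touching a
# live firewall (assumption for this example).
PFCTL="${PFCTL:-pfctl}"
pf_rules="${pf_rules:-/etc/pf.conf}"

# Name and default value as given in the mail.
pf_default_rules="${pf_default_rules:-block drop log all}"

# Hypothetical knob name: the mail only says the feature is disabled by default.
pf_fallback_enable="${pf_fallback_enable:-NO}"

# load_pf_rules prints which ruleset ended up active:
#   configured (rc 0)  pf.conf loaded
#   default    (rc 1)  pf.conf failed, $pf_default_rules loaded instead
#   none       (rc 2)  pf.conf failed and nothing replaced it (0 rules loaded)
load_pf_rules() {
    if $PFCTL -f "$pf_rules" >/dev/null 2>&1; then
        echo configured
        return 0
    fi

    case "$pf_fallback_enable" in
    [Yy][Ee][Ss])
        # Fail closed: feed the default ruleset to pfctl on stdin ("-f -").
        if printf '%s\n' "$pf_default_rules" | $PFCTL -f - >/dev/null 2>&1; then
            echo default
            return 1
        fi
        ;;
    esac

    # Existing behaviour: the load failed and no rules are in place.
    echo none
    return 2
}
```

A non-zero return still signals that pf.conf needs attention, so a boot script or monitoring check can alert on it even when the default ruleset was loaded.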