Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD?
Daniel Hartmeier
daniel at benzedrine.cx
Mon Jul 17 02:37:14 UTC 2006
On Mon, Jul 17, 2006 at 01:36:01AM +0300, Giorgos Keramidas wrote:
> I haven't verified that this is the _only_ change needed to make PF
> block everything by default, but having it as a compile-time option
> which defaults to block everything would be nice, right?
Sure, when FreeBSD's default becomes to compile pf into the kernel or load
it by BTX, that makes sense. Otherwise it doesn't.
This is not about a style pet-peeve that some people have. There is no
common case where users forget to add a default block rule when they
intend to have one. Real production rulesets contain not just one but
several explicit block rules (generating replies for only certain
blocks, logging only certain blocks, etc.).
The only technical reason for this is in a specific case like the one DES
brought up. If you load pf as a module and enable it halfway through the
rc.d startup sequence, there's no need for it that I can see. It doesn't
plug the boot-time hole, if there is one.
Daniel
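To illustrate what the message above means by a production ruleset carrying several explicit block rules rather than one implicit default, here is a pf.conf fragment added as an example; it is not from the original thread, nor from NetBSD's pf.boot.conf. The interface name em0, the table names and the rate-limit numbers are assumptions chosen for illustration. Each block rule below differs in whether it logs and whether it answers the sender, which is exactly the behaviour a single compiled-in "block everything" default could not express.

```pf
# Added example ruleset (not from the thread). Interface and table names are assumed.
ext_if = "em0"

# Loopback is never filtered; the default action for block rules is a silent drop
set skip on lo0
set block-policy drop

# Source addresses that should never arrive from the outside (constructed list)
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }
# Filled at run time by the overload clause on the ssh rule below
table <bruteforce> persist

# Explicit default deny, logged: anything the pass rules below do not match is dropped
# and recorded on pflog0
block log all

# Block 1: spoofed/private sources on the external interface are dropped silently,
# without logging, so they do not flood the log
block in quick on $ext_if from <martians> to any

# Block 2: identd probes get a TCP RST instead of a silent drop, so remote mail
# servers that query auth do not wait for a timeout before delivering
block return in quick on $ext_if proto tcp from any to ($ext_if) port auth

# Block 3: hosts that tripped the ssh rate limit are dropped and logged;
# quick stops evaluation so the pass rule below cannot re-admit them
block log quick from <bruteforce>

# ssh is allowed, but more than 5 new connections per 30 s from one source
# moves that source into <bruteforce> and flushes its existing states
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Outbound traffic from this host is allowed and tracked
pass out on $ext_if keep state
```

Load it with pfctl -nf to syntax-check before pfctl -f. Note that this ruleset says nothing about when pf itself becomes active: if pf is loaded as a module partway through rc.d, interfaces configured earlier are unfiltered until then, which is the separate boot-time ordering question the thread is about.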
More information about the freebsd-pf mailing list