Patch for adding "options PF_DEFAULT_TO_DROP" to kernel
configuration file
Olivier Cochard-Labbé
olivier at cochard.me
Fri Sep 14 05:40:27 UTC 2012
On Fri, Sep 14, 2012 at 12:19 AM, Andreas Rudisch <cyb. at gmx.net> wrote:
> I really do not think that such a patch is needed. A simple 'block all'
> in pf.conf will do the same, so why add code and recompile the kernel?
>
Hi Andreas,
Some pf users have a strong security policy, and:
1. If there is an error in the pf.conf (bad syntax, empty file, or
other thing), the security policy imposes blocking all traffic by
default.
2. Or during the startup process there is a time lapse between the
moment when forwarding is enabled and the moment a very big pf.conf
finishes loading, during which all traffic is permitted: they don't
want this behavior.
But I didn't test my patch regarding this special case.
> Also if you are setting up a remote server you probably do not want to
> _not_ be able to access it.
>
This kind of user prefers to lock their firewall (they have serial
console access as backup) rather than have all traffic passing through
and creating a security incident.
And we already have these options in the kernel configuration:
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFILTER_DEFAULT_BLOCK #block all packets by default
Why not, for homogeneity, add the same option for PF?
Regards,
Olivier