On Wed, Nov 09, 2005 at 11:41:27AM -0000, mike scott wrote:
> Background: I'm upgrading to FreeBSD 6.0-release and want to move from
> ipf to pf to get the extra flexibility pf offers.

welcome! :)

> However, I have concerns about the security of pf at system startup and
> when the config file is unusable. In my present /ipf/ setup, the kernel
> itself is configured to block packets by default, so until ipf starts
> successfully and unblocks things, the machine (which is the
> gateway/firewall to my home LAN) is guaranteed secure. In particular,
> if the config file fails to load for any reason, the firewall fails to
> a secure mode.
>
> As far as I can see with pf though, the system is wide open until the
> pf config file is loaded successfully. Ordinarily, pf would be started
> before any services, so it shouldn't normally matter. But under fault
> conditions, and in particular should the pf config file be unusable for
> any reason, it seems that my firewall could be wide open, unnoticed,
> for an indefinite period.
>
> Could anyone offer advice please, and perhaps set my mind at rest?
> Thanks in advance for any comments.

First of all, you have to define "default secure". In your case, you
obviously mean "block EVERYTHING", a very plausible definition.

HOWEVER... In my case, I have a bunch of machines that are not under my
fingertips. If (er..when) I hose my PF configuration, I really don't want
to lose the machine until I take a road trip to fix them. Having a machine
default to "block all" would really, really suck for those applications.
Upgrading remotely is also an issue.

Fortunately, PF is very flexible. What you desire is very easily
accomplished, IF it is appropriate for your situation.

Create a pf.conf file that has just the block all statement. That is what
is loaded at boot. NOW, in your startup scripts, load a second rules file,
which takes place AFTER the "block all". That way, if your "production"
rules fail to load, you are still on full block.

(We usually think "PF rules go in pf.conf", but really, pf.conf just
happens to be the file we traditionally put them in, because it is loaded
by default by the startup process. It is just a text file; any other text
file could be attempted to be loaded later.)

Just make sure that is really what you want. :)

(note: another possible "solution" would be a "pass ssh only" rule in
pf.conf, so if something goes wrong, you can still fix it by remote.)

But also..ask yourself, does it matter? If PF doesn't load, your home
network probably isn't getting out to the network, and the outside world
probably isn't coming in (i.e., if the PF rules don't load, NAT is not
working, and I'm guessing you are using NAT).

I'm assuming your gateway box is moderately secure -- not running insecure
apps listening on the network, and you are using GOOD passwords on all
accounts on the machine. If not, I'd recommend doing that, first.

There are, of course, applications where one would NOT want a "fall open",
for example, a horribly insecure application which is using authpf or
similar to authenticate individual people to it. But then, make sure you
can still manage the system if it fails to "block all" mode.

Nick.
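The two-stage load Nick describes (a boot-time pf.conf containing only "block all", then a second rules file loaded afterwards, so a broken production ruleset leaves the box fully blocked) written out as an added example; this is not code from the list post. The path /etc/pf.production.conf, the "pfload" syslog tag and the PFCTL override are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list post.
# Assumed layout:
#   /etc/pf.conf            - loaded by the normal boot process; contains only
#                             "block all" (optionally plus a "pass ssh only"
#                             lifeline, as the post suggests)
#   /etc/pf.production.conf - the real ruleset, loaded by this script later
PFCTL=${PFCTL:-pfctl}                      # overridable for testing without pf
PROD_RULES=${PROD_RULES:-/etc/pf.production.conf}

# log PRIORITY MESSAGE: syslog via logger(1), falling back to stderr.
log() {
    logger -t pfload -p "daemon.$1" "$2" 2>/dev/null || echo "pfload: $2" >&2
}

# load_production_rules [FILE]
# Parse-check FILE with "pfctl -n" first; only if that succeeds replace the
# boot-time "block all" ruleset with it. Any failure leaves the boot ruleset
# untouched, i.e. the gateway stays fully blocked instead of falling open.
# Returns 0 when production rules are active, 1 when still on "block all".
load_production_rules() {
    rules=${1:-$PROD_RULES}
    if [ ! -r "$rules" ]; then
        log err "$rules missing or unreadable; staying on block all"
        return 1
    fi
    # -n: parse only, load nothing. A syntax error here changes no state.
    if ! "$PFCTL" -nf "$rules" 2>/dev/null; then
        log err "syntax error in $rules; staying on block all"
        return 1
    fi
    if ! "$PFCTL" -f "$rules"; then
        log err "pfctl refused to load $rules; staying on block all"
        return 1
    fi
    log notice "production ruleset $rules loaded"
    return 0
}

# Invoke from an rc.d script or rc.local as:  /path/to/pfload.sh start
case ${1:-} in
    start) load_production_rules ;;
esac
```

Because pfctl -f replaces the whole ruleset atomically, there is no window where the machine is between "block all" and the production rules.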