On 15 Nov 2005 at 8:58, Peter N. M. Hansteen wrote:
..
> The OpenBSD /etc/rc has this code to initialize PF before any interfaces
> are up:
>
> if [ "X${pf}" != X"NO" ]; then
> RULES="block all"
> RULES="$RULES\npass on lo0"
....
> echo $RULES | pfctl -f - -e
> fi
>
And if, for any reason whatsoever, pfctl fails to run? The system
remains wide open.
Yes, that would be an entirely abnormal circumstance. But I have, for
example, had one FreeBSD crash ever(!), and this caused minor disk
corruption, losing a strange set of files. It could have been pfctl
among them. It seems to me that a firewall needs to be designed to fail
safe as far as is possible.
I'm no kernel code writer. But surely, somewhere in the depths of the
pf code there's currently a decision made rather like:
if( got rules )
obey rules
else
pass packet.
It can't be rocket science to make the 'pass' a 'block' in which case
everything is entirely watertight in the event of virtually /any/
system fault bar kernel corruption. And it can't be too much harder to
make this a compiled-in option, which would keep happy the paranoid,
while allowing those who want remote log-in on failure to do so.
Sorry to labour the point; maybe I'm a lone voice, but I'm a lone voice
that feels very strongly about this issue.
--
various incoming sites blocked because of spam; see
http://www.scottsonline.org.uk for a list and openpgp crypto key
(key fingerprint 2ACC 9F21 5103 F68C 7C32 9EA8 C949 81E1 31C9 1364)
Mike Scott, Harlow, Essex, England
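As an added example (not from the post, the thread, or OpenBSD's own /etc/rc), here is a userland way to get the fail-closed behaviour the author asks for without touching the kernel: the rc fragment above is wrapped so that a failed or unverifiable pfctl run keeps the interfaces unconfigured instead of leaving the host wide open. The PFCTL and NETSTART variables are hypothetical overrides so the logic can be exercised without root; the real rc would use pfctl and `sh /etc/netstart` directly.

```shell
#!/bin/sh
# Fail-closed PF bootstrap, an illustrative replacement for the /etc/rc
# fragment quoted in the thread. PFCTL and NETSTART are assumed overridable
# (hypothetical) purely so the decision logic can be tested without pf.
PFCTL="${PFCTL:-pfctl}"
NETSTART="${NETSTART:-sh /etc/netstart}"

# The same minimal ruleset /etc/rc loads before any interface comes up.
bootstrap_rules() {
    printf 'block all\npass on lo0\n'
}

# Load the bootstrap rules, enable pf, and then verify that the kernel
# really holds a blocking ruleset. Returns 0 only when every step worked;
# a missing or broken pfctl, or an empty ruleset, both count as failure.
pf_init_failclosed() {
    if ! bootstrap_rules | "$PFCTL" -f - -e >/dev/null 2>&1; then
        echo "pf_init: loading bootstrap rules failed" >&2
        return 1
    fi
    # An empty ruleset means pf passes everything, so check for the block rule.
    if ! "$PFCTL" -s rules 2>/dev/null | grep -q '^block'; then
        echo "pf_init: ruleset verification failed" >&2
        return 1
    fi
    return 0
}

# Configure interfaces only when pf is confirmed to be filtering.
# On failure the host stays on lo0 only (fail closed) and 1 is returned,
# which is the condition rc would act on (log, halt, or single-user).
network_start_guarded() {
    if pf_init_failclosed; then
        $NETSTART
        return 0
    fi
    echo "pf_init: leaving interfaces unconfigured (fail closed)" >&2
    return 1
}

# In /etc/rc this call would replace the plain 'sh /etc/netstart' step:
#   network_start_guarded || echo "network not started" >&2
```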