On 15 Nov 2005 at 8:58, Peter N. M. Hansteen wrote:
..
> The OpenBSD /etc/rc has this code to initialize PF before any interfaces
> are up:
>
> if [ "X${pf}" != X"NO" ]; then
>         RULES="block all"
>         RULES="$RULES\npass on lo0"
....
>         echo $RULES | pfctl -f - -e
> fi
> And if, for any reason whatsoever, pfctl fails to run? The system remains wide open.
Yes, that would be an entirely abnormal circumstance. But I have, for example, had one FreeBSD crash ever(!); but this caused minor disk corruption losing a strange set of files. It could have been pfctl among them.

It seems to me that a firewall needs to be designed to fail safe as far as is possible.

I'm no kernel code writer. But surely, somewhere in the depths of the pf code there's currently a decision made rather like:

    if( got rules ) obey rules else pass packet.

It can't be rocket science to make the 'pass' a 'block', in which case everything is entirely watertight in the event of virtually /any/ system fault bar kernel corruption. And it can't be too much harder to make this a compiled-in option, which would keep happy the paranoid, while allowing those who want remote log-in on failure to do so.

Sorry to labour the point; maybe I'm a lone voice, but I'm a lone voice that feels very strongly about this issue.

--
various incoming sites blocked because of spam; see
http://www.scottsonline.org.uk for a list and openpgp crypto key
(key fingerprint 2ACC 9F21 5103 F68C 7C32 9EA8 C949 81E1 31C9 1364)
[EMAIL PROTECTED]
Mike Scott, Harlow, Essex, England
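The fail-safe behaviour discussed in this thread, done in userland rather than in the kernel, as an added example (this is not the OpenBSD /etc/rc code and not anything from the pf project): a wrapper that loads a ruleset through `pfctl -f - -e` exactly as the quoted rc fragment does, but installs a `block all` ruleset if that load fails, so a broken pfctl run leaves the host closed rather than wide open. The `PFCTL` variable and the return codes are assumptions of this example, chosen so the loader command can be substituted for testing.

```shell
#!/bin/sh
# Added example: fail-closed pf rule loading (not OpenBSD's rc code).
# PFCTL may be overridden (e.g. for testing); it defaults to pfctl.
PFCTL="${PFCTL:-pfctl}"

# load_rules_failclosed RULESET
#   RULESET is a string with literal "\n" separators, like the RULES
#   variable built in /etc/rc; printf '%b' expands them, as echo does
#   in the rc script.
# Returns 0 when RULESET loaded, 1 when it failed and the "block all"
# fallback was installed instead, 2 when even the fallback failed
# (the host must then be treated as unprotected).
load_rules_failclosed() {
    rules="$1"
    if printf '%b\n' "$rules" | "$PFCTL" -f - -e >/dev/null 2>&1; then
        return 0
    fi
    # Normal load failed: close the host before anything else comes up.
    logger -p daemon.err "pf: rule load failed, installing block-all fallback" \
        2>/dev/null || true
    if printf 'block all\n' | "$PFCTL" -f - -e >/dev/null 2>&1; then
        return 1
    fi
    return 2
}

# Stand-alone use: load a ruleset given on the command line, e.g.
#   sh failclosed.sh 'block all\npass on lo0'
if [ -n "$1" ]; then
    load_rules_failclosed "$1"
    echo "load_rules_failclosed returned $?"
fi
```

Return code 1 is still a failure worth alarming on: the host is closed, which is the point, but the intended policy is not in effect.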