On Tue, Nov 15, 2005 at 03:32:11PM -0000, mike scott wrote:

> > if [ "X${pf}" != X"NO" ]; then
> >     RULES="block all"
> >     RULES="$RULES\npass on lo0"
> ....
> >     echo $RULES | pfctl -f - -e
> > fi
>
> And if, for any reason whatsoever, pfctl fails to run? The system
> remains wide open.
It's worse than you suspect. If the pfctl binary is corrupt or missing and fails to run, pf won't ever get enabled at all. Forget about the fact that an empty ruleset means a default-pass policy. That's irrelevant, all packets will pass because pf simply isn't filtering at all in that case ;)

However, feel free to do this:

    echo $RULES | pfctl -f - -e || shutdown -h

And if you're worried about a corrupted shutdown binary failing, exit the rc script. At this point, no local daemons are started and the kernel isn't forwarding IP because sysctl.conf hasn't been read yet.

And you can't seriously consider using a packet filter that loads as a kernel module, either. What if the kernel module file gets lost? The system fails open.

Daniel
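As an added illustration (not part of the mail thread above), the fragment below shows the fail-closed variant of the quoted rc snippet in testable form: the ruleset is built exactly as in mike scott's fragment, and a failure of pfctl (missing, corrupt or rejecting the rules) stops the boot sequence instead of letting the machine come up unfiltered. The PFCTL variable, the function names and the numeric status 2 are assumptions made for this example so the loader can be exercised against a stub instead of a real pfctl; a real rc script would call pfctl directly and exit or call shutdown where this returns 2.

```shell
#!/bin/sh
# Added example, not code from the original thread.  PFCTL is a
# hypothetical override so the loader can be pointed at a stub for
# testing; a real rc script would simply invoke pfctl.
PFCTL="${PFCTL:-/sbin/pfctl}"

# Build the ruleset the same way the quoted fragment does: block
# everything by default, then allow traffic on the loopback interface.
build_rules() {
    RULES="block all"
    RULES="$RULES
pass on lo0"
    printf '%s\n' "$RULES"
}

# Feed the ruleset to pfctl and enable pf.  The pipeline's status is
# pfctl's status, so a missing binary (127), a corrupt one, or a
# rejected ruleset all make this return non-zero.
load_pf() {
    build_rules | "$PFCTL" -f - -e
}

# Fail-closed policy: if pf could not be enabled, refuse to continue.
# Status 2 stands in for "stop the boot / shutdown -h" so the decision
# is observable from a test; the caller of the rc script acts on it.
enable_pf_or_stop() {
    if load_pf; then
        echo "pf enabled with default-block ruleset"
        return 0
    fi
    echo "pf could not be enabled; refusing to continue boot" >&2
    return 2
}
```

Running `enable_pf_or_stop` with PFCTL pointing at a non-existent path returns 2 without starting anything further, which is the behaviour the thread argues for; only when pfctl actually succeeds does the function return 0.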