On 15 Nov 2005 at 18:40, Daniel Hartmeier wrote:

..
> It's worse than you suspect. If the pfctl binary is corrupt or missing
> and fails to run, pf won't ever get enabled at all. Forget about the
> fact that an empty ruleset means a default-pass policy. That's

I didn't say an /empty/ ruleset. I said /no/ ruleset. It's different.

> irrelevant, all packets will pass because pf simply isn't filtering at
> all in that case ;)
..
> And if you're worried about a corrupted shutdown binary failing, exit
> the rc script. At this point, no local daemons are started and the
> kernel isn't forwarding IP because sysctl.conf hasn't been read yet.

Which doesn't protect the firewall machine itself, if I understand correctly.

> And you can't seriously consider using a packet filter that loads as
> kernel module, either. What if the kernel module file gets lost? The
> system fails open.

Not currently an issue, as ipf is statically linked into my kernel, and set to block by default. I believe that's pretty well bomb-proof. I'm not even sure, come to think of it, that /pf/ can be statically linked into the freebsd kernel; I know that's not a pf issue particularly, but is still another nail in the coffin, so to speak, from my perspective.

-- 
various incoming sites blocked because of spam; see
http://www.scottsonline.org.uk for a list and openpgp crypto key
(key fingerprint 2ACC 9F21 5103 F68C 7C32 9EA8 C949 81E1 31C9 1364)
[EMAIL PROTECTED]
Mike Scott, Harlow, Essex, England
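The fail-open scenario argued over above (pfctl missing or corrupt, so pf never gets enabled and the host passes everything) can be turned into an explicit boot-time check. The shell below is an added example written for this thread, not code from either poster or from the FreeBSD/OpenBSD rc system; it assumes pfctl lives at the path passed in (/sbin/pfctl is only a guess) and that "pfctl -s info" reports a "Status: Enabled" line when pf is active. It deliberately treats every failure mode the same way: a missing binary, a binary that will not run, and a pf that runs but is not enabled all produce "halt".

```shell
#!/bin/sh
# Added example (not from the thread): an rc-style "fail closed" gate for pf.
# Assumption: the first argument is the pfctl binary; /sbin/pfctl is a guess.
# The point from the thread: if pfctl is missing or corrupt, pf is never
# enabled and the host passes all traffic. This check refuses to let later
# service startup continue unless pf is verifiably enabled.

# pf_is_enabled PFCTL_PATH
#   Returns 0 only when the binary exists, is executable, runs, and reports
#   "Status: Enabled" in its info output. Any other outcome returns 1.
pf_is_enabled() {
    pfctl_bin="$1"
    if [ ! -x "$pfctl_bin" ]; then
        echo "pf check: $pfctl_bin missing or not executable" >&2
        return 1
    fi
    # A corrupt binary typically fails here rather than at the -x test.
    info=$("$pfctl_bin" -s info 2>/dev/null) || {
        echo "pf check: $pfctl_bin failed to run" >&2
        return 1
    }
    case "$info" in
        *"Status: Enabled"*) return 0 ;;
        *) echo "pf check: pf reports not enabled" >&2; return 1 ;;
    esac
}

# pf_gate PFCTL_PATH
#   Echoes "continue" when pf is up and "halt" otherwise. A real rc script
#   would replace the "halt" echo with exit 1 (or an orderly shutdown) so that
#   daemons and IP forwarding never come up on a host that is not filtering.
pf_gate() {
    if pf_is_enabled "$1"; then
        echo "continue"
    else
        echo "halt"
    fi
}

# Stand-alone use: sh this_file.sh --run   (PFCTL overrides the guessed path)
if [ "${1:-}" = "--run" ]; then
    pf_gate "${PFCTL:-/sbin/pfctl}"
fi
```

Note that the check does not look at the ruleset at all; that is intentional. The thread's disagreement is about pf not filtering, which is a different condition from pf filtering with an empty or default-pass ruleset, and a gate like this only answers the first question.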