Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread mike scott
Thanks to all for the comments on this issue. Although several people have come up with alternative approaches, I still feel very much that the basic situation remains that pf is 'open' until something happens to close the firewall; and that while there won't /normally/ be a problem,

Re: when to use synproxy (and when not ;)

2005-11-14 Thread Shawn K. Quinn
On Mon, 2005-11-07 at 10:45 +0100, Joel CARNAT wrote: Hi, On my firewall (not bridge), all accepted incoming requests to my hosted services are allowed with 'flags S/SA modulate state'. As my firewall is a NAT router, I thought I might use 'synproxy' rather than 'modulate state'. Because my

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread Damien Miller
On Mon, 14 Nov 2005, mike scott wrote: I accept that this may not be an issue for some; for my own part, although I would /very/ much like to use the extra flexibility pf offers compared with the alternatives, nevertheless, I view this startup issue as a fundamental and fatal flaw. I shall

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread Lars Hansson
On Tue, 15 Nov 2005 17:11:25 +1100 (EST) Damien Miller [EMAIL PROTECTED] wrote: Why is setting a block all before any interfaces are configured up not sufficient? IIRC, he's using it on FreeBSD and the FreeBSD /etc/rc doesn't do the default block all rules. --- Lars Hansson

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread Damien Miller
On Wed, 9 Nov 2005, Peter N. M. Hansteen wrote: Jon Hart [EMAIL PROTECTED] writes: Unless I'm being completely misled, this feature is already in place with OpenBSD. See /etc/rc. Now that you mention it, it does look like the good people who ported PF over to FreeBSD did not bring with

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread Peter N. M. Hansteen
Damien Miller [EMAIL PROTECTED] writes: Why is setting a block all before any interfaces are configured up not sufficient? The original poster's problem is that it looks like the rc scripts on FreeBSD do not include the PF initialization code which does that. Probably not terribly hard to fix

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-14 Thread Peter N. M. Hansteen
Damien Miller [EMAIL PROTECTED] writes: And the important thing to note is that this ruleset is applied before any interfaces are activated. No active interfaces == no packets making it to the kernel. Yes, my point exactly. I probably did not write it that well, since OP went off

Re: pf security - is pf failsafe if config file invalid?

2005-11-14 Thread Travis H.
Lots of things in the startup scripts will fail to work or hang indefinitely if you block outbound stuff. I find it necessary to allow at least outbound DNS in order for the machine to boot in reasonable time. Fortunately pf is pretty good about allowing outbound but not allowing inbound