Thanks to all for the comments on this issue.
Although several people have come up with alternative approaches, I
still feel very much that the basic situation remains that pf is 'open'
until something happens to close the firewall; and that while there
won't /normally/ be a problem,
On Mon, 2005-11-07 at 10:45 +0100, Joel CARNAT wrote:
Hi,
On my firewall (not bridge), all accepted incoming requests to my hosted
services are allowed with 'flags S/SA modulate state'. As my firewall is
a NAT router, I thought I might use 'synproxy' rather than 'modulate
state'. Because my
On Mon, 14 Nov 2005, mike scott wrote:
I accept that this may not be an issue for some; for my own part,
although I would /very/ much like to use the extra flexibility pf
offers compared with the alternatives, nevertheless, I view this
startup issue as a fundamental and fatal flaw. I shall
On Tue, 15 Nov 2005 17:11:25 +1100 (EST)
Damien Miller [EMAIL PROTECTED] wrote:
Why is setting a block all before any interfaces are configured up not
sufficient?
IIRC, he's using it on FreeBSD and the FreeBSD /etc/rc doesn't do the default
block all rules.
---
Lars Hansson
On Wed, 9 Nov 2005, Peter N. M. Hansteen wrote:
Jon Hart [EMAIL PROTECTED] writes:
Unless I'm being completely misled, this feature is already in place
with OpenBSD. See /etc/rc.
Now that you mention it, it does look like the good people who ported PF
over to FreeBSD did not bring with
Damien Miller [EMAIL PROTECTED] writes:
Why is setting a block all before any interfaces are configured up
not sufficient?
The original poster's problem is that it looks like the rc scripts on
FreeBSD do not include the PF initialization code which does that.
Probably not terribly hard to fix
Damien Miller [EMAIL PROTECTED] writes:
And the important thing to note is that this ruleset is applied before
any interfaces are activated. No active interfaces == no packets
making it to the kernel.
Yes, my point exactly. I probably did not write it that well, since OP
went off
Lots of things in the startup scripts will fail to work or hang
indefinitely if you block outbound stuff. I find it necessary to
allow at least outbound DNS in order for the machine to boot in
reasonable time. Fortunately pf is pretty good about allowing
outbound but not allowing inbound
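The approach discussed above (a default-deny ruleset loaded before any interface is configured up, as Damien Miller describes, with at least outbound DNS permitted so later rc scripts do not hang, as the last message notes), written out as an added example. This is not code from the thread and not the actual OpenBSD or FreeBSD rc script; the interface name em0, the file paths and the exact bootstrap rules are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenBSD/FreeBSD rc scripts.
# It mirrors the approach the thread describes: load a default-deny ruleset
# before any interface is brought up, then load the real /etc/pf.conf afterwards.
# Interface name and file paths are assumptions for illustration.

# Bootstrap ruleset to hold during boot: default deny, loopback free, and
# outbound DNS permitted so name lookups in later rc scripts do not hang.
boot_ruleset() {
    cat <<'EOF'
pass quick on lo0
block all
pass out quick proto { tcp, udp } from any to any port 53 keep state
EOF
}

# Return 0 if the ruleset on stdin contains a block rule, i.e. a default deny
# is in place. Check the live ruleset with: pfctl -sr | ruleset_has_default_deny
ruleset_has_default_deny() {
    grep -q '^block'
}

# Load the bootstrap ruleset and enable pf. Guarded so the script can be
# sourced on a host without pf (for example to test the ruleset text).
load_boot_ruleset() {
    command -v pfctl >/dev/null 2>&1 || return 1
    boot_ruleset | pfctl -e -f -
}

# The ordering that matters: rules first, interfaces second, full ruleset last.
# Call this from the rc script in place of a bare "ifconfig ... up".
boot_sequence() {
    load_boot_ruleset || return 1
    ifconfig em0 up            # assumed interface name
    pfctl -f /etc/pf.conf      # replaces the bootstrap ruleset
}
```

Nothing is executed at the top level, so the file can be sourced to inspect or test the ruleset; the rc script calls boot_sequence. Because the bootstrap rules are loaded while no interface is up, no packet reaches the kernel before a block-all rule is in place, which is the window the original poster is worried about.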