Hi,
Simon L. Nielsen wrote:
Since nobody else seems to have actually done this, I took a look at
FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really
see a hole. Most importantly pf is enabled before routing.
I did this yesterday, but this thread has gotten quite active
so maybe you lost the results. But my findings were same as
yours: pf is enabled before routing which means that the
hole I was afraid of doesn't exist.
Personally I would still like a default to deny knob, but that's
mainly to handle the case of an invalid ruleset which causes pf to be
left open. Yes, this is only a problem when the admin screws up, but
it happens...
Yes, and it might be quite common: some edits ruleset but
leaves it unfinished because other, more high-priority
jobs arrive (from boss...) and the someone other accidentally
reboots your firewall... Default deny (or rc.d/pf_boot) would
help here.
Ari S.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
