On Wed, Feb 05, 2003 at 07:28:24PM +0100, Ed White wrote:
> Request to change /etc/pf.conf default permissions from 755 to 600.
>
> This will prevent a local user or webscript attacker from reading the PF ruleset.
> Note that at the moment this is the only way a normal user could gather
> information on the PF ruleset; in fact, using pfctl needs root permissions to open
> /dev/pf.
if you have users and a running http daemon with scripts capable of reading system wide files on your firewall, i think you have bigger problems to worry about.

besides, if your ruleset is well written, what harm can seeing it do?

i have a good idea, how about an obfuscated pf.conf contest?

- jolan
