On Sat, Jul 15, 2006 at 09:26:02AM -0500, Travis H. wrote:
> On the FreeBSD pf list someone mentioned that they wanted the ability
> to have a "default deny" policy with pf, like the old ipf kernel
> option.

FreeBSD is free to add this option, if they'd like.

> That reminded me that I thought the same thing when I started
> with pf.  I know, I know, it's not a terribly useful setup until the
> pass rules get loaded, but by enforcing "default deny" in both pf and
> in the rules, you're less likely to forget it in one place or the
> other.  And yes, I'm aware that it is enabled in /etc/rc before
> /etc/netstart is even called.

We're not particularly interested in making this change on OpenBSD.

http://www.benzedrine.cx/pf/msg07442.html


If a user has the power to flush a ruleset (an operation that shouldn't
generally take place during regular firewall operations) they can just
as easily load a "pass all" ruleset.

Root can do stupid things which compromise security. Obfuscation or
needless complexity in an attempt to protect yourself from the root
account will only make your system less secure.


> BTW, the ruleset loaded in /etc/rc could use "set skip" on lo0, and
> quick rules,

Because the /etc/rc ruleset is only temporary, and quite small, I don't
see the point in making performance-related changes to it (particularly
performance-related changes that one would have a hard time measuring
the effects of)


> and make some allowance for DHCP.

DHCP uses bpf(4), and is unaffected by pf rulesets.
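For readers who want the "enforce default deny in the rules" approach the thread discusses, here is an added pf.conf ruleset illustrating it (example written for this page, not the ruleset from OpenBSD's /etc/rc and not code from either poster). The interface name `em0`, the macro names and the allowed services are assumptions; only the structure matters: `block all` comes first so nothing passes unless a later rule says so, `set skip on lo0` and `quick` are the two optimisations mentioned above, and no rule is needed for DHCP because dhclient(8) reads and writes packets through bpf(4), which pf does not filter.

```pf
# Assumed external interface; replace with the real one.
ext_if = "em0"

# Assumed set of TCP services this host offers.
tcp_services = "{ ssh, https }"

# Loopback traffic is never filtered (the "set skip" suggestion above).
set skip on lo0

# Explicit default deny: without this line pf passes everything that
# no rule matches, so the policy is only "default deny" if we say so.
# "block" drops silently; "block return" would send RST/ICMP unreachable.
block all

# Drop spoofed packets claiming to come from our own networks.
antispoof quick for $ext_if

# "quick" stops rule evaluation at the first match, so these rules
# decide the packet's fate without scanning the rest of the ruleset.
pass out quick on $ext_if keep state
pass in  quick on $ext_if proto tcp to ($ext_if) port $tcp_services keep state

# No DHCP rule: dhclient uses bpf(4), so pf never sees its traffic.
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; when the file parses, `pfctl -f /etc/pf.conf` replaces the running ruleset atomically, which is why a temporary "block all" state between flush and load never exists in normal operation.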
