Re: kernel settings for pf default block

2006-07-05 Thread Henning Brauer
* c.s.r.c.murthy <[EMAIL PROTECTED]> [2006-07-05 07:25]:
>   "block all" in pf.conf is ok, but it will go away when the rules are 
> flushed for known/unknown reasons. I feel it is desirable to have a 
> kernel parameter that does default blocking when all rules are flushed.

then certainly you want the patch below, to protect the ruleset being 
replaced by
  pass all
for known/unknown reasons.

Index: pf.c
===
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.512
diff -u -p -r1.512 pf.c
--- pf.c17 May 2006 14:50:47 -  1.512
+++ pf.c5 Jul 2006 11:16:05 -
@@ -5847,6 +5847,8 @@ pf_test(int dir, struct ifnet *ifp, stru
struct pf_pdesc  pd;
int  off, dirndx, pqid = 0;
 
+   return (PF_DROP);
+
if (!pf_status.running)
return (PF_PASS);
 
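Review bot: the unconditional `return (PF_DROP);` sits before the `if (!pf_status.running) return (PF_PASS);` check, so pf_test() drops every IPv4 packet regardless of whether pf is enabled or what ruleset is loaded; that is a blanket drop that takes the host off the network, not a fallback that applies only when the ruleset has been flushed, and every statement after the new return in pf_test() is unreachable. A real flushed-ruleset default would have to come after the running check and be conditional on the active ruleset being empty.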
@@ -6175,6 +6177,8 @@ pf_test6(int dir, struct ifnet *ifp, str
struct pf_ruleset   *ruleset = NULL;
struct pf_pdesc  pd;
int  off, terminal = 0, dirndx;
+
+   return (PF_DROP);
 
if (!pf_status.running)
return (PF_PASS);
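Review bot: same issue on the IPv6 path: the `return (PF_DROP);` precedes the `pf_status.running` check in pf_test6(), so all IPv6 traffic is dropped unconditionally rather than only when no rules are loaded. Style point: this hunk adds a blank line above the return and keeps the existing blank line below it, while the pf_test() hunk puts the return after the existing blank line; use one layout in both functions.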


-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: kernel settings for pf default block

2006-07-05 Thread Ryan McBride
On Wed, Jul 05, 2006 at 02:36:44AM -0400, Nick Guenther wrote:
> # pfctl -F all && echo "block all" | pfctl -f -
> then the switch over to the new ruleset is pretty snappy and hardly
> enough time for any malicious packets to get through.

Flushing the ruleset is totally unnecessary when loading a new ruleset.
Simply do:

# pfctl -f /etc/pf.conf

If there is some kind of error in your new ruleset, nothing changes -
you're still running with your old ruleset. There is no window with no
firewall rules unless you explicitly ask for it.


Even with a default block policy in the kernel, what if you load a pass
all ruleset for "known/unknown" reasons? The fact is that if you're
root, you can do stupid things. Get used to it, and grant access
appropriately.
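A reload helper built on the behaviour Ryan describes, as an added example that is not code from the thread or from the pf project: it parse-checks the file, loads it with no flush step, then verifies that the active ruleset still opens with the block-all rule that pf.conf(5) says should come first. The PFCTL variable is an assumed hook so the helper can be exercised against a stand-in; everything else is standard pfctl(8).

```shell
#!/bin/sh
# Added example (not from the thread or the pf project): reload pf the way
# Ryan describes, with no flush, and confirm the default-block rule survived.
# PFCTL is an assumed hook: it defaults to the real pfctl(8) but can be
# pointed at a stand-in for dry runs.
PFCTL="${PFCTL:-pfctl}"

# pf_reload FILE: parse-check FILE first (-n loads nothing), then load it.
# pfctl -f swaps the ruleset atomically, so a rejected file leaves the old
# rules in force and there is never a rule-less window to cover with a
# "flush, then load block all" dance.
pf_reload() {
    conf="${1:-/etc/pf.conf}"
    if ! "$PFCTL" -nf "$conf"; then
        echo "pf_reload: $conf rejected, old ruleset left untouched" >&2
        return 1
    fi
    "$PFCTL" -f "$conf"
}

# pf_first_rule_blocks: succeed only if the first filter rule reported by
# "pfctl -sr" is the block-all default that pf.conf(5) says should come first.
# pfctl prints a bare "block all" as "block drop all" (or "block return all").
pf_first_rule_blocks() {
    first=$("$PFCTL" -sr | sed -n '1p')
    case "$first" in
        "block all"|"block drop all"|"block return all") return 0 ;;
        *) echo "pf_first_rule_blocks: first rule is '$first'" >&2; return 1 ;;
    esac
}

# Typical use: reload, then refuse to carry on quietly if the default is gone.
# pf_reload /etc/pf.conf && pf_first_rule_blocks
```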



Re: kernel settings for pf default block

2006-07-05 Thread Janne Johansson

c.s.r.c.murthy wrote:

> Hello Matthew,
> "block all" in pf.conf is ok, but it will go away when the rules are 
> flushed for known/unknown reasons. I feel it is desirable to have a 
> kernel parameter that does default blocking when all rules are flushed.


But the default blocking will "go away when the kernel parameters are 
flushed for known/unknown reasons" too. Perhaps a setting for the 
network drivers so that if the pf.conf goes, and the kernel parameter 
are lost it can still block packets. But hey, if the setting goes away




Re: kernel settings for pf default block

2006-07-04 Thread Nick Guenther

On 7/5/06, Lars Hansson <[EMAIL PROTECTED]> wrote:

> On Thursday 06 July 2006 01:35, c.s.r.c.murthy wrote:
> > "block all" in pf.conf is ok, but it will go away when the rules are
> > flushed for known/unknown reasons. I feel it is desirable to have a
> > kernel parameter that does default blocking when all rules are flushed.
>
> The developers think otherwise:
> http://www.benzedrine.cx/pf/msg07442.html


That thread is the result of FreeBSD being lazy in their porting
(because /etc/rc wasn't changed to set up a default 'block all' on
boot before bringing up the network) so it's not directly applicable
to this "rules are flushed" case.

However, why the hell would you ever randomly flush your rules "for
unknown reasons"? You shouldn't be giving people you can't trust not
to do that the ability to do that. As for "known reasons", it's your
own fault if you flush your rules without reloading at least a "block
all". If you just do something like
# pfctl -F all && echo "block all" | pfctl -f -
then the switch over to the new ruleset is pretty snappy and hardly
enough time for any malicious packets to get through.
It shouldn't even be an issue since you shouldn't be testing rules on
a production system anyway, or if you are and you are paranoid then
you can simply 1) take down interfaces before working on pf 2) turn
off routing.

-Nick



Re: kernel settings for pf default block

2006-07-04 Thread Ryan McBride
On Wed, Jul 05, 2006 at 10:35:15AM -0700, c.s.r.c.murthy wrote:
>   "block all" in pf.conf is ok, but it will go away when the rules are 
> flushed for known/unknown reasons. I feel it is desirable to have a 
> kernel parameter that does default blocking when all rules are flushed.

A patch is available to do this:

http://www.benzedrine.cx/pf/msg07452.html



Re: kernel settings for pf default block

2006-07-04 Thread Lars Hansson
On Thursday 06 July 2006 01:35, c.s.r.c.murthy wrote:
>I feel it is desirable to have a
> kernel parameter that does default blocking when all rules are flushed.

The developers think otherwise:
http://www.benzedrine.cx/pf/msg07442.html

---
Lars Hansson



Re: kernel settings for pf default block

2006-07-04 Thread c.s.r.c.murthy
Hello Matthew,
"block all" in pf.conf is ok, but it will go away when the rules are 
flushed for known/unknown reasons. I feel it is desirable to have a 
kernel parameter that does default blocking when all rules are flushed.

murthy

Matthew R. Dempsky wrote:

> On Mon, Jul 03, 2006 at 05:30:21PM -0700, c.s.r.c.murthy wrote:
> 
>>This seems to be a widely discussed problem in OpenBSD pf. There is no 
>>kernel parameter that makes pf block all packets by default.
> 
> 
> Is something wrong with just putting ``block all'' in pf.conf?




Re: kernel settings for pf default block

2006-07-04 Thread Joachim Schipper
On Tue, Jul 04, 2006 at 12:12:45PM -0700, c.s.r.c.murthy wrote:
> Hello Joachim,
> Sorry, I could not find Alexey's answer on the internet. Can you 
> please give the URL for this. Also please confirm that there is no 
> kernel parameter to make pf block everything by default.

This has been confirmed three times now, so I'll let that go.

On a side note, this is a mailing list, not a web forum. There is a web
archive, however, at
.
(And in many, many other places.)

Joachim



Re: kernel settings for pf default block

2006-07-04 Thread Nick Guenther

On 7/4/06, c.s.r.c.murthy <[EMAIL PROTECTED]> wrote:


> Joachim Schipper wrote:
>
> > On Mon, Jul 03, 2006 at 05:30:44PM -0700, c.s.r.c.murthy wrote:
> >
> > > Hi,
> > > This seems to be a widely discussed problem in OpenBSD pf. There is no
> > > kernel parameter that makes pf block all packets by default. I
> > > have searched on the internet and found some discussion that took place in
> > > 2005 regarding this. The discussion concludes there is no such parameter in the
> > > kernel. Are there any changes in the latest OpenBSD to have a
> > > kernel-configurable parameter to make pf block packets by default?
> >
> >
> > Alexey already answered this, why do you repost it?
> >
> >   Joachim
>
> Hello Joachim,
> Sorry, I could not find Alexey's answer on the internet. Can you
> please give the URL for this. Also please confirm that there is no
> kernel parameter to make pf block everything by default.
>
> Thanks in advance
> murthy


Always reassuring when an organization like the Bhabha Atomic Research
Centre of India apparently can't do their own research.

Also, don't top-post dammit.

-Nick



Re: kernel settings for pf default block

2006-07-04 Thread Matthew R. Dempsky
On Tue, Jul 04, 2006 at 12:12:22PM -0700, c.s.r.c.murthy wrote:
> Also please confirm that there is no kernel parameter to make pf 
> block everything by default.

Yes, there is no kernel parameter to make pf block everything by 
default.  You make pf block everything by default by putting ``block 
all'' at the appropriate place in your pf.conf file.

This is spelt out for you in the pf.conf(5) man page:

 To block everything by default and only pass packets that match 
 explicit rules, one uses

   block all

 as the first filter rule.



Re: kernel settings for pf default block

2006-07-03 Thread c.s.r.c.murthy
Hello Joachim,
Sorry, I could not find Alexey's answer on the internet. Can you 
please give the URL for this. Also please confirm that there is no 
kernel parameter to make pf block everything by default.

Thanks in advance
murthy

Joachim Schipper wrote:

> On Mon, Jul 03, 2006 at 05:30:44PM -0700, c.s.r.c.murthy wrote:
> 
>>Hi,
>>This seems to be a widely discussed problem in OpenBSD pf. There is no 
>>kernel parameter that makes pf block all packets by default. I 
>>have searched on the internet and found some discussion that took place in 
>>2005 regarding this. The discussion concludes there is no such parameter in the 
>>kernel. Are there any changes in the latest OpenBSD to have a 
>>kernel-configurable parameter to make pf block packets by default?
> 
> 
> Alexey already answered this, why do you repost it?
> 
>   Joachim




Re: kernel settings for pf default block

2006-07-03 Thread Joachim Schipper
On Mon, Jul 03, 2006 at 05:30:44PM -0700, c.s.r.c.murthy wrote:
> Hi,
> This seems to be a widely discussed problem in OpenBSD pf. There is no 
> kernel parameter that makes pf block all packets by default. I 
> have searched on the internet and found some discussion that took place in 
> 2005 regarding this. The discussion concludes there is no such parameter in the 
> kernel. Are there any changes in the latest OpenBSD to have a 
> kernel-configurable parameter to make pf block packets by default?

Alexey already answered this, why do you repost it?

Joachim



kernel settings for pf default block

2006-07-03 Thread Alexey E. Suslikov
> This seems to be a widely discussed problem in OpenBSD pf. There is no
> kernel parameter that makes pf block all packets by default. I
> have searched on the internet and found some discussion that took place in
> 2005 regarding this. The discussion concludes there is no such parameter in the
> kernel. Are there any changes in the latest OpenBSD to have a
> kernel-configurable parameter to make pf block packets by default?

use siteXX.tgz to customize the install/upgrade process
as you need, including "block all" in /etc/pf.conf.

see http://www.openbsd.org/faq/faq4.html#site



kernel settings for pf default block

2006-07-03 Thread c.s.r.c.murthy
Hi,
This seems to be a widely discussed problem in OpenBSD pf. There is no 
kernel parameter that makes pf block all packets by default. I 
have searched on the internet and found some discussion that took place in 
2005 regarding this. The discussion concludes there is no such parameter in the 
kernel. Are there any changes in the latest OpenBSD to have a 
kernel-configurable parameter to make pf block packets by default?

thanks in advance

murthy
