Re: pf "default deny" compile-time option?
On Tue, 18 Jul 2006, Can Erkin Acar wrote:
> On Sun, Jul 16, 2006 at 07:02:00PM -0500, Travis H. wrote:
> > On 7/15/06, Ryan McBride <[EMAIL PROTECTED]> wrote:
> > > Root can do stupid things which compromise security. Obfuscation or
> > > needless complexity in an attempt to protect yourself from the root
> > > account will only make your system less secure.
> >
> > If every ruleset needs to put a rule in to default to blocking
> > packets, then that's needless complexity to me.
>
> No, needless complexity is a compile time option that makes it
> impossible to know whether a given installation needs the block rule
> or not.

I'd just prefer that deny-all was the default and not an option at all.
Mismatches between pfctl and the kernel happen on -current from time to
time, and I think being locked out is better than falling back to permit
all...

-d
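A check that follows from the point above, added here and not code from anyone in the thread: rather than relying on whatever pf does when a ruleset fails to load, verify that the ruleset you actually loaded carries its own catch-all block rule. The script assumes rules in the form `pfctl -sr` prints them (e.g. `block all` in pf.conf is printed as `block drop all`) and uses constructed sample rulesets in place of real `pfctl -sr` output.

```sh
#!/bin/sh
# Added example, not from the thread: look for an explicit catch-all
# block rule in a pf ruleset, so that "default deny" is carried by the
# ruleset itself rather than by any fallback behaviour.

# has_catchall_block: read "pfctl -sr" style rules on stdin; return 0 when
# both directions are blocked by unqualified rules ("block drop all", or
# "block drop in all" together with "block drop out all"), else return 1.
has_catchall_block() {
    awk '
        $1 == "block" {
            dir = "both"; n = 2
            # skip action modifiers; stop at the first real qualifier
            while (n <= NF) {
                if ($n == "in" || $n == "out") dir = $n
                else if ($n != "drop" && $n !~ /^return/ && $n !~ /^log/ && $n != "quick") break
                n++
            }
            # "all" directly after the modifiers means no interface,
            # protocol or address restriction (a label may still follow)
            if ($n == "all") {
                if (dir != "out") in_ok = 1
                if (dir != "in") out_ok = 1
            }
        }
        END { exit((in_ok && out_ok) ? 0 : 1) }
    '
}

# verdict: print "present" or "missing" for the ruleset on stdin
verdict() {
    if has_catchall_block; then echo present; else echo missing; fi
}

# Constructed sample rulesets, not captured from any real host.
GOOD_RULES='block drop all
pass out all flags S/SA keep state
pass in on em0 inet proto tcp from any to any port = 22 flags S/SA keep state'

# Only inbound traffic on one interface is blocked: no real default deny.
BAD_RULES='block drop in on em0 all
pass out all flags S/SA keep state'

printf '%s\n' "$GOOD_RULES" | verdict
printf '%s\n' "$BAD_RULES" | verdict
```

On a live system the same check is `pfctl -sr | verdict`.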
Re: pf "default deny" compile-time option?
On 7/18/06, Can Erkin Acar <[EMAIL PROTECTED]> wrote:
> No, needless complexity is a compile time option that makes it
> impossible to know whether a given installation needs the block rule
> or not.

Good point.

> Packets are sent using bpf(4), so the ruleset does not really matter.

Every day a school day!
--
``I am not a pessimist. To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Re: pf "default deny" compile-time option?
On Sun, Jul 16, 2006 at 07:02:00PM -0500, Travis H. wrote:
> On 7/15/06, Ryan McBride <[EMAIL PROTECTED]> wrote:
> > Root can do stupid things which compromise security. Obfuscation or
> > needless complexity in an attempt to protect yourself from the root
> > account will only make your system less secure.
>
> If every ruleset needs to put a rule in to default to blocking
> packets, then that's needless complexity to me.

No, needless complexity is a compile time option that makes it
impossible to know whether a given installation needs the block rule
or not.

> > Because the /etc/rc ruleset is only temporary, and quite small, I don't
> > see the point in making performance-related changes to it (particularly
> > performance-related changes that one would have a hard time measuring
> > the effects of)
>
> I doubt it could hurt.
>
> > > and make some allowance for DHCP.
> > DHCP uses bpf(4), and is unaffected by pf rulesets.
>
> Ah, learn something new every day.
>
> I suppose the outbound packets are passed by the ruleset, so it makes
> no difference that they have a SRC IP of 0.0.0.0...

Packets are sent using bpf(4), so the ruleset does not really matter.

Can