On Friday 26 June 2009 06:17:06 Doug Barton wrote: > I have reverted the change that caused pf and ipfw to appear before > netif in the rcorder. While I still feel strongly that it is the > "right thing" to configure the firewalls first, the changes caused too > many problems for too many users, and it's too late in the release > cycle to make a change like this that has significant side effects. > > I would like to strongly encourage those who use pf and ipfw to > consider doing the work required to make this change possible. With > ipfw it's not quite as urgent since by default it does not pass > packets till it is configured. This is not the case with pf, as its > default is wide open until it is configured. It's not a simple problem and I'm not sure we can really come up with a "one-size-fits-all" solution. That does not mean we shouldn't try, though. My idea how this should work is something along the following lines: 1) Very early in the boot (just after the necessary firewall configuration tools are available [NFS-root might be a problem here!]) setup an "initial firewall" configuration. For most users this could be a default (allow dhcp, outgoing DNS, maybe ssh in/out, NFS(???), ...). 2) After setting up the interfaces have the option to start a more involved firewall that is fully user supplied. At this point we should be able to look up DNS (though this is clearly a bad idea from the security PoV unless you have DNSSEC), get interface configurations and maybe even routing information. The latter could be another chicken-egg-problem as we might need a routing daemon active to get this. However, people who really need that should be able to modify the early setup accordingly. It is unclear to me where stage 2 should be located. I would argue that with a reasonable default setup we can easily get away with putting stage 2 at the very end of the start up procedure. If people need early holes in the firewall (e.g. for smbfs, routing daemons, ...) they can place them in the early stage. I would like input about how a very simple "save default" setup could look like. A ruleset for pf or ipfw that allows most of the boot process to complete without opening the host to the outside world, yet. For extra points this ruleset is aware of the rc.conf variables and adjusts accordingly (e.g. opening access to sshd iff it is configured). In addition there might be *one or two* configuration variables for the early stage to open additional ports or to select a default interface. However, the fewer the better. Input greatly appreciated! -- /"\ Best regards, | mlaier_at_freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier_at_EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and NewsReceived on Fri Jun 26 2009 - 07:04:11 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:50 UTC