Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-09 Thread Peter N. M. Hansteen
Over in the comp.unix.bsd.freebsd.misc news group, there's a discussion about what happens when PF loads, specifically a perceived 'window of opportunity' for an attacker in the interval between PF getting enabled and the rule set loading, and what happens if the rule set you load at boot time is a

Re: Problems with stalling sessions

2005-11-09 Thread Per-Olov Sjöholm
On Tuesday 08 November 2005 15.30, Jon Hart wrote: > On Tue, Nov 08, 2005 at 01:39:21AM +0100, Per-Olov Sjöholm wrote: > > Hi > > > > I have a redundant firewall with CARP. 3.6 STABLE plus all patches from > > CVS for stable (updated last week). The firewalls have 7 nic ports each. > > External, in

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-09 Thread mike scott
On 9 Nov 2005 at 9:57, Peter N. M. Hansteen wrote: > Over in the comp.unix.bsd.freebsd.misc news group, there's a > discussion about what happens when PF loads, specifically a perceived > 'window of opportunity' for an attacker in the interval between PF > getting enabled and the rule set loading,

pf security - is pf failsafe if config file invalid?

2005-11-09 Thread mike scott
Hi, I've been directed here from a FreeBSD newsgroup about this question. I've checked the archives, but found nothing relevant. Background: I'm upgrading to FreeBSD 6.0-release and want to move from ipf to pf to get the extra flexibility pf offers. However, I have concerns about the security o

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-09 Thread Jon Hart
On Wed, Nov 09, 2005 at 09:57:08AM +0100, Peter N. M. Hansteen wrote: > Over in the comp.unix.bsd.freebsd.misc news group, there's a > discussion about what happens when PF loads, specifically a perceived > 'window of opportunity' for an attacker in the interval between PF > getting enabled and the

Re: pf security - is pf failsafe if config file invalid?

2005-11-09 Thread Nick Holland
On Wed, Nov 09, 2005 at 11:41:27AM -, mike scott wrote: > Background: I'm upgrading to FreeBSD 6.0-release and want to move from > ipf to pf to get the extra flexibility pf offers. welcome! :) > However, I have concerns about the security of pf at system startup and > when the config file

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-09 Thread Peter N. M. Hansteen
Jon Hart <[EMAIL PROTECTED]> writes: > Unless I'm being completely misled, this feature is already in place > with OpenBSD. See /etc/rc. Now that you mention it, it does look like the good people who ported PF over to FreeBSD did not bring with them all of the PF related bits from OpenBSD's /

Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

2005-11-09 Thread Karl O. Pinc
On 11/09/2005 02:57:08 AM, Peter N. M. Hansteen wrote: Over in the comp.unix.bsd.freebsd.misc news group, there's a discussion about what happens when PF loads, specifically a perceived 'window of opportunity' for an attacker in the interval between PF getting enabled and the rule set loading, a