PF Preventing "leakage" at boot

J

jef

I'm going through my periodic re-examination of firewalls and packet filtering rules here and am exploring pf as an option for a host that forwards packets.

One issue that can occur with some systems is that the system boots and brings up interfaces with forwarding enabled before the firewall rules are in place. There is some period of time where "inappropriate" forwarding can occur.

net.inet.ip.fw.default_to_accept and the associated kernel config parameter handles this for ipfw and can be managed early in the boot, long before interfaces come up. I didn't seem mention of a similar mechanism when using pf.

What are the reasonable ways to manage the at-boot behavior when using pf?
 
As far as I know you can only do this at compile time by setting options PF_DEFAULT_TO_DROP in the kernel config.
 
jef said:
I'm going through my periodic re-examination of firewalls and packet filtering rules here and am exploring pf as an option for a host that forwards packets.

One issue that can occur with some systems is that the system boots and brings up interfaces with forwarding enabled before the firewall rules are in place. There is some period of time where "inappropriate" forwarding can occur.

net.inet.ip.fw.default_to_accept and the associated kernel config parameter handles this for ipfw and can be managed early in the boot, long before interfaces come up. I didn't seem mention of a similar mechanism when using pf.

What are the reasonable ways to manage the at-boot behavior when using pf?
Click to expand...
If you take a peek at the output of /sbin/rcorder sysctl doesn't update until the very end of the boot process. :p
 
  • Thanks
Reactions: jef
Great hint!

I'll look more carefully at the sequencing and, if needed, setting
Code: 
net.inet.ip.forwarding: 1
net.inet6.ip6.forwarding: 1
outside of the common /etc/rc.conf and gateway_enable='YES'
 
You must log in or register to reply here.
Back
Top