Provide a kernel compile-time option to make the pf(4) default rule drop.

This is important to secure a small timeframe at boot time, when the
network is already configured, but pf(4) is not yet.

PR:		kern/171622
Submitted by:	Olivier Cochard-Labbé <olivier cochard.me>
Gleb Smirnoff 2012-09-18 11:07:19 +00:00
parent 1d6139c0e4
commit 7f7ef494f1
4 changed files with 19 additions and 1 deletions

View File

@ -28,7 +28,7 @@
.\" .\"
.\" $FreeBSD$ .\" $FreeBSD$
.\" .\"
.Dd June 29 2012 .Dd September 18 2012
.Dt PF 4 .Dt PF 4
.Os .Os
.Sh NAME .Sh NAME
@ -36,6 +36,7 @@
.Nd packet filter .Nd packet filter
.Sh SYNOPSIS .Sh SYNOPSIS
.Cd "device pf" .Cd "device pf"
.Cd "options PF_DEFAULT_TO_DROP"
.Sh DESCRIPTION .Sh DESCRIPTION
Packet filtering takes place in the kernel. Packet filtering takes place in the kernel.
A pseudo-device, A pseudo-device,
@ -94,6 +95,15 @@ Read only
.Xr sysctl 8 .Xr sysctl 8
variables with matching names are provided to obtain current values variables with matching names are provided to obtain current values
at runtime. at runtime.
.Sh KERNEL OPTIONS
The following options in the kernel configuration file are related to
.Nm
operation:
.Pp
.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact
.It Dv PF_DEFAULT_TO_DROP
Change default policy to drop by default
.El
.Sh IOCTL INTERFACE .Sh IOCTL INTERFACE
.Nm .Nm
supports the following supports the following
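Review bot: the description under .It Dv PF_DEFAULT_TO_DROP, "Change default policy to drop by default", is circular and does not tell the reader what the option actually controls. Suggest stating it in terms of the implicit default rule: the rule that applies to packets matched by no rule in the loaded ruleset becomes block instead of pass, which closes the boot-time window between network configuration and ruleset loading mentioned in the commit message. It would also help to say that the effect is not limited to boot: once set, unmatched packets are dropped for the lifetime of the kernel, so rulesets written with an implicit "pass" fallback in mind will behave differently.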

View File

@ -918,6 +918,8 @@ device lagg
# packets without touching the TTL). This can be useful to hide firewalls # packets without touching the TTL). This can be useful to hide firewalls
# from traceroute and similar tools. # from traceroute and similar tools.
# #
# PF_DEFAULT_TO_DROP causes the default pf(4) rule to deny everything.
#
# TCPDEBUG enables code which keeps traces of the TCP state machine # TCPDEBUG enables code which keeps traces of the TCP state machine
# for sockets with the SO_DEBUG option set, which can then be examined # for sockets with the SO_DEBUG option set, which can then be examined
# using the trpt(8) utility. # using the trpt(8) utility.
@ -937,6 +939,7 @@ options IPFILTER_LOG #ipfilter logging
options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_LOOKUP #ipfilter pools
options IPFILTER_DEFAULT_BLOCK #block all packets by default options IPFILTER_DEFAULT_BLOCK #block all packets by default
options IPSTEALTH #support for stealth forwarding options IPSTEALTH #support for stealth forwarding
options PF_DEFAULT_TO_DROP #drop everything by default
options TCPDEBUG options TCPDEBUG
options RADIX_MPATH options RADIX_MPATH
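Review bot: the inline comment "#drop everything by default" overstates the effect; the option only changes the disposition of packets that match no rule in the loaded ruleset, not every packet. The neighbouring IPFILTER_DEFAULT_BLOCK entry uses "#block all packets by default"; mirroring that wording, e.g. "#drop packets not matched by any rule", keeps the two entries consistent and accurate. The longer comment added in the previous hunk ("causes the default pf(4) rule to deny everything") has the same issue and should use "drop" to match the option name and the pf(4) manual page.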

View File

@ -430,6 +430,7 @@ NCP
NETATALK opt_atalk.h NETATALK opt_atalk.h
NFSLOCKD NFSLOCKD
PCBGROUP opt_pcbgroup.h PCBGROUP opt_pcbgroup.h
PF_DEFAULT_TO_DROP opt_pf.h
RADIX_MPATH opt_mpath.h RADIX_MPATH opt_mpath.h
ROUTETABLES opt_route.h ROUTETABLES opt_route.h
SLIP_IFF_OPTS opt_slip.h SLIP_IFF_OPTS opt_slip.h
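Review bot: the option is routed to opt_pf.h, but this change does not add an #include "opt_pf.h" to the file that carries pfattach(). Please confirm that file already includes opt_pf.h (it does if other opt_pf.h options are already used there); otherwise the #ifdef PF_DEFAULT_TO_DROP in pfattach() silently never sees the option and the kernel keeps PF_PASS.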

View File

@ -216,7 +216,11 @@ pfattach(void)
/* default rule should never be garbage collected */ /* default rule should never be garbage collected */
V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next; V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
#ifdef PF_DEFAULT_TO_DROP
V_pf_default_rule.action = PF_DROP;
#else
V_pf_default_rule.action = PF_PASS; V_pf_default_rule.action = PF_PASS;
#endif
V_pf_default_rule.nr = -1; V_pf_default_rule.nr = -1;
V_pf_default_rule.rtableid = -1; V_pf_default_rule.rtableid = -1;
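Review bot: V_pf_default_rule.action is chosen once here at attach time and nothing in this change touches it later, so the drop policy persists after a ruleset is loaded and is not merely a boot-time safeguard; worth a sentence in the manual page and NOTES so administrators are not surprised. A compile-time #ifdef also means switching the policy requires a kernel rebuild; a loader tunable or read-only sysctl exposing the chosen default would let an administrator verify the active policy at runtime, which matters precisely during the unprotected window this change is meant to close.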