diff options
author | glebius <glebius@FreeBSD.org> | 2012-09-18 11:07:19 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2012-09-18 11:07:19 +0000 |
commit | df8f63316940a8bb3f78ae2c2ab1aafc1a690204 (patch) | |
tree | 850ca5ee6c126d9d8eeb9a52cd2a3ea035c7201e | |
parent | c3ead4d7df91f96b5c4796a2d0742c691e9bf5cb (diff) | |
download | FreeBSD-src-df8f63316940a8bb3f78ae2c2ab1aafc1a690204.zip FreeBSD-src-df8f63316940a8bb3f78ae2c2ab1aafc1a690204.tar.gz |
Provide kernel compile time option to make pf(4) default rule to drop.
This is important to secure a small timeframe at boot time, when
network is already configured, but pf(4) is not yet.
PR: kern/171622
Submitted by: Olivier Cochard-LabbИ <olivier cochard.me>
-rw-r--r-- | share/man/man4/pf.4 | 12 | ||||
-rw-r--r-- | sys/conf/NOTES | 3 | ||||
-rw-r--r-- | sys/conf/options | 1 | ||||
-rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 4 |
4 files changed, 19 insertions, 1 deletions
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4 index 635078d..f290a9b 100644 --- a/share/man/man4/pf.4 +++ b/share/man/man4/pf.4 @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 29 2012 +.Dd September 18 2012 .Dt PF 4 .Os .Sh NAME @@ -36,6 +36,7 @@ .Nd packet filter .Sh SYNOPSIS .Cd "device pf" +.Cd "options PF_DEFAULT_TO_DROP" .Sh DESCRIPTION Packet filtering takes place in the kernel. A pseudo-device, @@ -94,6 +95,15 @@ Read only .Xr sysctl 8 variables with matching names are provided to obtain current values at runtime. +.Sh KERNEL OPTIONS +The following options in the kernel configuration file are related to +.Nm +operation: +.Pp +.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact +.It Dv PF_DEFAULT_TO_DROP +Change default policy to drop by default +.El .Sh IOCTL INTERFACE .Nm supports the following diff --git a/sys/conf/NOTES b/sys/conf/NOTES index ab93a66..6b9d6aa 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -918,6 +918,8 @@ device lagg # packets without touching the TTL). This can be useful to hide firewalls # from traceroute and similar tools. # +# PF_DEFAULT_TO_DROP causes the default pf(4) rule to deny everything. +# # TCPDEBUG enables code which keeps traces of the TCP state machine # for sockets with the SO_DEBUG option set, which can then be examined # using the trpt(8) utility. @@ -937,6 +939,7 @@ options IPFILTER_LOG #ipfilter logging options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_DEFAULT_BLOCK #block all packets by default options IPSTEALTH #support for stealth forwarding +options PF_DEFAULT_TO_DROP #drop everything by default options TCPDEBUG options RADIX_MPATH diff --git a/sys/conf/options b/sys/conf/options index e574b2e..0ed9ce6 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -430,6 +430,7 @@ NCP NETATALK opt_atalk.h NFSLOCKD PCBGROUP opt_pcbgroup.h +PF_DEFAULT_TO_DROP opt_pf.h RADIX_MPATH opt_mpath.h ROUTETABLES opt_route.h SLIP_IFF_OPTS opt_slip.h diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index d2d580d..b97766c 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -216,7 +216,11 @@ pfattach(void) /* default rule should never be garbage collected */ V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next; +#ifdef PF_DEFAULT_TO_DROP + V_pf_default_rule.action = PF_DROP; +#else V_pf_default_rule.action = PF_PASS; +#endif V_pf_default_rule.nr = -1; V_pf_default_rule.rtableid = -1; |