List: freebsd-hackers
Subject: Re: pf options in kernel
From: Kristof Provost <kp () FreeBSD ! org>
Date: 2022-11-16 11:40:03
Message-ID: AD947839-F5D0-4BFC-B954-E727A27BBC87 () FreeBSD ! org
On 16 Nov 2022, at 1:58, void wrote:
> On Tue, Nov 15, 2022 at 10:00:48PM +0100, Kristof Provost wrote:
> > Configure this in your pf.conf file, not as a kernel option.
> >
> > There's at least one known bug with PF_DEFAULT_TO_DROP:
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477
>
> Thanks, noted.
>
> > As a general rule you should avoid custom kernel options whenever it's remotely possible.
>
> I've always thought having a kernel trimmed to only what is required, from a security standpoint, diminishes the attack surface. Is this not the case?
No, you just end up running a unique configuration not tested by anyone else.
The defaults are the defaults for a reason. Only deviate from them if you understand both why the default is what it is and why it doesn't work for your use case.
Kristof
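What the advice above looks like in practice, as an added example that is not part of the original thread: the default-deny policy that the PF_DEFAULT_TO_DROP kernel option would bake into a custom kernel, expressed instead as ordinary rules in /etc/pf.conf on a stock GENERIC kernel. The interface name `em0` and the single allowed inbound service are assumptions chosen for illustration, not something the thread specifies.

```conf
# /etc/pf.conf -- added example, not from the original message.
# Default-deny is expressed in the ruleset rather than compiled into the
# kernel with "options PF_DEFAULT_TO_DROP". Interface and ports are assumed.
ext_if = "em0"            # assumed external interface

set block-policy drop     # blocked packets are dropped silently, no RST/ICMP reply
set skip on lo0           # do not filter loopback

# Deny everything first. pf evaluates rules with last-matching-rule-wins
# semantics (absent "quick"), so later "pass" rules override this default.
block log all

# Explicit allow list: stateful outbound traffic, and inbound SSH only.
pass out on $ext_if inet proto { tcp udp icmp } keep state
pass in  on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), then load it with `pfctl -f /etc/pf.conf` and confirm the resulting ruleset with `pfctl -sr`. Because the default-deny is a rule rather than a kernel option, it is visible in the loaded ruleset, can be changed without a rebuild, and exercises the same code paths every other pf user runs.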