
List:       freebsd-hackers
Subject:    Re: pf options in kernel
From:       Kristof Provost <kp@FreeBSD.org>
Date:       2022-11-16 11:40:03
Message-ID: AD947839-F5D0-4BFC-B954-E727A27BBC87@FreeBSD.org

On 16 Nov 2022, at 1:58, void wrote:
> On Tue, Nov 15, 2022 at 10:00:48PM +0100, Kristof Provost wrote:
> > Configure this in your pf.conf file, not as a kernel option.
> > 
> > There's at least one known bug with PF_DEFAULT_TO_DROP:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237477
> 
> Thanks, noted.
> 
> > As a general rule you should avoid custom kernel options whenever it's remotely possible.
> 
> I've always thought having a kernel trimmed to only what is required, from a security standpoint, diminishes the attack surface. Is this not the case?
No, you just end up running a unique configuration not tested by anyone else.

The defaults are the defaults for a reason. Only deviate from them if you understand both why the default is what it is and why it doesn't work for your use case.

Kristof
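The advice above is to put the default-deny policy in pf.conf rather than building the kernel with PF_DEFAULT_TO_DROP. The ruleset below is an added, constructed example of that approach; it is not a ruleset from this thread or from the FreeBSD project. The interface name em0 and the set of permitted services are assumptions chosen for illustration.

```pf
# Added example ruleset (constructed, not from the thread): default deny
# expressed in pf.conf instead of via the PF_DEFAULT_TO_DROP kernel option.
# em0 and the permitted services are assumptions for illustration only.
ext_if = "em0"
tcp_services = "{ 22 }"

# Never filter loopback traffic.
set skip on lo0

# Silently drop blocked packets. This is already the default block policy;
# it is stated explicitly so the intent is visible in the ruleset.
set block-policy drop

# Normalize incoming packets (FreeBSD pf scrub syntax).
scrub in all

# Drop packets arriving on the external interface that claim a source
# address belonging to one of our own networks.
antispoof quick for $ext_if

# Default deny in both directions, with logging. pf evaluates rules with
# last-matching-rule semantics, so this rule goes first and the more
# specific pass rules below override it for the traffic we want.
block log all

# Let this host open outbound connections; return traffic is matched by
# the state entry rather than by a separate inbound rule.
pass out on $ext_if inet proto { tcp udp icmp } from ($ext_if) to any keep state

# Accept only the listed inbound TCP services, and only on a clean SYN.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state
```

Check the syntax without touching the running ruleset with `pfctl -nf /etc/pf.conf` (add `-v` to see the rules as pf parsed them), load it with `pfctl -f /etc/pf.conf`, and confirm with `pfctl -sr`. The difference from the kernel option is where the policy lives: PF_DEFAULT_TO_DROP changes pf's built-in action for packets no rule matches, whereas `block all` gets the same effect from a ruleset that any other FreeBSD system with the stock kernel can load and that can be tested with `pfctl -n` before it is applied.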

