OpenBSD Journal
PF enabled by default
Contributed by jj on Fri Jun 5 20:00:19 2009 (GMT)
from the drop-the-evil-bit-packets-too dept.

As seen here, PF is now enabled by default. The default pf.conf will now pass in all traffic, except for TCP port 6000, the port normally used by remote X11.

By having the X server still listen on port 6000 but letting PF block incoming packets that don't come from localhost, you can still use local X sessions that need to talk to the TCP port, or that run through a port forward from a remote host, while not exposing your machine on the network.

Recent changes to PF, like having packet reassembly enabled on all packets by default, will now help clean incoming traffic.

With all the new code and features now in PF, and the nice side effects it brings according to henning@ (see the commit log below), it needs wider usage.
CVSROOT:	/cvs
Module name:	src
Changes by:	henning@cvs.openbsd.org	2009/05/31 13:16:16

Modified files:
	etc            : rc.conf 

Log message:
enable pf by default.
turns bombs into flowers, water into beer and eradicts swine flu
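A ruleset that behaves the way the story describes, written here as an added example (a constructed pf.conf, not the file committed to OpenBSD): everything passes, but inbound TCP to the X server port is refused unless it arrives on the loopback interface.

```pf
# Constructed example pf.conf; not the OpenBSD default file itself.
# PF evaluates rules top to bottom and the LAST matching rule wins unless a
# rule says "quick", so the narrow X11 block must come after the broad pass.

# Do not filter the loopback interface at all: X clients on this host, and
# sessions that reach this host through an ssh port forward, are delivered
# over lo0 and so reach TCP 6000 without touching the ruleset below.
set skip on lo0

# Default policy: let everything through and keep state on connections.
pass

# Refuse inbound TCP to the X server port on every interface except lo0.
# "return" answers with a TCP RST so a remote client fails fast rather than
# hanging; use plain "block" (drop) if you prefer to stay silent.
block return in on ! lo0 proto tcp to port 6000
```

Check the file parses with `pfctl -nf /etc/pf.conf` before loading it, then confirm the loaded order with `pfctl -sr`: the port 6000 block must print after the `pass` line or it never takes effect.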




  Re: PF enabled by default (mod 0/46)
by Jason Eggleston (68.4.61.243) on Fri Jun 5 22:15:42 2009 (GMT)
  Why not just have X listen on 127.0.0.1?

  Re: PF enabled by default (mod -22/58)
by clvrmnky (69.196.152.39) (clvrmnky.invalid@gmail.com) on Fri Jun 5 22:46:14 2009 (GMT)
  If this had been done last release the "Only ... holes in the default install ..." would have been blown away with that pf DoS.

I hope regression testing is done on PF changes from now on ;)

Well, the whole default install hole report is a bit of a dick-waving exercise anyway.

  Re: PF enabled by default (mod -4/42)
by Anonymous Coward (68.224.90.201) on Sat Jun 6 00:45:45 2009 (GMT)
  cue whining about how pf.conf isn't blocking everything by default in 3..2..1

  Re: PF enabled by default (mod 12/50)
by Steve Shockley (68.83.96.160) (steve.shockley@shockley.net) on Sat Jun 6 02:34:29 2009 (GMT)
  It's true, I use pf, and I don't have the pig flu.

  Re: PF enabled by default (mod 18/60)
by Anonymous Coward (85.19.213.88) on Sat Jun 6 12:14:12 2009 (GMT)
  So, what does the new pf.conf look like? pass out quick on $cheap_gin?


Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. Some icons from slashdot.org used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig.