git: pfctl - Change default keep-policy to bring more in-line with other BSDs
Matthew Dillon
dillon at crater.dragonflybsd.org
Fri Jun 27 19:09:09 PDT 2014
commit f72d5ff0d8dd6b9afab31a2e1d51d5539bf85b03
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date: Fri Jun 27 19:05:33 2014 -0700
pfctl - Change default keep-policy to bring more in-line with other BSDs
* Change the default keep-policy to the equivalent of:
set keep-policy keep state (pickups, sloppy)
* This is being done because without keep state PF is simply going to be
too inefficient for any reasonable set of rules, and we no longer want
to make users set the keep-policy line when keep state is already the
default in other BSD systems.
* Note that we also set pickups and sloppy by default. This allows the
router and/or PF to be restarted and allows packet routing to change
mid-stream without causing all active TCP connections to drop. This
may not be the default in other BSD systems but it should be. Being
ultra strict here to improve security against ICMP-based attacks removes
too much flexibility to be appropriate. Proper TCP implementations
already do sequence space checks for RST packets.
Summary of changes:
usr.sbin/pfctl/parse.y | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/f72d5ff0d8dd6b9afab31a2e1d51d5539bf85b03
--
DragonFly BSD source repository
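The following pf.conf fragment is an added illustration, not part of the commit or the DragonFly source tree. It shows the global `set keep-policy` line that the commit makes the default, written out explicitly so the effect is visible, followed by rules that rely on that default for state tracking. The interface name, addresses and port list are constructed sample values; the comments describe the options only as the commit message above describes them (pickups: existing connections survive a PF or router restart or a mid-stream routing change; sloppy: relaxed TCP sequence-window checking, trading strictness against ICMP/RST-style attacks for that flexibility).

```pf
# Constructed example pf.conf (not from the DragonFly repository).
# After commit f72d5ff0 this line is the implied default on DragonFly;
# it is spelled out here so the policy is explicit and reviewable.
set keep-policy keep state (pickups, sloppy)

ext_if = "em0"                  # assumed interface name
admin_net = "10.0.0.0/24"       # constructed sample network
tcp_services = "{ 22, 80, 443 }"

# Default deny; stateful matching below lets replies through.
block all

# No "keep state" written on these rules: with the keep-policy above
# each pass rule still creates state, so the ruleset stays efficient.
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any
pass in  on $ext_if proto tcp from $admin_net to ($ext_if) port $tcp_services

# Operational check after loading (commands assumed, typed on the router):
#   pfctl -nf /etc/pf.conf     # parse only, confirms the keep-policy line is accepted
#   pfctl -s rules             # inspect the rules as pfctl expanded them
#   pfctl -s state             # confirm entries appear for live connections
```

The `pickups` and `sloppy` options are the reason the commit note discusses security: sequence-window checks in PF are what `sloppy` relaxes, and the commit argues that endpoint TCP stacks already validate RST sequence numbers. Sites that want the stricter behaviour on specific paths should consult the DragonFly pf.conf(5) manual for the exact per-rule override syntax rather than assume it matches other BSDs.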