git: pfctl - Change default keep-policy to bring more in-line with other BSDs

Matthew Dillon dillon at crater.dragonflybsd.org
Fri Jun 27 19:09:09 PDT 2014


commit f72d5ff0d8dd6b9afab31a2e1d51d5539bf85b03
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Fri Jun 27 19:05:33 2014 -0700

    pfctl - Change default keep-policy to bring more in-line with other BSDs
    
    * Change the default keep-policy to the equivalent of:
    
      set keep-policy keep state (pickups, sloppy)
    
    * This is being done because without keep state PF is simply going to be
      too inefficient for any reasonable set of rules, and we no longer want
      to make users set the keep-policy line when keep state is already the
      default in other BSD systems.
    
    * Note that we also set pickups and sloppy by default.  This allows the
      router and/or PF to be restarted and allows packet routing to change
      mid-stream without causing all active TCP connections to drop.  This
      may not be the default in other BSD systems but it should be.  Being
      ultra strict here to improve security against ICMP-based attacks removes
      too much flexibility to be appropriate.  Proper TCP implementations
      already do sequence space checks for RST packets.

Summary of changes:
 usr.sbin/pfctl/parse.y | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/f72d5ff0d8dd6b9afab31a2e1d51d5539bf85b03


-- 
DragonFly BSD source repository