“As seen here,
PF is now enabled by default. The default pf.conf will now pass in all
traffic, except for TCP port 6000 normally used by remote-X11. By having the X server still listen on port 6000 but let PF block incoming packets that aren’t coming from localhost you can still use local X sessions that needs to talk to the TCP port or runs through a port forward from remote, but at the same time don’t expose your machine on the network. Recent changes to PF, like having packet reassembly enabled on all packets by default, will now help clean incoming traffic.”
Considering OpenBSD always prided itself in being the most secure OS with it’s default install (Mainly due to it rejecting everything and having all the services turned off) I find it very weird that it would enable PF to forward ALL incoming connections in by default.
To me, it just seems very weird to go against something they’ve been doing for so long.
I think you’re confusing having most services turned off with having pf on… turning on pf with the default install is new, they still leave most daemons off to have a ‘secure by default’ install.
This doesn’t mean they used to have pf enabled but blocking everything… that wasn’t the case in the past
They always have had the minimal services needed (meaning daemons aren’t listening on ports), which they still do, but with the added benefit of pf being on but allowing all traffic except for the mentioned X tcp port
It isn’t odd. As explained in FAQ:
“OpenBSD attempts to minimize the need for customization and tweaking. For the vast majority of users, OpenBSD “Just Works” on their hardware for their application. Not only is tweaking and customizing rarely needed, it is actively discouraged.”
http://www.openbsd.org/faq/faq1.html
OpenBSD aims to be a general purpose OS, not only for servers, but for desktop or embedded systems too. Of course it can be a “lot more secure” than it is now, but this is not the point. You have to watch your mouth when you talk about what a “secure” OS is.
Yes, services disabled/minimized by default means we don’t have to block any unavailable services.