Date: Tue, 13 Feb 2007 21:37:13 -0800 From: "Kian Mohageri" <kian.mohageri@gmail.com> To: "Max Laier" <max@love2party.net> Cc: freebsd-rc@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pf starts, but no rules Message-ID: <fee88ee40702132137q6abef8beu80c7813fcd27eaad@mail.gmail.com> In-Reply-To: <200702132226.40415.max@love2party.net> References: <45CDED58.2056.1A642A00@dan.langille.org> <45D1B27B.5615.291E28A7@dan.langille.org> <Pine.NEB.4.64.0702131407110.815@glacier.reedmedia.net> <200702132226.40415.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On 2/13/07, Max Laier <max@love2party.net> wrote:
>
> Does anyone have time to get something like this going for FreeBSD as
> well?
I tested out some solutions. I'm not sure if this is what you guys were
looking to do, but NetBSD's solution seems fine. I'm not thrilled about
using another rc-script to solve this issue, but I couldn't think of a
simpler/more elegant solution.
Diff is against CURRENT, and I don't currently have any boxes running
CURRENT, but I tested it as much as I could. I'll get a box up to CURRENT
later to test other patches.
I couldn't decide what to pass in this initial ruleset. Passing SSH seems
safe/smart, but surely not everyone will agree.
Sorry if this is way off :)
--
Kian Mohageri
[-- Attachment #2 --]
diff -ruN etc/defaults/Makefile etc.new/defaults/Makefile
--- etc/defaults/Makefile Fri Dec 9 07:19:31 2005
+++ etc.new/defaults/Makefile Tue Feb 13 20:08:25 2007
@@ -1,6 +1,6 @@
# $FreeBSD: src/etc/defaults/Makefile,v 1.7 2005/12/09 15:19:31 ru Exp $
-FILES= bluetooth.device.conf devfs.rules pccard.conf periodic.conf rc.conf
+FILES= bluetooth.device.conf devfs.rules pccard.conf periodic.conf pf.early.conf rc.conf
NO_OBJ=
FILESDIR= /etc/defaults
diff -ruN etc/defaults/pf.early.conf etc.new/defaults/pf.early.conf
--- etc/defaults/pf.early.conf Wed Dec 31 16:00:00 1969
+++ etc.new/defaults/pf.early.conf Tue Feb 13 20:08:01 2007
@@ -0,0 +1,22 @@
+# $FreeBSD: src/etc/defaults/pf.early.conf$
+
+# Default deny
+block all
+
+# Don't filter loopback interface(s)
+set skip on lo
+
+# Allow incoming SSH
+pass in proto tcp from any to any port ssh keep state
+
+# Allow outgoing DNS, needed by pfctl to resolve any FQDNs
+pass out proto { tcp, udp } from any to any port 53 keep state
+
+# Allow outgoing ping
+pass out inet proto icmp all icmp-type echoreq keep state
+
+# Allow IPv6 router/neighbor solicitation and advertisement
+pass out inet6 proto icmp6 all icmp6-type neighbrsol
+pass in inet6 proto icmp6 all icmp6-type neighbradv
+pass out inet6 proto icmp6 all icmp6-type routersol
+pass in inet6 proto icmp6 all icmp6-type routeradv
diff -ruN etc/defaults/rc.conf etc.new/defaults/rc.conf
--- etc/defaults/rc.conf Fri Feb 9 04:11:27 2007
+++ etc.new/defaults/rc.conf Tue Feb 13 20:36:29 2007
@@ -145,6 +145,10 @@
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
+pf_early_enable="YES" # Load minimal ruleset when pf_enable="YES"
+ # before routing is enabled, after which the
+ # real ruleset will be loaded
+pf_early_rules="/etc/defaults/pf.early.conf" # Default minimal ruleset
pflog_enable="NO" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
diff -ruN etc/rc.d/Makefile etc.new/rc.d/Makefile
--- etc/rc.d/Makefile Sun Oct 15 07:19:06 2006
+++ etc.new/rc.d/Makefile Tue Feb 13 20:42:09 2007
@@ -27,7 +27,7 @@
network_ipv6 newsyslog nfsclient nfsd \
nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
othermta \
- pf pflog pfsync \
+ pf pf_early pflog pfsync \
powerd power_profile ppp pppoed pwcheck \
quota \
random rarpd resolv root \
diff -ruN etc/rc.d/pf etc.new/rc.d/pf
--- etc/rc.d/pf Sun Dec 31 02:37:18 2006
+++ etc.new/rc.d/pf Tue Feb 13 20:09:33 2007
@@ -4,8 +4,7 @@
#
# PROVIDE: pf
-# REQUIRE: root mountcritlocal netif pflog pfsync
-# BEFORE: routing
+# REQUIRE: root mountcritlocal netif pflog pfsync pf_early
# KEYWORD: nojail
. /etc/rc.subr
diff -ruN etc/rc.d/pf_early etc.new/rc.d/pf_early
--- etc/rc.d/pf_early Wed Dec 31 16:00:00 1969
+++ etc.new/rc.d/pf_early Tue Feb 13 20:35:18 2007
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD: src/etc/rc.d/pf_early,v 1.7.2.4 2006/01/22 13:45:28 yar Exp $
+#
+
+# PROVIDE: pf_early
+# REQUIRE: root mountcritlocal netif pflog pfsync
+# BEFORE: routing
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="pf_early"
+rcvar=`set_rcvar`
+load_rc_config $name
+start_cmd="pf_early_start"
+stop_cmd=":"
+required_files="$pf_early_rules"
+required_modules="pf"
+
+pf_early_start()
+{
+ echo "Enabling minimal pf ruleset."
+ $pf_program -Fall > /dev/null 2>&1
+ $pf_program -f "$pf_early_rules"
+ if ! $pf_program -s info | grep -q "Enabled" ; then
+ $pf_program -e
+ fi
+}
+
+# Don't do anything unless pf_enable="YES"
+if checkyesno pf_enable; then
+ run_rc_command "$1"
+fi
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fee88ee40702132137q6abef8beu80c7813fcd27eaad>