Date:      Tue, 17 Jan 2006 13:06:13 -0600
From:      Bill Marquette <bill.marquette@gmail.com>
To:        stephen <dinzdale@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF + PPPoE
Message-ID:  <55e8a96c0601171106h497a091du91ba3f5ea2465e33@mail.gmail.com>
In-Reply-To: <ee918c780601170314q7693c555x1cf01201b0d9f157@mail.gmail.com>
References:  <18525.196.2.148.70.1137476403.squirrel@webmail.wbs.co.za> <55e8a96c0601162221w24026424j6c2eeec684db8bb1@mail.gmail.com> <ee918c780601170314q7693c555x1cf01201b0d9f157@mail.gmail.com>

On 1/17/06, stephen <dinzdale@gmail.com> wrote:
> What Rudi means to say is, in his rc.conf he has stuck instructions
> for his ppp to start on boot, and for pf to load on boot. Problem is,
> FreeBSD creates tun0 when ppp runs for the first time, not when the
> machine boots up, and as his pf.conf refers to tun0, pf won't start if
> it runs before ppp has started, as there is no tun0 device and pf bombs
> out saying 'no such device'.   (I know because I had a similar issue ;-)
>
> What I did was make a start script in /usr/local/etc/rc.d/ that runs
> ppp, sleeps for 30 seconds (should be more than enough - I use
> Telkom's ADSL which takes about 10 seconds, and I think my mate's
> iBurst connects in less than 30 seconds) and -then- runs pf -f
> /etc/pf.conf
>
> That should do the trick

And yet pf doesn't care about interfaces that don't exist if your
syntax is correct.

# cat f
nat on tun0 from lo0:network to any -> (tun0)
pass in on tun0 from any to (tun0)
# pfctl -f f
# pfctl -sr
pass in on tun0 from any to (tun0)
# ifconfig tun0
ifconfig: interface tun0 does not exist

There are numerous syntax errors in his config - mainly all around not
surrounding interfaces with parens.  The following parses and loads
just fine on my box (which has neither tun0 nor fxp0).  Note that I had
to comment out the set loginterface, which can't possibly work if tun0
doesn't exist.

--Bill

#define Macros
ext_if = "tun0"
int_if = "fxp0"
tcp_services = "22"
priv_net = "{ 127.0.0.0/8, 192.168.0.0/24, 172.16.0.0/12, 10.0.0.0/8 }"
secure_mail = "196.1.1.1"
tech_net = "196.1.1.1/24"
admin_mweb = "196.1.1.1"
allow_web = "{ 196.1.1.1, 196.2.2.2, 196.2.2.2, 196.3.3.3, (tun0) }"

#options
set block-policy return
#set loginterface $ext_if

#Scrubs
scrub in all

#Nat
nat on $ext_if from ($int_if:network) to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 6161

#Rules
pass in log quick on $int_if inet proto tcp from any to 127.0.0.1 port 6161 keep state
# immediately prevent IPv6 traffic from entering or leaving all interfaces
block log quick inet6 all

#default to deny
block in log all
block out log all

# Block bad tcp flags from malicious people and nmap scans
block in log quick on $ext_if proto tcp from any to any flags /S
block in log quick on $ext_if proto tcp from any to any flags /SFRA
block in log quick on $ext_if proto tcp from any to any flags /SFRAU
block in log quick on $ext_if proto tcp from any to any flags A/A
block in log quick on $ext_if proto tcp from any to any flags F/SFRA
block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SF/SF
block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if proto tcp from any to any flags SR/SR
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP
block in log quick on $ext_if proto tcp all flags FUP/FUP

#allow loopback
pass quick on lo0 all

#block private networks from inside out
block drop in log quick on $ext_if from $priv_net to any
block drop out log quick on $ext_if from any to $priv_net

#allow internal network out
pass in log on $int_if from ($int_if:network) to any keep state

#VPN out from internal network
pass in log on $int_if proto gre keep state
pass in log on $int_if proto tcp from any to any port 1723 keep state
pass out log on $ext_if proto gre keep state
pass out log on $ext_if proto tcp from any to any port 1723 keep state

#allow admin.mweb.net inside
pass in log on $ext_if proto tcp from $admin_mweb to ($ext_if) port 22 keep state
pass in log on $ext_if proto tcp from $tech_net to ($ext_if) port 22 keep state

#allow mweb staff web inside
pass in log on $ext_if proto tcp from $allow_web to ($ext_if) port 80 keep state

pass out log on $ext_if from ($int_if:network) to any keep state

#allow from fw to out
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
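As an added example (not part of the thread and not either poster's script), here is a start script along the lines stephen describes, except that it polls for tun0 instead of sleeping a fixed 30 seconds, and runs pfctl -nf before pfctl -f so a ruleset that does not parse is rejected without disturbing whatever rules are already loaded. The ppp profile name "adsl", the 60-second timeout and the IFCONFIG/PFCTL overrides are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: an rc.d-style start script that
# dials ppp, waits for the PPPoE interface to appear, parse-checks the
# ruleset and only then loads it. Profile name, timeout and the
# IFCONFIG/PFCTL overrides are assumptions.
PPP_PROFILE="${PPP_PROFILE:-adsl}"   # assumed ppp.conf profile name
PF_CONF="${PF_CONF:-/etc/pf.conf}"
EXT_IF="${EXT_IF:-tun0}"
IFCONFIG="${IFCONFIG:-ifconfig}"     # overridable so the logic can be tested
PFCTL="${PFCTL:-pfctl}"

# iface_exists NAME: on FreeBSD a missing interface makes ifconfig print
# "interface tun0 does not exist" and exit non-zero; only the status is used.
iface_exists() {
    "$IFCONFIG" "$1" >/dev/null 2>&1
}

# wait_for_iface NAME SECONDS: poll once a second until the interface shows
# up or the timeout runs out; returns 1 on timeout.
wait_for_iface() {
    _name=$1; _left=$2
    while [ "$_left" -gt 0 ]; do
        iface_exists "$_name" && return 0
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# load_pf CONF: -n parses without loading, so a ruleset that does not parse
# (e.g. a bare interface name that does not exist yet) is rejected here and
# the currently loaded rules stay in place; only then load it for real.
load_pf() {
    "$PFCTL" -nf "$1" || return 1
    "$PFCTL" -f "$1"
}

start() {
    ppp -ddial "$PPP_PROFILE" || return 1
    if ! wait_for_iface "$EXT_IF" 60; then
        echo "$EXT_IF did not appear within 60s; pf rules not loaded" >&2
        return 1
    fi
    load_pf "$PF_CONF"
}

case "$1" in
start) start ;;
esac
```

Install it as /usr/local/etc/rc.d/something.sh and call it with the argument "start"; with no argument the script only defines its functions.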