From owner-freebsd-pf@FreeBSD.ORG Tue Jan 17 19:06:21 2006
Date: Tue, 17 Jan 2006 13:06:13 -0600
From: Bill Marquette
To: stephen
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + PPPoE
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 1/17/06, stephen wrote:
> What Rudi means to say is, in his rc.conf he has stuck instructions
> for his ppp to start on boot, and for pf to load on boot. Problem is
> FreeBSD creates tun0 when ppp runs for the first time, not when the
> machine boots up, and as his pf.conf refers to tun0, pf won't start if
> it runs before ppp has started, as there is no tun0 device and pf bombs
> out saying 'no such device'. (I know, because I had a similar issue ;-)
>
> What I did was make a start script in /usr/local/etc/rc.d/ that runs
> ppp, sleeps for 30 seconds (should be more than enough - I use
> Telkom's ADSL, which takes about 10 seconds, and I think my mate's
> iBurst connects in less than 30 seconds) and -then- runs pf -f
> /etc/pf.conf
>
> That should do the trick.

And yet pf doesn't care about interfaces that don't exist if your syntax is correct.

# cat f
nat on tun0 from lo0:network to any -> (tun0)
pass in on tun0 from any to (tun0)
# pfctl -f f
# pfctl -sr
pass in on tun0 from any to (tun0)
# ifconfig tun0
ifconfig: interface tun0 does not exist

There are numerous syntax errors in his config, mainly all around not surrounding interfaces with parens. The following parses and loads just fine on my box (which has neither tun0 nor fxp0). Note that I had to comment out the set loginterface, which can't possibly work if tun0 doesn't exist.
--Bill

#define Macros
ext_if = "tun0"
int_if = "fxp0"
tcp_services = "22"
priv_net = "{ 127.0.0.0/8, 192.168.0.0/24, 172.16.0.0/12, 10.0.0.0/8 }"
secure_mail = "196.1.1.1"
tech_net = "196.1.1.1/24"
admin_mweb = "196.1.1.1"
allow_web = "{ 196.1.1.1, 196.2.2.2, 196.2.2.2, 196.3.3.3, (tun0) }"

#options
set block-policy return
#set loginterface $ext_if

#Scrubs
scrub in all

#Nat
nat on $ext_if from ($int_if:network) to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 6161

#Rules
pass in log quick on $int_if inet proto tcp from any to 127.0.0.1 port 6161 keep state

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block log quick inet6 all

#default to deny
block in log all
block out log all

# Block bad tcp flags from malicious people and nmap scans
block in log quick on $ext_if proto tcp from any to any flags /S
block in log quick on $ext_if proto tcp from any to any flags /SFRA
block in log quick on $ext_if proto tcp from any to any flags /SFRAU
block in log quick on $ext_if proto tcp from any to any flags A/A
block in log quick on $ext_if proto tcp from any to any flags F/SFRA
block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SF/SF
block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if proto tcp from any to any flags SR/SR
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP
block in log quick on $ext_if proto tcp all flags FUP/FUP

#allow loopback
pass quick on lo0 all

#block private networks from inside out
block drop in log quick on $ext_if from $priv_net to any
block drop out log quick on $ext_if from any to $priv_net

#allow internal network out
pass in log on $int_if from ($int_if:network) to any keep state

#VPN out from internal network
pass in log on $int_if proto gre keep state
pass in log on $int_if proto tcp from any to any port 1723 keep state
pass out log on $ext_if proto gre keep state
pass out log on $ext_if proto tcp from any to any port 1723 keep state

#allow admin.mweb.net inside
pass in log on $ext_if proto tcp from $admin_mweb to ($ext_if) port 22 keep state
pass in log on $ext_if proto tcp from $tech_net to ($ext_if) port 22 keep state

#allow mweb staff web inside
pass in log on $ext_if proto tcp from $allow_web to ($ext_if) port 80 keep state
pass out log on $ext_if from ($int_if:network) to any keep state

#allow from fw to out
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
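The rule Bill is applying is easy to state but easy to miss in a long ruleset: an interface name used in an address position (after "from", "to" or "->") without parentheses is resolved to its addresses when pfctl loads the file, so it fails if the interface is not there yet, whereas "(tun0)" is looked up at runtime, and "on tun0" is matched by name and never needs the interface to exist; "set loginterface" is the other load-time reference. The linter below is an added example written for this thread, not code from the original mail or from pf. It covers only the pf.conf subset the quoted config uses (macros, "{ }" lists, ":network"-style modifiers), treats every macro value that looks like an interface name as one that may be absent at load time, and runs on a constructed sample that reuses the thread's macros; SAMPLE_CONF and the function names are my own.

```python
"""Flag pf.conf references that break loading when an interface (e.g. a PPPoE
tun0 created after boot) does not exist yet.  Added example, not pf's own code."""
import re

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"(.*)"\s*$')
IFACE_RE = re.compile(r'^[a-z]+\d+$')          # tun0, fxp0, em1, vlan100 ...
ADDR_KEYWORDS = {"from", "to", "->"}           # positions where addresses appear


def parse_macros(text):
    """Return {name: value} for lines of the form  name = "value"."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros):
    """Substitute $name references, repeating so nested macros resolve."""
    for _ in range(8):
        new = re.sub(r'\$([A-Za-z_]\w*)',
                     lambda m: macros.get(m.group(1), m.group(0)), line)
        if new == line:
            break
        line = new
    return line


def tokens(line):
    """Split a rule into tokens; braces become their own tokens, commas vanish."""
    line = line.split('#', 1)[0]
    line = line.replace('{', ' { ').replace('}', ' } ').replace(',', ' ')
    return line.split()


def address_items(toks, i):
    """Yield the address item(s) that follow toks[i] ('from', 'to' or '->')."""
    j = i + 1
    if j >= len(toks):
        return
    if toks[j] == '{':
        j += 1
        while j < len(toks) and toks[j] != '}':
            yield toks[j]
            j += 1
    else:
        yield toks[j]


def is_bare_iface(item, ifaces):
    """True if item is an interface (optionally negated or with :network etc.)
    written without the parentheses that defer address lookup to runtime."""
    if item.startswith('(') and item.endswith(')'):
        return False
    base = item.lstrip('!').split(':', 1)[0]
    return base in ifaces


def lint(text, dynamic_ifaces=None):
    """Return [(line_number, message)] for load-time references to interfaces
    that may be absent.  dynamic_ifaces defaults to every macro value that
    looks like an interface name."""
    macros = parse_macros(text)
    ifaces = set(dynamic_ifaces) if dynamic_ifaces is not None else {
        v for v in macros.values() if IFACE_RE.match(v)}
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if MACRO_RE.match(raw):
            continue
        toks = tokens(expand(raw, macros))
        if len(toks) >= 3 and toks[:2] == ['set', 'loginterface'] and toks[2] in ifaces:
            findings.append((n, f"set loginterface {toks[2]}: fails while {toks[2]} is absent"))
            continue
        for i, t in enumerate(toks):
            if t in ADDR_KEYWORDS:
                for item in address_items(toks, i):
                    if is_bare_iface(item, ifaces):
                        findings.append((n, f"'{item}' after '{t}' is resolved at load time; write '({item})'"))
    return findings


# Constructed sample (not the poster's full config): the thread's two macros plus
# rules showing what is caught (lines 3, 5 and 7) and what passes (lines 4 and 6).
SAMPLE_CONF = """\
ext_if = "tun0"
int_if = "fxp0"
set loginterface $ext_if
nat on $ext_if from ($int_if:network) to any -> ($ext_if)
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass in on $int_if from ($int_if:network) to any keep state
pass out on $ext_if from { $int_if:network, $ext_if } to any keep state
"""

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```

Fed the config Bill posted above, lint() reports nothing, which matches his observation that it loads without tun0 or fxp0; uncommenting the "set loginterface $ext_if" line produces exactly one finding. The check is a complement to, not a substitute for, "pfctl -nf /etc/pf.conf" on the real box, since it knows nothing of pf's full grammar.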