Date: Tue, 13 Feb 2007 14:07:36 -0600 (CST)
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: freebsd-pf@freebsd.org
Subject: Re: pf starts, but no rules
Message-ID: <Pine.NEB.4.64.0702131407110.815@glacier.reedmedia.net>
In-Reply-To: <45D1B27B.5615.291E28A7@dan.langille.org>
References: <45CDED58.2056.1A642A00@dan.langille.org>, <200702131321.18333.max@love2party.net> <45D1B27B.5615.291E28A7@dan.langille.org>
> > One possible solution that has been suggested would be to use a simple
> > deny all but ssh/dns ruleset in the first stage and load the real ruleset
> > once all interfaces are there and the resolver is working. I'm willing
> > to commit patches, though this is probably something best discussed on
> > freebsd-rc@

By the way, NetBSD and OpenBSD do that.

NetBSD has an /etc/rc.d/pf_boot that is BEFORE network that loads the
/etc/pf.boot.conf (if it exists) or /etc/defaults/pf.boot.conf which contains:

    # Default deny.
    block all

    # Don't block loopback.
    pass on lo0

    # Allow outgoing dns, needed by pfctl to resolve names.
    pass out proto { tcp, udp } from any to any port 53 keep state

    # Allow outgoing ping request, might be needed by dhclient to validate
    # old (but valid) leases in /var/db/dhclient.leases in case it needs to
    # fall back to such a lease (the dhcp server can be down or not responding).
    pass out inet proto icmp all icmp-type echoreq keep state

    # Allow IPv6 router/neighbor solicitation and advertisement.
    pass out inet6 proto icmp6 all icmp6-type neighbrsol
    pass in inet6 proto icmp6 all icmp6-type neighbradv
    pass out inet6 proto icmp6 all icmp6-type routersol
    pass in inet6 proto icmp6 all icmp6-type routeradv

The regular /etc/rc.d/pf requires networking to be done first.

On OpenBSD, it loads rules like:

    block all
    pass on lo0
    pass in proto tcp from any to any port 22 keep state
    pass out proto { tcp, udp } from any to any port 53 keep state
    pass out inet proto icmp all icmp-type echoreq keep state
    pass out inet6 proto icmp6 all icmp6-type neighbrsol
    pass in inet6 proto icmp6 all icmp6-type neighbradv
    pass out inet6 proto icmp6 all icmp6-type routersol
    pass in inet6 proto icmp6 all icmp6-type routeradv
    pass proto { pfsync, carp }
    scrub in all no-df
    pass in proto udp from any port { 111, 2049 } to any
    pass out proto udp from any to any port { 111, 2049 }

(Note it only loads some of these if inet6 is enabled and if NFS is enabled.)

Jeremy C. Reed
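The two-stage approach described in this message (a default-deny boot ruleset loaded before networking, the real ruleset after), as an added example that is not part of the mail and is not the NetBSD or OpenBSD rc script. The function names, the YES/NO knobs for inet6 and NFS, the PF_* environment variables and the temp-file handling are assumptions; the rules themselves are the ones listed above, and the inet6 and NFS lines are emitted only when the matching knob is set, mirroring the conditional loading the mail describes.

```shell
#!/bin/sh
# Added example (not from the mail or from NetBSD/OpenBSD rc scripts):
# build a minimal pre-network pf ruleset and load it with pfctl.
# Function names, the YES/NO knobs and the PF_* variables are assumptions.

# pf_boot_rules INET6 NFS -> prints a boot-time ruleset on stdout.
# Default deny first, then loopback, ssh in, dns out and ping out;
# IPv6 neighbor/router discovery only if INET6=YES, NFS/portmap only if NFS=YES.
pf_boot_rules() {
    inet6=${1:-NO}
    nfs=${2:-NO}
    cat <<'EOF'
# Default deny until the full ruleset is loaded after networking is up.
block all
pass on lo0
pass in proto tcp from any to any port 22 keep state
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto icmp all icmp-type echoreq keep state
EOF
    if [ "$inet6" = YES ]; then
        cat <<'EOF'
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
EOF
    fi
    if [ "$nfs" = YES ]; then
        cat <<'EOF'
pass in proto udp from any port { 111, 2049 } to any
pass out proto udp from any to any port { 111, 2049 }
EOF
    fi
}

# pf_boot_conf LOCAL DEFAULTS -> prints the first readable file, the same
# local-override-then-defaults choice the NetBSD pf_boot script makes.
# Returns 1 if neither exists, so the caller can fall back to pf_boot_rules.
pf_boot_conf() {
    for f in "$1" "$2"; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# pf_boot_load FILE -> syntax-check the file (-n) before replacing the
# active ruleset; refuses to run where pfctl is not installed.
pf_boot_load() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found" >&2; return 1; }
    pfctl -n -f "$1" && pfctl -f "$1"
}

# Stand-alone usage: only runs when PF_BOOT_MAIN=yes, so sourcing the file
# for tests does not touch the live firewall.
if [ "${PF_BOOT_MAIN:-no}" = yes ]; then
    conf=$(pf_boot_conf "${PF_LOCAL_CONF:-/etc/pf.boot.conf}" \
                        "${PF_DEFAULT_CONF:-/etc/defaults/pf.boot.conf}") || {
        conf=$(mktemp) || exit 1
        pf_boot_rules "${PF_INET6:-NO}" "${PF_NFS:-NO}" > "$conf"
    }
    pf_boot_load "$conf"
fi
```

The generated ruleset always starts with `block all`, so anything not explicitly passed stays closed during the window between interface configuration and the load of the full /etc/pf.conf; `pfctl -n` catches a syntax error in the boot file before it can leave the box with no rules at all.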