From owner-freebsd-pf@FreeBSD.ORG Fri Jun 26 11:58:22 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AC2361065742; Fri, 26 Jun 2009 11:58:22 +0000 (UTC) (envelope-from dimitry@andric.com) Received: from tensor.andric.com (cl-327.ede-01.nl.sixxs.net [IPv6:2001:7b8:2ff:146::2]) by mx1.freebsd.org (Postfix) with ESMTP id 697E78FC18; Fri, 26 Jun 2009 11:58:22 +0000 (UTC) (envelope-from dimitry@andric.com) Received: from [IPv6:2001:7b8:3a7:0:98bc:1464:29cc:daae] (unknown [IPv6:2001:7b8:3a7:0:98bc:1464:29cc:daae]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tensor.andric.com (Postfix) with ESMTPSA id 95F105C42; Fri, 26 Jun 2009 13:58:21 +0200 (CEST) Message-ID: <4A44B7DE.2090503@andric.com> Date: Fri, 26 Jun 2009 13:58:22 +0200 From: Dimitry Andric User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1pre) Gecko/20090620 Shredder/3.0b3pre MIME-Version: 1.0 To: Max Laier References: <4A444BC2.4010606@FreeBSD.org> <200906261104.07597.max@love2party.net> In-Reply-To: <200906261104.07597.max@love2party.net> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw@freebsd.org, freebsd-current@freebsd.org, freebsd-pf@freebsd.org Subject: Re: pfsync rc script breaks pfsync on cloned interfaces X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Jun 2009 11:58:24 -0000 On 2009-06-26 11:04, Max Laier wrote: > I would like input about how a very simple "save default" setup could look > like. A ruleset for pf or ipfw that allows most of the boot process to > complete without opening the host to the outside world, yet. For extra > points this ruleset is aware of the rc.conf variables and adjusts > accordingly (e.g. opening access to sshd iff it is configured). In > addition there might be *one or two* configuration variables for the early > stage to open additional ports or to select a default interface. However, > the fewer the better. If you look at how OpenBSD implements their /etc/rc script, you will see it first loads a simple PF ruleset, which allows ssh, dns, icmp echo and (if applicable) IPv6 routing and neighbor advertisements. Then it does the regular network setup (/etc/netstart), followed by loading the full PF rules. Relevant excerpt: ###################### if [ X"${pf}" != X"NO" ]; then RULES="block all" RULES="$RULES\npass on lo0" RULES="$RULES\npass in proto tcp from any to any port 22 keep state" RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep state" RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state" if ifconfig lo0 inet6 >/dev/null 2>&1; then RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol" RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv" RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol" RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv" fi RULES="$RULES\npass proto carp keep state (no-sync)" case `sysctl vfs.mounts.nfs 2>/dev/null` in *[1-9]*) # don't kill NFS RULES="set reassemble yes no-df\n$RULES" RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any" RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 }" ;; esac echo $RULES | pfctl -f - pfctl -e fi # Fill net.inet.(tcp|udp).baddynamic lists from /etc/services fill_baddynamic udp fill_baddynamic tcp sysctl_conf # set hostname, turn on network echo 'starting network' ifconfig -g carp carpdemote 128 if [ -f /etc/resolv.conf.save ]; then mv /etc/resolv.conf.save /etc/resolv.conf touch /etc/resolv.conf fi . /etc/netstart if [ X"${pf}" != X"NO" ]; then if [ -f ${pf_rules} ]; then pfctl -f ${pf_rules} fi # bring up pfsync after the working ruleset has been loaded if [ -f /etc/hostname.pfsync0 ]; then . /etc/netstart pfsync0 fi fi ###################### Perhaps this approach can be molded into /etc/rc.d form? :)