From: Max Laier
Organization: FreeBSD
To: freebsd-rc@freebsd.org
Cc: freebsd-pf@freebsd.org
Date: Tue, 13 Feb 2007 22:26:31 +0100
Subject: Re: pf starts, but no rules
Message-Id: <200702132226.40415.max@love2party.net>
References: <45CDED58.2056.1A642A00@dan.langille.org> <45D1B27B.5615.291E28A7@dan.langille.org>

Does anyone have time to get something like this going for FreeBSD as
well?

On Tuesday 13 February 2007 21:07, Jeremy C. Reed wrote:
> > > One possible solution that has been suggested would be to use a
> > > simple deny all but ssh/dns ruleset in the first stage and load the
> > > real ruleset once all interfaces are there and the resolver is
> > > working. I'm willing to commit patches, though this is probably
> > > something best discussed on freebsd-rc@
>
> By the way, NetBSD and OpenBSD do that. NetBSD has an /etc/rc.d/pf_boot
> that is BEFORE network that loads the /etc/pf.boot.conf (if exists) or
> /etc/defaults/pf.boot.conf which contains:
>
> # Default deny.
> block all
>
> # Don't block loopback.
> pass on lo0
>
> # Allow outgoing dns, needed by pfctl to resolve names.
> pass out proto { tcp, udp } from any to any port 53 keep state
>
> # Allow outgoing ping request, might be needed by dhclient to validate
> # old (but valid) leases in /var/db/dhclient.leases in case it needs to
> # fall back to such a lease (the dhcp server can be down or not
> # responding).
> pass out inet proto icmp all icmp-type echoreq keep state
>
> # Allow IPv6 router/neighbor solicitation and advertisement.
> pass out inet6 proto icmp6 all icmp6-type neighbrsol
> pass in inet6 proto icmp6 all icmp6-type neighbradv
> pass out inet6 proto icmp6 all icmp6-type routersol
> pass in inet6 proto icmp6 all icmp6-type routeradv
>
> > The regular /etc/rc.d/pf requires networking to be done first.
>
> On OpenBSD, it loads rules like:
>
> block all
> pass on lo0
> pass in proto tcp from any to any port 22 keep state
> pass out proto { tcp, udp } from any to any port 53 keep state
> pass out inet proto icmp all icmp-type echoreq keep state
> pass out inet6 proto icmp6 all icmp6-type neighbrsol
> pass in inet6 proto icmp6 all icmp6-type neighbradv
> pass out inet6 proto icmp6 all icmp6-type routersol
> pass in inet6 proto icmp6 all icmp6-type routeradv
> pass proto { pfsync, carp }
> scrub in all no-df
> pass in proto udp from any port { 111, 2049 } to any
> pass out proto udp from any to any port { 111, 2049 }
>
> (Note it only loads some of these if inet6 is enabled and if NFS is enabled.)

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
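A FreeBSD rc.d counterpart to the NetBSD pf_boot script described above, as an added example that is neither part of this thread nor FreeBSD's own rc.d/pf. The script name pf_boot, the rc variable pf_boot_enable and the /etc/pf.boot.conf and /etc/defaults/pf.boot.conf paths are assumptions modelled on the NetBSD layout; it orders itself BEFORE netif so a default-deny ruleset is in place before any interface is configured.

```shell
#!/bin/sh
#
# PROVIDE: pf_boot
# REQUIRE: root
# BEFORE: netif
# KEYWORD: nojail
#
# Added example: load a minimal boot-time ruleset (deny all but ssh/dns)
# before netif, closing the window where interfaces are up but pf has no
# rules. The file names and pf_boot_enable are assumed, not FreeBSD's.

# Pick the boot ruleset the way NetBSD does: the admin's file if present,
# otherwise the shipped default. $1 is a root prefix (empty on a real
# system; a scratch directory when exercising the function off-box).
pf_boot_select_conf()
{
	if [ -r "$1/etc/pf.boot.conf" ]; then
		echo "$1/etc/pf.boot.conf"
	else
		echo "$1/etc/defaults/pf.boot.conf"
	fi
}

pf_boot_start()
{
	local conf
	conf=$(pf_boot_select_conf "")
	if [ ! -r "$conf" ]; then
		warn "no boot ruleset found; pf left disabled"
		return 1
	fi
	load_kld pf || return 1
	echo "Loading pf boot ruleset from $conf."
	# Install the rules first, then enable: the boot ruleset uses only
	# port numbers, so pfctl needs no working resolver at this point.
	/sbin/pfctl -q -f "$conf" && /sbin/pfctl -q -e
}

# rc.subr exists only on FreeBSD; skipping it keeps the helper runnable elsewhere.
if [ -r /etc/rc.subr ] && [ $# -gt 0 ]; then
	. /etc/rc.subr
	name="pf_boot"
	rcvar="pf_boot_enable"
	start_cmd="pf_boot_start"
	stop_cmd=":"
	load_rc_config $name
	run_rc_command "$1"
fi
```

The full ruleset from /etc/pf.conf is then loaded as usual by /etc/rc.d/pf once netif and the resolver are available.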