From owner-freebsd-rc@FreeBSD.ORG Mon Feb 12 11:10:51 2007
From: FreeBSD bugmaster
To: freebsd-rc@FreeBSD.org
Date: Mon, 12 Feb 2007 11:10:48 GMT
Message-Id: <200702121110.l1CBAmoB098806@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/48881   rc    [PATCH] The influence of /etc/start_ifname on /etc/rc.
o conf/98758   rc    [patch] Templatize 'jail_fstab' in /etc/rc.d/jail
o conf/98846   rc    [patch] Templatize 'jail_rootdir' in /etc/rc.d/jail
o bin/104623   rc    "rc.d/ppp restart" stops all instances of ppp
o conf/105689  rc    syslogd starts too late at boot
o conf/107155  rc    /etc/rc.d/ppp-user does not bring up pppoe at boot
o conf/107278  rc    [patch] possible DoS when using the jail_interface opt
o conf/107316  rc    [rc.d]: [base] [rpc.lockd] nfslocking restart does not
o conf/107364  rc    pf fails to start on bootup after system update from F
o conf/108226  rc    second copy of ppp started at boot time

10 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/45226   rc    Fix for rc.network, ppp-user annoyance
o conf/48870   rc    [PATCH] rc.network: allow to cancel interface status d
o conf/55916   rc    [PATCH] ppp-user options
o conf/58939   rc    [patch] dumb little hack for /etc/rc.firewall{,6}
o conf/73677   rc    [patch] add support for powernow states to power_profi
o conf/74817   rc    [patch] network.subr: fixed automatic configuration of
o conf/77663   rc    Suggestion: add /etc/rc.d/addnetswap after addcritremo
o conf/78906   rc    [patch] Allow mixer_enable="NO" in rc.conf
o conf/79196   rc    [PATCH] configurable dummynet loading from /etc/rc.co
o kern/81006   rc    ipnat not working with tunnel interfaces on startup
o conf/85363   rc    syntax error in /etc/rc.d/devfs
o conf/85819   rc    [patch] script allowing multiuser mode in spite of fsc
o conf/88913   rc    [patch] wrapper support for rc.subr
o conf/89061   rc    [patch] IPv6 6to4 auto-configuration enhancement
o conf/89870   rc    [patch] feature request to make netif verbose rc.conf
o conf/92523   rc    [patch] allow rc scripts to kill process after a timeo
o conf/93815   rc    [patch] Adds in the ability to save ipfw rules to rc.d
o conf/95162   rc    [patch] Missing feature in rc.subr
o conf/96343   rc    [patch] rc.d order change to start inet6 before pf
o conf/99444   rc    [patch] Enhancement: rc.subr could easily support star
o conf/99595   rc    [PATCH] /etc/rc.d/dhclient doesn't interact well with
o conf/99721   rc    [patch] /etc/rc.initdiskless problem copy dotfile in s
o conf/102700  rc    [PATCH] Add encrypted /tmp support to GELI/GBDE rc.d s
o conf/102722  rc    kerberos5 server startupscript should use --detach
o conf/102913  rc    /etc/rc.d/named killall in jailed OS
o conf/103486  rc    [rc.d] [patch] rc.d/jail: mount fstab after devfs
o conf/103489  rc    [rc.d] [patch] named_chroot_autoupdate doesn't work in
o conf/103976  rc    rc.d/named restart failure
o conf/104408  rc    command not set in rc.d/isdnd, can't stop isdnd with t
o conf/104549  rc    [patch] rc.d/nfsd needs special _find_processes functi
o conf/105145  rc    [PATCH] add redial function to rc.d/ppp
o conf/105568  rc    [patch] Add more flexibility to rc.conf, to choose "_e
o conf/106009  rc    [patch] Fix pppoed startup script to process multiply
o conf/106873  rc    [patch] rc.d/nfslocking does not properly restart
o conf/106978  rc    "daily run" incorrectly assumes auth.log is rolled mor
o conf/107035  rc    bridge interface given in rc.conf not taking an (stati
o conf/108988  rc    [patch] RELENG_6_2 rc.d/jail unaliases incorrectly, on

37 problems total.

From owner-freebsd-rc@FreeBSD.ORG Tue Feb 13 04:48:34 2007
From: Philipp Wuensche
To: Mark Linimon
Cc: freebsd-bugs@FreeBSD.org, freebsd-rc@FreeBSD.org
Date: Tue, 13 Feb 2007 05:21:50 +0100
Message-ID: <45D13CDE.9070804@h3q.com>
In-Reply-To: <200612281339.kBSDdqPO081584@freefall.freebsd.org>
Subject: Re: conf/107278: [patch] possible DoS when using the jail_interface option in rc.conf introduced with 6.2

Mark Linimon wrote:
> Old Synopsis: Possible DoS when using the jail_interface option in rc.conf introduced with 6.2
> New Synopsis: [patch] possible DoS when using the jail_interface option in rc.conf introduced with 6.2
>
> Responsible-Changed-From-To: freebsd-bugs->freebsd-rc
> Responsible-Changed-By: linimon
> Responsible-Changed-When: Thu Dec 28 13:39:33 UTC 2006
> Responsible-Changed-Why:
> Over to maintainer(s).
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=107278

Discussion got up again on freebsd-stable@ so I wanted to ask why the
patch still isn't present in RELENG_6_2?
greetings,
philipp

From owner-freebsd-rc@FreeBSD.ORG Tue Feb 13 18:10:16 2007
From: "Simon L. Nielsen"
To: freebsd-rc@FreeBSD.org
Date: Tue, 13 Feb 2007 18:10:16 GMT
Message-Id: <200702131810.l1DIAGSp038148@freefall.freebsd.org>
Subject: Re: conf/107278: [patch] possible DoS when using the jail_interface option in rc.conf introduced with 6.2

The following reply was made to PR conf/107278; it has been noted by GNATS.

From: "Simon L. Nielsen"
To: Philipp Wuensche
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: conf/107278: [patch] possible DoS when using the jail_interface option in rc.conf introduced with 6.2
Date: Tue, 13 Feb 2007 19:04:33 +0100

On 2007.02.13 05:21:50 +0100, Philipp Wuensche wrote:
> Mark Linimon wrote:
> > Old Synopsis: Possible DoS when using the jail_interface option in rc.conf introduced with 6.2
> > New Synopsis: [patch] possible DoS when using the jail_interface option in rc.conf introduced with 6.2
> >
> > Responsible-Changed-From-To: freebsd-bugs->freebsd-rc
> > Responsible-Changed-By: linimon
> > Responsible-Changed-When: Thu Dec 28 13:39:33 UTC 2006
> > Responsible-Changed-Why:
> > Over to maintainer(s).
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=107278
>
> Discussion got up again on freebsd-stable@ so I wanted to ask why the
> patch still isn't present in RELENG_6_2?

It didn't make it in before the release, so it requires an Errata Notice
to get in now. There are also a few other issues which need Errata, so
perhaps this can be included then.

-- 
Simon L. Nielsen

From owner-freebsd-rc@FreeBSD.ORG Tue Feb 13 21:40:38 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-rc@freebsd.org
Cc: "Jeremy C. Reed", freebsd-pf@freebsd.org
Date: Tue, 13 Feb 2007 22:26:31 +0100
Message-Id: <200702132226.40415.max@love2party.net>
Subject: Re: pf starts, but no rules

Does anyone have time to get something like this going for FreeBSD as
well?

On Tuesday 13 February 2007 21:07, Jeremy C. Reed wrote:
> > > One possible solution that has been suggested would be to use a
> > > simple deny all but ssh/dns ruleset in the first stage and load the
> > > real ruleset once all interfaces are there and the resolver is
> > > working. I'm willing to commit patches, though this is probably
> > > something best discussed on freebsd-rc@
>
> By the way, NetBSD and OpenBSD do that. NetBSD has an /etc/rc.d/pf_boot
> that is BEFORE network that loads the /etc/pf.boot.conf (if exists) or
> /etc/defaults/pf.boot.conf which contains:
>
> # Default deny.
> block all
>
> # Don't block loopback.
> pass on lo0
>
> # Allow outgoing dns, needed by pfctl to resolve names.
> pass out proto { tcp, udp } from any to any port 53 keep state
>
> # Allow outgoing ping request, might be needed by dhclient to validate
> # old (but valid) leases in /var/db/dhclient.leases in case it needs to
> # fall back to such a lease (the dhcp server can be down or not
> # responding).
> pass out inet proto icmp all icmp-type echoreq keep state
>
> # Allow IPv6 router/neighbor solicitation and advertisement.
> pass out inet6 proto icmp6 all icmp6-type neighbrsol
> pass in inet6 proto icmp6 all icmp6-type neighbradv
> pass out inet6 proto icmp6 all icmp6-type routersol
> pass in inet6 proto icmp6 all icmp6-type routeradv
>
> The regular /etc/rc.d/pf requires networking to be done first.
>
> On OpenBSD, it loads rules like:
>
> block all
> pass on lo0
> pass in proto tcp from any to any port 22 keep state
> pass out proto { tcp, udp } from any to any port 53 keep state
> pass out inet proto icmp all icmp-type echoreq keep state
> pass out inet6 proto icmp6 all icmp6-type neighbrsol
> pass in inet6 proto icmp6 all icmp6-type neighbradv
> pass out inet6 proto icmp6 all icmp6-type routersol
> pass in inet6 proto icmp6 all icmp6-type routeradv
> pass proto { pfsync, carp }
> scrub in all no-df
> pass in proto udp from any port { 111, 2049 } to any
> pass out proto udp from any to any port { 111, 2049 }
>
> (Note it only loads some of these if the inet6 and if NFS is enabled.)

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
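The NetBSD and OpenBSD bootstrap rulesets quoted above share one shape: a bare default deny first, then a short list of narrow exceptions. The following Python checker is an added example (not from this thread, and not NetBSD's, OpenBSD's or pf's own tooling): it parses the small pf.conf subset those rulesets use, carries both rulesets transcribed from the message above as constructed input, and reports where a candidate early ruleset departs from that shape. The three checks are the editor's own: the first filter rule must be a bare `block all` (pf filter rules are last-match-wins, so anything else leaves traffic that the later `pass` lines never had to justify), no direction-less `pass` except on loopback, and every `pass in` pinned to a destination port or an ICMP type rather than to a source port the remote side chooses. Inbound SSH is reported as informational, since the thread is undecided on it.

```python
"""Checks for a pf bootstrap ruleset (added example; see the lead-in).
The two rulesets are transcribed from the quoted message; the checks are
the editor's own and cover only the pf.conf subset those rulesets use."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Transcribed from the quoted NetBSD /etc/defaults/pf.boot.conf.
NETBSD_BOOT = """
block all
pass on lo0
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
"""
# Transcribed from the quoted OpenBSD boot-time ruleset.
OPENBSD_BOOT = """
block all
pass on lo0
pass in proto tcp from any to any port 22 keep state
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
pass proto { pfsync, carp }
scrub in all no-df
pass in proto udp from any port { 111, 2049 } to any
pass out proto udp from any to any port { 111, 2049 }
"""

@dataclass
class Rule:
    action: str                      # pass, block, scrub, set, ...
    direction: Optional[str] = None  # 'in', 'out' or None (both ways)
    iface: Optional[str] = None      # interface named after 'on'
    proto: List[str] = field(default_factory=list)
    src_port: List[str] = field(default_factory=list)
    dst_port: List[str] = field(default_factory=list)
    icmp_type: Optional[str] = None
    raw: str = ""

def _take_list(tokens: List[str], i: int) -> Tuple[List[str], int]:
    # One token, or a "{ a b c }" list; returns the values and the next index.
    if tokens[i] == "{":
        j = tokens.index("}", i)
        return tokens[i + 1:j], j + 1
    return [tokens[i]], i + 1

def parse_rule(line: str) -> Rule:
    tokens = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    rule, side, i = Rule(action=tokens[0], raw=line), None, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("in", "out"):
            rule.direction, i = tok, i + 1
        elif tok == "on":
            rule.iface, i = tokens[i + 1], i + 2
        elif tok == "proto":
            rule.proto, i = _take_list(tokens, i + 1)
        elif tok in ("from", "to"):
            side, i = tok, i + 1          # which end a following 'port' binds to
        elif tok == "port":
            ports, i = _take_list(tokens, i + 1)
            (rule.src_port if side == "from" else rule.dst_port).extend(ports)
        elif tok in ("icmp-type", "icmp6-type"):
            rule.icmp_type, i = tokens[i + 1], i + 2
        else:
            i += 1                        # any, all, inet, inet6, keep, state, no-df
    return rule

def parse_ruleset(text: str) -> List[Rule]:
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [parse_rule(ln) for ln in lines if ln]

def audit_bootstrap_ruleset(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a candidate early ruleset."""
    rules, findings = parse_ruleset(text), []
    filters = [r for r in rules if r.action in ("pass", "block")]
    # pf filter rules are last-match-wins: the default deny must be the first
    # filter rule, otherwise the later 'pass' lines are not the only way through.
    if not filters or filters[0].raw.split() != ["block", "all"]:
        findings.append(("error", "first filter rule is not a bare 'block all'"))
    for r in (r for r in rules if r.action == "pass"):
        if r.iface and r.iface.startswith("lo"):
            continue                      # loopback is expected to be open at boot
        if r.direction is None:
            findings.append(("warn", "bidirectional pass off loopback: " + r.raw))
        elif r.direction == "in":
            if r.dst_port:
                if any(p in ("22", "ssh") for p in r.dst_port):
                    findings.append(("info", "inbound SSH open before the full ruleset: " + r.raw))
            elif r.icmp_type:
                pass                      # pinned to one ICMP(v6) type, e.g. neighbradv
            elif r.src_port:
                findings.append(("warn", "inbound pass keyed only on the peer-chosen source port: " + r.raw))
            else:
                findings.append(("error", "inbound pass with no port or ICMP-type restriction: " + r.raw))
    return findings
```

Calling `audit_bootstrap_ruleset(NETBSD_BOOT)` returns no findings; `audit_bootstrap_ruleset(OPENBSD_BOOT)` returns one informational finding for the port 22 rule and two warnings, for the bidirectional `pass proto { pfsync, carp }` and for the NFS rule that is keyed on source port only. Feeding it a candidate /etc/pf.early.conf before wiring it into rc.d is the intended use; it is a shape check, not a substitute for `pfctl -n -f`.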
From: "Kian Mohageri"
To: "Max Laier"
Cc: freebsd-rc@freebsd.org, freebsd-pf@freebsd.org
Date: Tue, 13 Feb 2007 21:37:13 -0800
In-Reply-To: <200702132226.40415.max@love2party.net>
Subject: Re: pf starts, but no rules

On 2/13/07, Max Laier wrote:
>
> Does anyone have time to get something like this going for FreeBSD as
> well?

I tested out some solutions. I'm not sure if this is what you guys were
looking to do, but NetBSD's solution seems fine. I'm not thrilled about
using another rc-script to solve this issue, but I couldn't think of a
simpler/more elegant solution.

Diff is against CURRENT, and I don't currently have any boxes running
CURRENT, but I tested it as much as I could. I'll get a box up to CURRENT
later to test other patches.

I couldn't decide what to pass in this initial ruleset. Passing SSH seems
safe/smart, but surely not everyone will agree.

Sorry if this is way off :)

-- 
Kian Mohageri

[Attachment pf_early.diff (application/octet-stream), decoded from base64:]

diff -ruN etc/defaults/Makefile etc.new/defaults/Makefile
--- etc/defaults/Makefile	Fri Dec  9 07:19:31 2005
+++ etc.new/defaults/Makefile	Tue Feb 13 20:08:25 2007
@@ -1,6 +1,6 @@
 # $FreeBSD: src/etc/defaults/Makefile,v 1.7 2005/12/09 15:19:31 ru Exp $
 
-FILES=	bluetooth.device.conf devfs.rules pccard.conf periodic.conf rc.conf
+FILES=	bluetooth.device.conf devfs.rules pccard.conf periodic.conf pf.early.conf rc.conf
 NO_OBJ=
 FILESDIR= /etc/defaults
 
diff -ruN etc/defaults/pf.early.conf etc.new/defaults/pf.early.conf
--- etc/defaults/pf.early.conf	Wed Dec 31 16:00:00 1969
+++ etc.new/defaults/pf.early.conf	Tue Feb 13 20:08:01 2007
@@ -0,0 +1,22 @@
+# $FreeBSD: src/etc/defaults/pf.early.conf$
+
+# Default deny
+block all
+
+# Don't filter loopback interface(s) 
+set skip on lo
+
+# Allow incoming SSH
+pass in proto tcp from any to any port ssh keep state
+
+# Allow outgoing DNS, needed by pfctl to resolve any FQDNs
+pass out proto { tcp, udp } from any to any port 53 keep state
+
+# Allow outgoing ping
+pass out inet proto icmp all icmp-type echoreq keep state
+
+# Allow IPv6 router/neighbor solicitation and advertisement
+pass out inet6 proto icmp6 all icmp6-type neighbrsol
+pass in inet6 proto icmp6 all icmp6-type neighbradv
+pass out inet6 proto icmp6 all icmp6-type routersol
+pass in inet6 proto icmp6 all icmp6-type routeradv
diff -ruN etc/defaults/rc.conf etc.new/defaults/rc.conf
--- etc/defaults/rc.conf	Fri Feb  9 04:11:27 2007
+++ etc.new/defaults/rc.conf	Tue Feb 13 20:36:29 2007
@@ -145,6 +145,10 @@
 pf_rules="/etc/pf.conf"		# rules definition file for pf
 pf_program="/sbin/pfctl"	# where the pfctl program lives
 pf_flags=""			# additional flags for pfctl
+pf_early_enable="YES"		# Load minimal ruleset when pf_enable="YES"
+				# before routing is enabled, after which the 
+				# real ruleset will be loaded
+pf_early_rules="/etc/defaults/pf.early.conf"	# Default minimal ruleset
 pflog_enable="NO"		# Set to YES to enable packet filter logging
 pflog_logfile="/var/log/pflog"	# where pflogd should store the logfile
 pflog_program="/sbin/pflogd"	# where the pflogd program lives
diff -ruN etc/rc.d/Makefile etc.new/rc.d/Makefile
--- etc/rc.d/Makefile	Sun Oct 15 07:19:06 2006
+++ etc.new/rc.d/Makefile	Tue Feb 13 20:42:09 2007
@@ -27,7 +27,7 @@
 	network_ipv6 newsyslog nfsclient nfsd \
 	nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
 	othermta \
-	pf pflog pfsync \
+	pf pf_early pflog pfsync \
 	powerd power_profile ppp pppoed pwcheck \
 	quota \
 	random rarpd resolv root \
diff -ruN etc/rc.d/pf etc.new/rc.d/pf
--- etc/rc.d/pf	Sun Dec 31 02:37:18 2006
+++ etc.new/rc.d/pf	Tue Feb 13 20:09:33 2007
@@ -4,8 +4,7 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root mountcritlocal netif pflog pfsync
-# BEFORE:  routing
+# REQUIRE: root mountcritlocal netif pflog pfsync pf_early
 # KEYWORD: nojail
 
. /etc/rc.subr
diff -ruN etc/rc.d/pf_early etc.new/rc.d/pf_early
--- etc/rc.d/pf_early	Wed Dec 31 16:00:00 1969
+++ etc.new/rc.d/pf_early	Tue Feb 13 20:35:18 2007
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD: src/etc/rc.d/pf_early,v 1.7.2.4 2006/01/22 13:45:28 yar Exp $
+#
+
+# PROVIDE: pf_early
+# REQUIRE: root mountcritlocal netif pflog pfsync
+# BEFORE:  routing
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="pf_early"
+rcvar=`set_rcvar`
+load_rc_config $name

+start_cmd="pf_early_start"
+stop_cmd=":"
+required_files="$pf_early_rules"
+required_modules="pf"
+
+pf_early_start()
+{
+	echo "Enabling minimal pf ruleset."
+	$pf_program -Fall > /dev/null 2>&1
+	$pf_program -f "$pf_early_rules"
+	if ! $pf_program -s info | grep -q "Enabled" ; then
+		$pf_program -e
+	fi
+}
+
+# Don't do anything unless pf_enable="YES"
+if checkyesno pf_enable; then
+	run_rc_command "$1"
+fi
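Review bot: the etc/defaults/pf.early.conf hunk will not load as written, because `set skip on lo` is an option and pfctl requires options to come before filter rules ("Rules must be in order: options, normalization, queueing, translation, filter"), yet here it follows `block all`; move `set skip on lo` above `block all`. Two smaller points in the same hunk: a new file should carry a bare `$FreeBSD$` keyword rather than `$FreeBSD: src/etc/defaults/pf.early.conf$`, and the default file ships an inbound exception (`pass in proto tcp from any to any port ssh keep state`) that the cover mail itself expects not everyone to agree with; since the rc.conf hunk turns `pf_early_enable` on by default, that choice deserves a comment in the file.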
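Review bot: in the etc/defaults/rc.conf hunk the comment on `pf_early_enable="YES"` describes the wrong condition: the new script is gated by `checkyesno pf_enable` and is additionally its own rcvar, so the early ruleset loads only when both `pf_enable` and `pf_early_enable` are YES; the comment should say so. Defaulting `pf_early_rules` to a file under /etc/defaults also invites sites to edit that copy, which mergemaster then overwrites; the other pf knobs point at /etc, so consider `/etc/pf.early.conf` as the default and keep the /etc/defaults copy as the fallback, the way the quoted NetBSD pf_boot uses /etc/pf.boot.conf if it exists and /etc/defaults/pf.boot.conf otherwise.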
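Review bot: in the etc/rc.d/pf hunk, removing `# BEFORE:  routing` does not by itself move the full ruleset to a point where the resolver works; with no `REQUIRE:` on a later script (`routing`, or `resolv`, both listed in the rc.d Makefile hunk) rcorder remains free to run pf before routing, so the second stage of the two-stage load is not guaranteed. Add that dependency explicitly. Note also that the context line `. /etc/rc.subr` at the end of the hunk has lost its leading space, so patch(1) will reject the hunk as posted.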
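Review bot: `pf_early_start` in the etc/rc.d/pf_early hunk fails open: if `$pf_program -f "$pf_early_rules"` rejects the file, its exit status is ignored and the script still runs `$pf_program -e`, which enables pf with the ruleset just emptied by `-Fall`, i.e. pass-everything, during exactly the window this script exists to close. Test the result of the `-f` step and skip `-e` (with a warning) when it fails. Two smaller points: the `$FreeBSD: src/etc/rc.d/pf_early,v 1.7.2.4 ...$` header is copied from another file and should be a plain `$FreeBSD$`, and the unprefixed blank line after `load_rc_config $name` makes the hunk 35 lines against a `+1,34` header, so patch(1) will not apply it.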
From: "Dan Langille"
To: "Kian Mohageri"
Cc: freebsd-rc@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 14 Feb 2007 07:47:50 -0500
Message-ID: <45D2BEA7.12150.2D35AEAB@dan.langille.org>
Subject: Re: pf starts, but no rules

On 13 Feb 2007 at 21:37, Kian Mohageri wrote:

> On 2/13/07, Max Laier wrote:
> >
> > Does anyone have time to get something like this going for FreeBSD as
> > well?
>
> I tested out some solutions. I'm not sure if this is what you guys were
> looking to do, but NetBSD's solution seems fine. I'm not thrilled about
> using another rc-script to solve this issue, but I couldn't think of a
> simpler/more elegant solution.
>
> Diff is against CURRENT, and I don't currently have any boxes running
> CURRENT, but I tested it as much as I could. I'll get a box up to CURRENT
> later to test other patches.
>
> I couldn't decide what to pass in this initial ruleset. Passing SSH seems
> safe/smart, but surely not everyone will agree.

So long as the initial ruleset can be specified in the config, I see
no problem. For example:

pf_rules_initial="/etc/pf_intial.rules

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
PGCon - The PostgreSQL Conference - http://www.pgcon.org/

From owner-freebsd-rc@FreeBSD.ORG Wed Feb 14 18:37:31 2007
From: "Simon L. Nielsen"
To: kevin@insidesystems.net, simon@FreeBSD.org, freebsd-rc@FreeBSD.org
Date: Wed, 14 Feb 2007 18:37:30 GMT
Message-Id: <200702141837.l1EIbUKj042082@freefall.freebsd.org>
Subject: Re: conf/108988: [patch] RELENG_6_2 rc.d/jail unaliases incorrectly, on failed startup

Synopsis: [patch] RELENG_6_2 rc.d/jail unaliases incorrectly, on failed startup

State-Changed-From-To: open->closed
State-Changed-By: simon
State-Changed-When: Wed Feb 14 18:36:47 UTC 2007
State-Changed-Why:
Duplicate of conf/107278.

Responsible-Changed-From-To: freebsd-rc->simon
Responsible-Changed-By: simon
Responsible-Changed-When: Wed Feb 14 18:36:47 UTC 2007
Responsible-Changed-Why:
I will handle any followups.

http://www.freebsd.org/cgi/query-pr.cgi?pr=108988

From owner-freebsd-rc@FreeBSD.ORG Wed Feb 14 18:38:39 2007
From: "Simon L. Nielsen"
To: cryx-freebsd@h3q.com, simon@FreeBSD.org, freebsd-rc@FreeBSD.org
Date: Wed, 14 Feb 2007 18:38:38 GMT
Message-Id: <200702141838.l1EIccWk042138@freefall.freebsd.org>
Subject: Re: conf/107278: [patch] possible DoS when using the jail_interface option in rc.conf introduced with 6.2

Synopsis: [patch] possible DoS when using the jail_interface option in rc.conf introduced with 6.2

State-Changed-From-To: open->patched
State-Changed-By: simon
State-Changed-When: Wed Feb 14 18:37:47 UTC 2007
State-Changed-Why:
Fixed in HEAD and RELENG_6. Need merge to RELENG_6_2.

Responsible-Changed-From-To: freebsd-rc->simon
Responsible-Changed-By: simon
Responsible-Changed-When: Wed Feb 14 18:37:47 UTC 2007
Responsible-Changed-Why:
I will handle getting this fixed in RELENG_6_2.
http://www.freebsd.org/cgi/query-pr.cgi?pr=107278

From owner-freebsd-rc@FreeBSD.ORG Thu Feb 15 08:18:07 2007
From: "Kian Mohageri"
To: "Dan Langille"
Cc: freebsd-rc@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 15 Feb 2007 00:18:05 -0800
In-Reply-To: <45D2BEA7.12150.2D35AEAB@dan.langille.org>
Subject: Re: pf starts, but no rules

On 2/14/07, Dan Langille wrote:
>
> So long as the initial ruleset can be specified in the config, I see
> no problem. For example: pf_rules_initial="/etc/pf_intial.rules

As with other startup scripts, the overrides for /etc/defaults/rc.conf
can be placed in /etc/rc.conf.

-- 
Kian Mohageri

From owner-freebsd-rc@FreeBSD.ORG Fri Feb 16 19:27:24 2007
From: Yar Tikhiy
To: Max Laier
Cc: "Jeremy C. Reed", freebsd-rc@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 16 Feb 2007 22:11:03 +0300
Message-ID: <20070216191103.GB64983@comp.chem.msu.su>
In-Reply-To: <200702132226.40415.max@love2party.net>
Subject: Re: pf starts, but no rules
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Feb 2007 19:27:24 -0000 On Tue, Feb 13, 2007 at 10:26:31PM +0100, Max Laier wrote: > Does anyone have time to get something like this going for FreeBSD as > well? IMHO it's a restricted solution to a more general problem. Other firewall types can suffer from it, too. While there is no single cure for using DNS names in firewall rules, the problem of cloned interfaces is common. Once I thought of a sysctl with the following semantics: 0 (default) means just drop any network traffic, 1 means process it as usual. Then a host could set up all its interfaces first, still being immune to attacks, then load firewall rules, and finally enable the network stack. Am I delirious? :-) > On Tuesday 13 February 2007 21:07, Jeremy C. Reed wrote: > > > > One possible sollution that has been suggested would be to use a > > > > simple deny all but ssh/dns ruleset in the first stage and load the > > > > real ruleset once all interfaces are there and the resolver is > > > > working. I'm willing to commit patches, though this is probably > > > > something best discussed on freebsd-rc@ > > > > By the way, NetBSD and OpenBSD do that. NetBSD has an /etc/rc.d/pf_boot > > that is BEFORE network that loads the /etc/pf.boot.conf (if exists) or > > /etc/defaults/pf.boot.conf which contains: > > > > # Default deny. > > block all > > > > # Don't block loopback. > > pass on lo0 > > > > # Allow outgoing dns, needed by pfctl to resolve names. > > pass out proto { tcp, udp } from any to any port 53 keep state > > > > # Allow outgoing ping request, might be needed by dhclient to validate > > # old (but valid) leases in /var/db/dhclient.leases in case it needs to > > # fall back to such a lease (the dhcp server can be down or not > > responding). > > pass out inet proto icmp all icmp-type echoreq keep state > > > > # Allow IPv6 router/neighbor solicitation and advertisement. 
> > pass out inet6 proto icmp6 all icmp6-type neighbrsol > > pass in inet6 proto icmp6 all icmp6-type neighbradv > > pass out inet6 proto icmp6 all icmp6-type routersol > > pass in inet6 proto icmp6 all icmp6-type routeradv > > > > > > The regular /etc/rc.d/pf requires networking to be done first. > > > > On OpenBSD, it loads rules like: > > > > block all > > pass on lo0 > > pass in proto tcp from any to any port 22 keep state > > pass out proto { tcp, udp } from any to any port 53 keep state > > pass out inet proto icmp all icmp-type echoreq keep state > > pass out inet6 proto icmp6 all icmp6-type neighbrsol > > pass in inet6 proto icmp6 all icmp6-type neighbradv > > pass out inet6 proto icmp6 all icmp6-type routersol > > pass in inet6 proto icmp6 all icmp6-type routeradv > > pass proto { pfsync, carp } > > scrub in all no-df > > pass in proto udp from any port { 111, 2049 } to any > > pass out proto udp from any to any port { 111, 2049 } > > > > (Note it only loads some of these if the inet6 and if NFS is enabled.) > > -- > /"\ Best regards, | mlaier@freebsd.org > \ / Max Laier | ICQ #67774661 > X http://pf4freebsd.love2party.net/ | mlaier@EFnet > / \ ASCII Ribbon Campaign | Against HTML Mail and News -- Yar
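A two-stage pf bootstrap of the kind Jeremy and Max describe, as an added example that is not code from the thread, from NetBSD's rc.d/pf_boot or from FreeBSD's rc.d/pf: it picks the first-stage ruleset the way NetBSD does (rc.conf override, site file, shipped default), refuses to load a first-stage file whose from/to operands are host names, and otherwise falls back to a built-in ruleset assembled from the rules quoted above. The pf_rules_initial knob name is the one Dan proposes in the thread, not an existing knob; pf_rules_need_dns is a heuristic token check, and pfctl is assumed to be in PATH.

```shell
# Added example, not code from the thread, NetBSD's pf_boot or FreeBSD's rc.d/pf.
# Assumed: the pf_rules_initial knob name Dan proposes, and pfctl in PATH.
# Stage-one ruleset: rc.conf override, site file, then shipped default.
pf_boot_rules_file() {
    for f in "$1" "$2" "$3"; do
        [ -n "$f" ] && [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}
# Exit 0 if a from/to operand (also inside { }) is a host name rather than an
# address, any, a table, an interface or a macro: such rules fail before DNS.
pf_rules_need_dns() {
    prev= inlist=
    for tok in $(sed -e 's/#.*//' "$1"); do
        case $tok in
            '{') [ "$prev" = from ] || [ "$prev" = to ] && inlist=1; continue ;;
            '}') inlist= prev=; continue ;;
        esac
        if [ -n "$inlist" ] || [ "$prev" = from ] || [ "$prev" = to ]; then
            case $tok in
                '!') continue ;;   # negation: the operand follows
                any|self|no-route|'<'*|'('*|'$'*|[0-9]*|*:*) ;;
                *) return 0 ;;     # looks like a DNS name
            esac
        fi
        prev=$tok
    done
    return 1
}
# Built-in stage-one rules: deny by default, allow loopback, outbound DNS (so
# stage two can resolve names), outbound ping, IPv6 ND and optional inbound ssh.
pf_boot_ruleset() {
    cat <<'EOF'
block all
pass on lo0
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
EOF
    case $1 in yes) echo 'pass in proto tcp from any to any port 22 keep state' ;; esac
}
# Stage one, before netif: use the file only if it is resolver-safe, else the
# built-in rules. $1 = pf_rules_initial value, $2 = yes to allow inbound ssh.
pf_boot_load() {
    f=$(pf_boot_rules_file "$1" /etc/pf.boot.conf /etc/defaults/pf.boot.conf) &&
        ! pf_rules_need_dns "$f" && pfctl -f "$f" && return 0
    pf_boot_ruleset "$2" | pfctl -f -
}
```

Run pf_boot_load before netif and let the regular rc.d/pf, which requires networking, load the full ruleset as the second stage.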
