Date: Tue, 13 Feb 2007 22:26:31 +0100
From: Max Laier <max@love2party.net>
To: freebsd-rc@freebsd.org
Cc: "Jeremy C. Reed" <reed@reedmedia.net>, freebsd-pf@freebsd.org
Subject: Re: pf starts, but no rules
Message-ID: <200702132226.40415.max@love2party.net>
In-Reply-To: <Pine.NEB.4.64.0702131407110.815@glacier.reedmedia.net>
References: <45CDED58.2056.1A642A00@dan.langille.org> <45D1B27B.5615.291E28A7@dan.langille.org> <Pine.NEB.4.64.0702131407110.815@glacier.reedmedia.net>
Does anyone have time to get something like this going for FreeBSD as
well?

On Tuesday 13 February 2007 21:07, Jeremy C. Reed wrote:
> > > One possible solution that has been suggested would be to use a
> > > simple deny all but ssh/dns ruleset in the first stage and load the
> > > real ruleset once all interfaces are there and the resolver is
> > > working. I'm willing to commit patches, though this is probably
> > > something best discussed on freebsd-rc@
>
> By the way, NetBSD and OpenBSD do that. NetBSD has an /etc/rc.d/pf_boot
> that is BEFORE network that loads the /etc/pf.boot.conf (if exists) or
> /etc/defaults/pf.boot.conf which contains:
>
> # Default deny.
> block all
>
> # Don't block loopback.
> pass on lo0
>
> # Allow outgoing dns, needed by pfctl to resolve names.
> pass out proto { tcp, udp } from any to any port 53 keep state
>
> # Allow outgoing ping request, might be needed by dhclient to validate
> # old (but valid) leases in /var/db/dhclient.leases in case it needs to
> # fall back to such a lease (the dhcp server can be down or not responding).
> pass out inet proto icmp all icmp-type echoreq keep state
>
> # Allow IPv6 router/neighbor solicitation and advertisement.
> pass out inet6 proto icmp6 all icmp6-type neighbrsol
> pass in inet6 proto icmp6 all icmp6-type neighbradv
> pass out inet6 proto icmp6 all icmp6-type routersol
> pass in inet6 proto icmp6 all icmp6-type routeradv
>
> The regular /etc/rc.d/pf requires networking to be done first.
>
> On OpenBSD, it loads rules like:
>
> block all
> pass on lo0
> pass in proto tcp from any to any port 22 keep state
> pass out proto { tcp, udp } from any to any port 53 keep state
> pass out inet proto icmp all icmp-type echoreq keep state
> pass out inet6 proto icmp6 all icmp6-type neighbrsol
> pass in inet6 proto icmp6 all icmp6-type neighbradv
> pass out inet6 proto icmp6 all icmp6-type routersol
> pass in inet6 proto icmp6 all icmp6-type routeradv
> pass proto { pfsync, carp }
> scrub in all no-df
> pass in proto udp from any port { 111, 2049 } to any
> pass out proto udp from any to any port { 111, 2049 }
>
> (Note it only loads some of these if the inet6 and if NFS is enabled.)

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
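The two-stage approach discussed in the thread (a minimal deny-all-but-boot-essentials ruleset loaded before the network comes up, the real ruleset later) written out as a POSIX sh script. This is an added illustration, not part of the original thread and not NetBSD's, OpenBSD's or FreeBSD's own rc.d code. It takes the /etc/pf.boot.conf override path and the rule contents from the quoted mail; the rcorder header, the `pf_boot_default_rules`, `pf_boot_ruleset` and `pf_boot_start` function names, and the ipv6/nfs flags that gate the optional rule groups (mirroring the OpenBSD note that some rules load only when inet6 or NFS is enabled) are assumptions of this example.

```shell
#!/bin/sh
#
# pf_boot: load a minimal "deny all except what booting needs" ruleset before
# the network is configured, so pf never sits enabled with an empty ruleset
# while interfaces and the resolver are still coming up.  Modelled on the
# NetBSD /etc/rc.d/pf_boot described in the thread; the rcorder header below
# is what a FreeBSD rc.d script would carry (illustration only).
#
# PROVIDE: pf_boot
# REQUIRE: root mountcritlocal
# BEFORE:  netif

PF_BOOT_CONF="${PF_BOOT_CONF:-/etc/pf.boot.conf}"   # site override, if present

# Emit the built-in boot ruleset.  $1 = "yes" adds the IPv6 neighbour/router
# discovery rules, $2 = "yes" adds NFS (portmap 111, nfsd 2049).  pf is
# last-match-wins, so "block all" comes first and the pass rules override it.
pf_boot_default_rules() {
    ipv6="${1:-no}"; nfs="${2:-no}"
    cat <<'EOF'
# Default deny.
block all

# Don't block loopback.
pass on lo0

# Allow incoming ssh so the box stays reachable if boot stalls here.
pass in proto tcp from any to any port 22 keep state

# Allow outgoing dns, needed by pfctl to resolve names.
pass out proto { tcp, udp } from any to any port 53 keep state

# Allow outgoing ping, used by dhclient to validate an old lease.
pass out inet proto icmp all icmp-type echoreq keep state
EOF
    if [ "$ipv6" = yes ]; then
        cat <<'EOF'

# Allow IPv6 router/neighbor solicitation and advertisement.
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
EOF
    fi
    if [ "$nfs" = yes ]; then
        cat <<'EOF'

# Allow NFS (portmap and nfsd) for network-mounted filesystems.
pass in proto udp from any port { 111, 2049 } to any
pass out proto udp from any to any port { 111, 2049 }
EOF
    fi
}

# Print the ruleset to load: the site file if readable, else the default.
pf_boot_ruleset() {
    if [ -r "$PF_BOOT_CONF" ]; then
        cat "$PF_BOOT_CONF"
    else
        pf_boot_default_rules "$1" "$2"
    fi
}

# Load the boot ruleset and confirm pf really holds rules afterwards.
# Returns 1 if pfctl is missing, the load fails, or the ruleset is empty
# (an enabled pf with no rules passes everything, which is the failure
# mode this script exists to prevent).
pf_boot_start() {
    command -v pfctl >/dev/null 2>&1 || { echo "pf_boot: pfctl not found" >&2; return 1; }
    pf_boot_ruleset "$1" "$2" | pfctl -f - || return 1
    pfctl -e >/dev/null 2>&1 || true          # already enabled is not an error
    [ -n "$(pfctl -sr)" ] || { echo "pf_boot: no rules loaded" >&2; return 1; }
}

# Usage: pf_boot.sh start [ipv6 yes|no] [nfs yes|no]
case "${1:-}" in
    start) pf_boot_start "${2:-no}" "${3:-no}" ;;
esac
```

Run with `sh pf_boot.sh start yes no` on a host with pf; with no arguments the script only defines the functions, which keeps it safe to source from a larger rc script. The check on `pfctl -sr` at the end is the part worth keeping even if the rest is adapted: it turns the silent "pf started but has no rules" condition from the thread subject into a visible failure.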