From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Max Laier"
Cc: freebsd-rc@freebsd.org, freebsd-pf@freebsd.org
Date: Tue, 13 Feb 2007 21:37:13 -0800
Subject: Re: pf starts, but no rules
In-Reply-To: <200702132226.40415.max@love2party.net>
References: <45CDED58.2056.1A642A00@dan.langille.org> <45D1B27B.5615.291E28A7@dan.langille.org> <200702132226.40415.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On 2/13/07, Max Laier wrote:
>
> Does anyone have time to get something like this going for FreeBSD as
> well?

I tested out some solutions. I'm not sure if this is what you guys were
looking to do, but NetBSD's solution seems fine. I'm not thrilled about
using another rc-script to solve this issue, but I couldn't think of a
simpler/more elegant solution.

Diff is against CURRENT, and I don't currently have any boxes running
CURRENT, but I tested it as much as I could. I'll get a box up to CURRENT
later to test other patches.

I couldn't decide what to pass in this initial ruleset. Passing SSH seems
safe/smart, but surely not everyone will agree.

Sorry if this is way off :)

--
Kian Mohageri

[Attachment: pf_early.diff]

diff -ruN etc/defaults/Makefile etc.new/defaults/Makefile
--- etc/defaults/Makefile	Fri Dec  9 07:19:31 2005
+++ etc.new/defaults/Makefile	Tue Feb 13 20:08:25 2007
@@ -1,6 +1,6 @@
 # $FreeBSD: src/etc/defaults/Makefile,v 1.7 2005/12/09 15:19:31 ru Exp $
 
-FILES=	bluetooth.device.conf devfs.rules pccard.conf periodic.conf rc.conf
+FILES=	bluetooth.device.conf devfs.rules pccard.conf periodic.conf pf.early.conf rc.conf
 NO_OBJ=
 FILESDIR= /etc/defaults
 
diff -ruN etc/defaults/pf.early.conf etc.new/defaults/pf.early.conf
--- etc/defaults/pf.early.conf	Wed Dec 31 16:00:00 1969
+++ etc.new/defaults/pf.early.conf	Tue Feb 13 20:08:01 2007
@@ -0,0 +1,22 @@
+# $FreeBSD: src/etc/defaults/pf.early.conf$
+
+# Default deny
+block all
+
+# Don't filter loopback interface(s) 
+set skip on lo
+
+# Allow incoming SSH
+pass in proto tcp from any to any port ssh keep state
+
+# Allow outgoing DNS, needed by pfctl to resolve any FQDNs
+pass out proto { tcp, udp } from any to any port 53 keep state
+
+# Allow outgoing ping
+pass out inet proto icmp all icmp-type echoreq keep state
+
+# Allow IPv6 router/neighbor solicitation and advertisement
+pass out inet6 proto icmp6 all icmp6-type neighbrsol
+pass in inet6 proto icmp6 all icmp6-type neighbradv
+pass out inet6 proto icmp6 all icmp6-type routersol
+pass in inet6 proto icmp6 all icmp6-type routeradv
diff -ruN etc/defaults/rc.conf etc.new/defaults/rc.conf
--- etc/defaults/rc.conf	Fri Feb  9 04:11:27 2007
+++ etc.new/defaults/rc.conf	Tue Feb 13 20:36:29 2007
@@ -145,6 +145,10 @@
 pf_rules="/etc/pf.conf"		# rules definition file for pf
 pf_program="/sbin/pfctl"	# where the pfctl program lives
 pf_flags=""			# additional flags for pfctl
+pf_early_enable="YES"		# Load minimal ruleset when pf_enable="YES"
+				# before routing is enabled, after which the 
+				# real ruleset will be loaded
+pf_early_rules="/etc/defaults/pf.early.conf"	# Default minimal ruleset
 pflog_enable="NO"		# Set to YES to enable packet filter logging
 pflog_logfile="/var/log/pflog"	# where pflogd should store the logfile
 pflog_program="/sbin/pflogd"	# where the pflogd program lives
diff -ruN etc/rc.d/Makefile etc.new/rc.d/Makefile
--- etc/rc.d/Makefile	Sun Oct 15 07:19:06 2006
+++ etc.new/rc.d/Makefile	Tue Feb 13 20:42:09 2007
@@ -27,7 +27,7 @@
 	network_ipv6 newsyslog nfsclient nfsd \
 	nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
 	othermta \
-	pf pflog pfsync \
+	pf pf_early pflog pfsync \
 	powerd power_profile ppp pppoed pwcheck \
 	quota \
 	random rarpd resolv root \
diff -ruN etc/rc.d/pf etc.new/rc.d/pf
--- etc/rc.d/pf	Sun Dec 31 02:37:18 2006
+++ etc.new/rc.d/pf	Tue Feb 13 20:09:33 2007
@@ -4,8 +4,7 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root mountcritlocal netif pflog pfsync
-# BEFORE:  routing
+# REQUIRE: root mountcritlocal netif pflog pfsync pf_early
 # KEYWORD: nojail
 
 . /etc/rc.subr
diff -ruN etc/rc.d/pf_early etc.new/rc.d/pf_early
--- etc/rc.d/pf_early	Wed Dec 31 16:00:00 1969
+++ etc.new/rc.d/pf_early	Tue Feb 13 20:35:18 2007
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD: src/etc/rc.d/pf_early,v 1.7.2.4 2006/01/22 13:45:28 yar Exp $
+#
+
+# PROVIDE: pf_early
+# REQUIRE: root mountcritlocal netif pflog pfsync
+# BEFORE:  routing
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="pf_early"
+rcvar=`set_rcvar`
+load_rc_config $name
+start_cmd="pf_early_start"
+stop_cmd=":"
+required_files="$pf_early_rules"
+required_modules="pf"
+
+pf_early_start()
+{
+	echo "Enabling minimal pf ruleset."
+	$pf_program -Fall > /dev/null 2>&1
+	$pf_program -f "$pf_early_rules"
+	if ! $pf_program -s info | grep -q "Enabled" ; then
+		$pf_program -e
+	fi
+}
+
+# Don't do anything unless pf_enable="YES"
+if checkyesno pf_enable; then
+	run_rc_command "$1"
+fi
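Review bot: in the pf.early.conf hunk the ICMPv6 rules only cover lookups this host starts: neighbor solicitations are passed out and advertisements in, but an incoming solicitation and the outgoing advertisement that answers it fall under `block all`, so a neighbor that does not already hold a cache entry for this host cannot reach it over IPv6 while the early ruleset is loaded (which also defeats the `pass in proto tcp ... port ssh` rule over IPv6); add `pass in inet6 proto icmp6 all icmp6-type neighbrsol` and `pass out inet6 proto icmp6 all icmp6-type neighbradv`. The SSH rule `pass in proto tcp from any to any port ssh keep state` also creates state for any matching TCP packet rather than only a connection-opening SYN; `flags S/SA keep state` is the usual form. Minor: trailing whitespace after `# Don't filter loopback interface(s)`.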
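Review bot: the two new knobs in the rc.conf hunk, `pf_early_enable` and `pf_early_rules`, are not documented anywhere in the patch; rc.conf(5) needs matching entries. The comment on `pf_early_rules="/etc/defaults/pf.early.conf"` should also say that the file under /etc/defaults is installed by the etc/defaults/Makefile hunk and will be replaced on upgrade, so site-specific early rules belong in a separate file named by a `pf_early_rules` override in /etc/rc.conf. Minor: trailing whitespace after `# before routing is enabled, after which the`.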
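Review bot: in the rc.d/pf hunk, removing `# BEFORE:  routing` does not by itself put the full ruleset load after routing; rcorder only honours the dependencies that are stated, and with `REQUIRE: ... pf_early` plus pf_early's own `BEFORE: routing` the pf script may still be ordered before routing. If the intent is that /etc/pf.conf is loaded once routing and name resolution are up, state it explicitly with `# REQUIRE: ... routing` (or whatever script provides a usable resolver) so the ordering is guaranteed rather than incidental.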
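Review bot: in pf_early_start the exit status of `$pf_program -f "$pf_early_rules"` is ignored, so if the early ruleset fails to parse the function still falls through to `$pf_program -e` and enables pf on the ruleset that `-Fall` just emptied, and an empty ruleset passes everything; a failed load should leave pf disabled or abort the script, for example `$pf_program -f "$pf_early_rules" || return 1` before the enable check. Two smaller points: the `$FreeBSD: src/etc/rc.d/pf_early,v 1.7.2.4 2006/01/22 13:45:28 yar Exp $` line is a stale ID copied from another file and should be a bare `$FreeBSD$`, and `$pf_program -Fall > /dev/null 2>&1` also hides any error pfctl reports about the flush itself.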