Date:      Fri, 16 Feb 2007 22:11:03 +0300
From:      Yar Tikhiy <yar@comp.chem.msu.su>
To:        Max Laier <max@love2party.net>
Cc:        freebsd-rc@freebsd.org, freebsd-pf@freebsd.org
Subject:   Re: pf starts, but no rules
Message-ID:  <20070216191103.GB64983@comp.chem.msu.su>
In-Reply-To: <200702132226.40415.max@love2party.net>
References:  <45CDED58.2056.1A642A00@dan.langille.org> <45D1B27B.5615.291E28A7@dan.langille.org> <Pine.NEB.4.64.0702131407110.815@glacier.reedmedia.net> <200702132226.40415.max@love2party.net>

On Tue, Feb 13, 2007 at 10:26:31PM +0100, Max Laier wrote:
> Does anyone have time to get something like this going for FreeBSD as 
> well?

IMHO it's a restricted solution to a more general problem.  Other
firewall types can suffer from it, too.  While there is no single
cure for using DNS names in firewall rules, the problem of cloned
interfaces is common.  Once I thought of a sysctl with the following
semantics: 0 (default) means just drop any network traffic, 1 means
process it as usual.  Then a host could set up all its interfaces
first, still being immune to attacks, then load firewall rules, and
finally enable the network stack.  Am I delirious? :-)

> On Tuesday 13 February 2007 21:07, Jeremy C. Reed wrote:
> > > > One possible solution that has been suggested would be to use a
> > > > simple deny all but ssh/dns ruleset in the first stage and load the
> > > > real ruleset once all interfaces are there and the resolver is
> > > > working.  I'm willing to commit patches, though this is probably
> > > > something best discussed on freebsd-rc@
> >
> > By the way, NetBSD and OpenBSD do that. NetBSD has an /etc/rc.d/pf_boot
> > that is BEFORE network that loads the /etc/pf.boot.conf (if exists) or
> > /etc/defaults/pf.boot.conf which contains:
> >
> > # Default deny.
> > block all
> >
> > # Don't block loopback.
> > pass on lo0
> >
> > # Allow outgoing dns, needed by pfctl to resolve names.
> > pass out proto { tcp, udp } from any to any port 53 keep state
> >
> > # Allow outgoing ping request, might be needed by dhclient to validate
> > # old (but valid) leases in /var/db/dhclient.leases in case it needs to
> > # fall back to such a lease (the dhcp server can be down or not
> > # responding).
> > pass out inet proto icmp all icmp-type echoreq keep state
> >
> > # Allow IPv6 router/neighbor solicitation and advertisement.
> > pass out inet6 proto icmp6 all icmp6-type neighbrsol
> > pass in inet6 proto icmp6 all icmp6-type neighbradv
> > pass out inet6 proto icmp6 all icmp6-type routersol
> > pass in inet6 proto icmp6 all icmp6-type routeradv
> >
> >
> > The regular /etc/rc.d/pf requires networking to be done first.
> >
> > On OpenBSD, it loads rules like:
> >
> > block all
> > pass on lo0
> > pass in proto tcp from any to any port 22 keep state
> > pass out proto { tcp, udp } from any to any port 53 keep state
> > pass out inet proto icmp all icmp-type echoreq keep state
> > pass out inet6 proto icmp6 all icmp6-type neighbrsol
> > pass in inet6 proto icmp6 all icmp6-type neighbradv
> > pass out inet6 proto icmp6 all icmp6-type routersol
> > pass in inet6 proto icmp6 all icmp6-type routeradv
> > pass proto { pfsync, carp }
> > scrub in all no-df
> > pass in proto udp from any port { 111, 2049 } to any
> > pass out proto udp from any to any port { 111, 2049 }
> >
> > (Note it only loads some of these if inet6 is enabled and if NFS is enabled.)
> 
> -- 
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News



-- 
Yar