pf starts, but no rules
Jeremy C. Reed
reed at reedmedia.net
Tue Feb 13 20:36:55 UTC 2007
> > One possible solution that has been suggested would be to use a simple
> > deny all but ssh/dns ruleset in the first stage and load the real ruleset
> > once all interfaces are there and the resolver is working. I'm willing
> > to commit patches, though this is probably something best discussed on
> > freebsd-rc@
By the way, NetBSD and OpenBSD do that. NetBSD has an /etc/rc.d/pf_boot
that is BEFORE network that loads the /etc/pf.boot.conf (if exists) or
/etc/defaults/pf.boot.conf which contains:
# Default deny.
block all
# Don't block loopback.
pass on lo0
# Allow outgoing dns, needed by pfctl to resolve names.
pass out proto { tcp, udp } from any to any port 53 keep state
# Allow outgoing ping request, might be needed by dhclient to validate
# old (but valid) leases in /var/db/dhclient.leases in case it needs to
# fall back to such a lease (the dhcp server can be down or not
# responding).
pass out inet proto icmp all icmp-type echoreq keep state
# Allow IPv6 router/neighbor solicitation and advertisement.
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
The regular /etc/rc.d/pf requires networking to be done first.
On OpenBSD, it loads rules like:
block all
pass on lo0
pass in proto tcp from any to any port 22 keep state
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
pass proto { pfsync, carp }
scrub in all no-df
pass in proto udp from any port { 111, 2049 } to any
pass out proto udp from any to any port { 111, 2049 }
(Note it only loads some of these, depending on whether inet6 and NFS are enabled.)
Jeremy C. Reed
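An added example, not from this thread and not NetBSD's or OpenBSD's rc.d script: an rc-style sh sketch of the two-stage load described above, where the full ruleset is dry-run with pfctl -n before it replaces the boot ruleset, plus a heuristic check that the boot file names nothing needing the resolver. The file paths and the pf_boot_check heuristic are assumptions.

```shell
#!/bin/sh
# Two-stage pf load in the spirit of the NetBSD pf_boot / OpenBSD early
# ruleset described above. Added example, not either project's rc.d script.
# Stage 1 runs before the network is configured and loads only the small
# boot ruleset, which must not contain anything that needs name resolution.
# Stage 2 runs once interfaces and the resolver are up: it dry-runs the full
# ruleset with "pfctl -n" and, if that fails (e.g. a hostname in it does not
# resolve yet), keeps the boot ruleset rather than leaving pf with no rules.

PFCTL=${PFCTL:-pfctl}                        # overridable, e.g. for testing
BOOT_RULES=${BOOT_RULES:-/etc/pf.boot.conf}  # path assumed, as on NetBSD
FULL_RULES=${FULL_RULES:-/etc/pf.conf}

# Stage 1: enable pf and install the boot ruleset.
pf_boot_load() {
    "$PFCTL" -q -e 2>/dev/null || true       # already enabled is not an error
    "$PFCTL" -q -f "$BOOT_RULES"
}

# Stage 2: swap in the full ruleset only after it parses cleanly.
# Returns 0 when the full ruleset is active, 1 when the boot rules were kept.
pf_full_load() {
    if "$PFCTL" -n -f "$FULL_RULES" 2>/dev/null; then
        "$PFCTL" -q -f "$FULL_RULES"
        return 0
    fi
    echo "pf: $FULL_RULES does not load yet; keeping $BOOT_RULES" >&2
    return 1
}

# Sanity check on the boot file: list from/to operands that look like
# hostnames rather than addresses, keywords, tables, lists or macros.
# A heuristic (assumed), not a pf parser; returns 1 if anything is found.
pf_boot_check() {
    hits=$(sed 's/#.*//' "$BOOT_RULES" \
        | awk '{for(i=1;i<NF;i++) if($i=="from"||$i=="to") {j=i+1; print $j}}' \
        | grep -Ev '^(any|self)$|^[{$<(!]|^[0-9.]+(/[0-9]+)?$|^[0-9a-fA-F:]+(/[0-9]+)?$' \
        || true)
    if [ -n "$hits" ]; then
        echo "pf: $BOOT_RULES names hosts that need DNS: $hits" >&2
        return 1
    fi
    return 0
}
```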