pf starts, but no rules

Max Laier max at love2party.net
Tue Feb 13 21:26:50 UTC 2007


Does anyone have time to get something like this going for FreeBSD as 
well?

On Tuesday 13 February 2007 21:07, Jeremy C. Reed wrote:
> > > One possible solution that has been suggested would be to use a
> > > simple deny all but ssh/dns ruleset in the first stage and load the
> > > real ruleset once all interfaces are there and the resolver is
> > > working.  I'm willing to commit patches, though this is probably
> > > something best discussed on freebsd-rc@
>
> By the way, NetBSD and OpenBSD do that. NetBSD has an /etc/rc.d/pf_boot
> that is BEFORE network that loads the /etc/pf.boot.conf (if exists) or
> /etc/defaults/pf.boot.conf which contains:
>
> # Default deny.
> block all
>
> # Don't block loopback.
> pass on lo0
>
> # Allow outgoing dns, needed by pfctl to resolve names.
> pass out proto { tcp, udp } from any to any port 53 keep state
>
> # Allow outgoing ping request, might be needed by dhclient to validate
> # old (but valid) leases in /var/db/dhclient.leases in case it needs to
> # fall back to such a lease (the dhcp server can be down or not
> # responding).
> pass out inet proto icmp all icmp-type echoreq keep state
>
> # Allow IPv6 router/neighbor solicitation and advertisement.
> pass out inet6 proto icmp6 all icmp6-type neighbrsol
> pass in inet6 proto icmp6 all icmp6-type neighbradv
> pass out inet6 proto icmp6 all icmp6-type routersol
> pass in inet6 proto icmp6 all icmp6-type routeradv
>
>
> The regular /etc/rc.d/pf requires networking to be done first.
>
> On OpenBSD, it loads rules like:
>
> block all
> pass on lo0
> pass in proto tcp from any to any port 22 keep state
> pass out proto { tcp, udp } from any to any port 53 keep state
> pass out inet proto icmp all icmp-type echoreq keep state
> pass out inet6 proto icmp6 all icmp6-type neighbrsol
> pass in inet6 proto icmp6 all icmp6-type neighbradv
> pass out inet6 proto icmp6 all icmp6-type routersol
> pass in inet6 proto icmp6 all icmp6-type routeradv
> pass proto { pfsync, carp }
> scrub in all no-df
> pass in proto udp from any port { 111, 2049 } to any
> pass out proto udp from any to any port { 111, 2049 }
>
> (Note it only loads some of these if the inet6 and if NFS is enabled.)

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
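As an added illustration of the two-stage approach discussed in the thread (this is not code from the thread, from NetBSD or from OpenBSD), the sh script below builds the stage-one "deny all but ssh/dns" ruleset from the rules quoted above, adding the IPv6 and NFS lines only when the caller asks for them, and loads the real /etc/pf.conf in stage two only after pfctl's parse check (-n) succeeds, so a broken production ruleset leaves the restrictive boot rules in place instead of an open firewall. The file paths, the ipv6/nfs flags and the function names are assumptions for the example.

```sh
#!/bin/sh
# Added example of two-stage pf loading; not the rc.d script of any BSD.
# Paths and the ipv6/nfs flags are assumptions for this illustration.

# Print the minimal boot ruleset. Arguments: ipv6 (yes/no), nfs (yes/no).
# Output goes to stdout so it can be redirected to a file or piped to pfctl.
boot_rules() {
    ipv6=${1:-yes}
    nfs=${2:-no}
    cat <<'EOF'
# Default deny.
block all
# Don't block loopback.
pass on lo0
# Admin access so a broken stage-two ruleset can still be repaired remotely.
pass in proto tcp from any to any port 22 keep state
# Outgoing DNS, needed by pfctl to resolve names in the real ruleset.
pass out proto { tcp, udp } from any to any port 53 keep state
# Outgoing ping, dhclient may use it to validate an old lease.
pass out inet proto icmp all icmp-type echoreq keep state
EOF
    if [ "$ipv6" = yes ]; then
        cat <<'EOF'
# IPv6 neighbor and router discovery.
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
EOF
    fi
    if [ "$nfs" = yes ]; then
        cat <<'EOF'
# NFS (rpcbind and nfsd) for hosts that mount filesystems at boot.
pass in proto udp from any port { 111, 2049 } to any
pass out proto udp from any to any port { 111, 2049 }
EOF
    fi
}

# Count rules (non-blank, non-comment lines) in a ruleset read from stdin.
count_rules() {
    grep -cv -e '^#' -e '^$'
}

# Stage one, run before the network is configured: write the boot ruleset
# and, if pfctl exists on this host, parse-check, load and enable it.
pf_boot() {
    conf=${1:-/tmp/pf.boot.conf}   # assumed path; NetBSD uses /etc/pf.boot.conf
    boot_rules "${2:-yes}" "${3:-no}" > "$conf"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$conf" && pfctl -f "$conf" && pfctl -e
    fi
}

# Stage two, run once interfaces and the resolver are up: parse-check the
# real ruleset first and replace the boot rules only if it is valid.
pf_real() {
    conf=${1:-/etc/pf.conf}
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$conf" && pfctl -f "$conf"
    fi
}
```

In an rc.d setup, pf_boot would be ordered BEFORE network and pf_real after it, exactly the split the thread describes; keeping the port 22 rule in stage one means a failed stage two still leaves an administrator a way in.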