pfsync rc script breaks pfsync on cloned interfaces
Dimitry Andric
dimitry at andric.com
Fri Jun 26 11:58:24 UTC 2009
On 2009-06-26 11:04, Max Laier wrote:
> I would like input about how a very simple "safe default" setup could
> look. A ruleset for pf or ipfw that allows most of the boot process to
> complete without opening the host to the outside world, yet. For extra
> points this ruleset is aware of the rc.conf variables and adjusts
> accordingly (e.g. opening access to sshd iff it is configured). In
> addition there might be *one or two* configuration variables for the early
> stage to open additional ports or to select a default interface. However,
> the fewer the better.
If you look at how OpenBSD implements their /etc/rc script, you will see
it first loads a simple PF ruleset, which allows ssh, dns, icmp echo and
(if applicable) IPv6 routing and neighbor advertisements.
Then it does the regular network setup (/etc/netstart), followed by
loading the full PF rules.
Relevant excerpt:
######################
if [ X"${pf}" != X"NO" ]; then
    RULES="block all"
    RULES="$RULES\npass on lo0"
    RULES="$RULES\npass in proto tcp from any to any port 22 keep state"
    RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep state"
    RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"
    if ifconfig lo0 inet6 >/dev/null 2>&1; then
        RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol"
        RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
        RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
        RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
    fi
    RULES="$RULES\npass proto carp keep state (no-sync)"
    case `sysctl vfs.mounts.nfs 2>/dev/null` in
    *[1-9]*)
        # don't kill NFS
        RULES="set reassemble yes no-df\n$RULES"
        RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any"
        RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 }"
        ;;
    esac
    echo $RULES | pfctl -f -
    pfctl -e
fi

# Fill net.inet.(tcp|udp).baddynamic lists from /etc/services
fill_baddynamic udp
fill_baddynamic tcp

sysctl_conf

# set hostname, turn on network
echo 'starting network'
ifconfig -g carp carpdemote 128
if [ -f /etc/resolv.conf.save ]; then
    mv /etc/resolv.conf.save /etc/resolv.conf
    touch /etc/resolv.conf
fi
. /etc/netstart

if [ X"${pf}" != X"NO" ]; then
    if [ -f ${pf_rules} ]; then
        pfctl -f ${pf_rules}
    fi
    # bring up pfsync after the working ruleset has been loaded
    if [ -f /etc/hostname.pfsync0 ]; then
        . /etc/netstart pfsync0
    fi
fi
######################
Perhaps this approach can be molded into /etc/rc.d form? :)
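As an added example (not OpenBSD's rc excerpt above and not FreeBSD's rc.d code), here is one way the early-boot default-deny ruleset could be generated from rc.conf-style knobs, as the quoted message asks for: sshd is only exposed when it is enabled, IPv6 neighbor/router discovery is only allowed when lo0 has an inet6 address, and extra inbound ports are taken from a single list. The three inputs (sshd_enable, have_inet6, extra_ports) are assumed names for this illustration, not existing rc.conf variables; the rule text itself is the same as in the excerpt.

```sh
#!/bin/sh
# Added example, not OpenBSD's or FreeBSD's own rc code. Generates an
# early-boot default-deny pf ruleset from rc.conf-style inputs.
# Hypothetical inputs: sshd_enable ("YES"/"NO"), have_inet6 ("YES"/"NO"),
# and an optional space-separated list of extra inbound TCP ports.

build_early_rules() {
    sshd_enable=${1:-NO}
    have_inet6=${2:-NO}
    extra_ports=${3:-}

    # Default deny, but keep loopback fully open so local services can talk.
    printf '%s\n' 'block all'
    printf '%s\n' 'pass on lo0'

    # Only expose sshd when rc.conf actually enables it.
    if [ "X$sshd_enable" = "XYES" ]; then
        printf '%s\n' 'pass in proto tcp from any to any port 22 keep state'
    fi

    # Outbound DNS and ICMP echo so the rest of boot can resolve names.
    printf '%s\n' 'pass out proto { tcp, udp } from any to any port 53 keep state'
    printf '%s\n' 'pass out inet proto icmp all icmp-type echoreq keep state'

    # Neighbor/router discovery, only when lo0 has an inet6 address.
    if [ "X$have_inet6" = "XYES" ]; then
        printf '%s\n' 'pass out inet6 proto icmp6 all icmp6-type neighbrsol'
        printf '%s\n' 'pass in inet6 proto icmp6 all icmp6-type neighbradv'
        printf '%s\n' 'pass out inet6 proto icmp6 all icmp6-type routersol'
        printf '%s\n' 'pass in inet6 proto icmp6 all icmp6-type routeradv'
    fi

    # Extra inbound ports: accept only plain port numbers 1-65535 so a
    # malformed rc.conf value cannot smuggle arbitrary rule text into pf.
    for p in $extra_ports; do
        case $p in
            *[!0-9]*|'') continue ;;
        esac
        if [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; then
            printf 'pass in proto tcp from any to any port %s keep state\n' "$p"
        fi
    done
}

# Number of rules a given configuration produces (used for checks).
count_rules() {
    build_early_rules "$@" | wc -l | tr -d ' '
}

# Load the generated set only if pfctl exists and accepts it in a dry run
# (pfctl -n parses without loading), then enable pf.
load_early_rules() {
    command -v pfctl >/dev/null 2>&1 || return 1
    build_early_rules "$@" | pfctl -nf - >/dev/null 2>&1 || return 1
    build_early_rules "$@" | pfctl -f - && pfctl -e
}
```

Usage: `build_early_rules YES NO "80 443"` prints the ruleset; `load_early_rules YES NO ""` would load it on a host with pfctl. The OpenBSD excerpt builds one string with embedded `\n` and relies on ksh's echo expanding it; printf with one rule per call avoids that dependency and works under /bin/sh on FreeBSD as well.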