On 2009-06-26 11:04, Max Laier wrote:
> I would like input about how a very simple "save default" setup could look 
> like.  A ruleset for pf or ipfw that allows most of the boot process to 
> complete without opening the host to the outside world, yet.  For extra 
> points this ruleset is aware of the rc.conf variables and adjusts 
> accordingly (e.g. opening access to sshd iff it is configured).  In 
> addition there might be *one or two* configuration variables for the early 
> stage to open additional ports or to select a default interface.  However, 
> the fewer the better.

If you look at how OpenBSD implements their /etc/rc script, you will see
it first loads a simple PF ruleset, which allows ssh, dns, icmp echo and
(if applicable) IPv6 routing and neighbor advertisements.

Then it does the regular network setup (/etc/netstart), followed by
loading the full PF rules.

Relevant excerpt:

######################
if [ X"${pf}" != X"NO" ]; then
        RULES="block all"
        RULES="$RULES\npass on lo0"
        RULES="$RULES\npass in proto tcp from any to any port 22 keep state"
        RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep state"
        RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"
        if ifconfig lo0 inet6 >/dev/null 2>&1; then
                RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol"
                RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
                RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
                RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
        fi
        RULES="$RULES\npass proto carp keep state (no-sync)"
        case `sysctl vfs.mounts.nfs 2>/dev/null` in
        *[1-9]*)
                # don't kill NFS
                RULES="set reassemble yes no-df\n$RULES"
                RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any"
                RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 }"
                ;;
        esac
        echo $RULES | pfctl -f -
        pfctl -e
fi

# Fill net.inet.(tcp|udp).baddynamic lists from /etc/services
fill_baddynamic udp
fill_baddynamic tcp

sysctl_conf

# set hostname, turn on network
echo 'starting network'
ifconfig -g carp carpdemote 128
if [ -f /etc/resolv.conf.save ]; then
        mv /etc/resolv.conf.save /etc/resolv.conf
        touch /etc/resolv.conf
fi
. /etc/netstart

if [ X"${pf}" != X"NO" ]; then
        if [ -f ${pf_rules} ]; then
                pfctl -f ${pf_rules}
        fi
        # bring up pfsync after the working ruleset has been loaded
        if [ -f /etc/hostname.pfsync0 ]; then
                . /etc/netstart pfsync0
        fi
fi
######################

Perhaps this approach can be molded into /etc/rc.d form? :)
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
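An added example, not part of the mail above nor of OpenBSD's /etc/rc: a POSIX sh sketch of the rc.conf-aware bootstrap ruleset Max asked for, built on the OpenBSD excerpt, that opens sshd only when it is enabled and takes the "one or two" extra variables as function arguments. The variable names sshd_enable, early_pf_ports and early_pf_if are assumptions, not existing rc.conf knobs.

```shell
#!/bin/sh
# Example only (not from the mail or OpenBSD's rc). Arguments stand in for
# hypothetical rc.conf variables: $1 = sshd_enable, $2 = early_pf_ports
# (space-separated TCP ports), $3 = early_pf_if (interface, may be empty).
# Emits the bootstrap ruleset on stdout; nothing is loaded here.
early_pf_rules() {
    sshd="$1"; extra="$2"; ifn="$3"
    on_if=""
    if [ -n "$ifn" ]; then on_if=" on $ifn"; fi
    printf 'block all\n'
    printf 'pass on lo0\n'
    # Outbound DNS and echo requests, as in the OpenBSD early ruleset.
    printf 'pass out proto { tcp, udp } from any to any port 53 keep state\n'
    printf 'pass out inet proto icmp all icmp-type echoreq keep state\n'
    # sshd is reachable only if rc.conf says sshd_enable="YES".
    case "$sshd" in
    [Yy][Ee][Ss])
        printf 'pass in%s proto tcp from any to any port 22 keep state\n' "$on_if" ;;
    esac
    # Extra ports must be numeric; anything else is reported and skipped,
    # so a typo in rc.conf cannot inject an unexpected rule.
    for p in $extra; do
        case "$p" in
        *[!0-9]*) echo "early_pf_rules: ignoring non-numeric port '$p'" >&2 ;;
        *) printf 'pass in%s proto tcp from any to any port %s keep state\n' "$on_if" "$p" ;;
        esac
    done
}

# Number of rules generated; handy for a sanity check before loading.
early_pf_rule_count() {
    early_pf_rules "$@" | wc -l | tr -d ' '
}

# Load the ruleset the way the OpenBSD excerpt does (pfctl -f - ; pfctl -e),
# but only where pfctl actually exists.
early_pf_load() {
    if command -v pfctl >/dev/null 2>&1; then
        early_pf_rules "$@" | pfctl -f - && pfctl -e
    fi
}
```

Run as `early_pf_load "$sshd_enable" "$early_pf_ports" "$early_pf_if"` from an rc.d script that is ordered before the network is brought up; the full ruleset then replaces it afterwards, as in the excerpt.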
