Well, since there are no attachments,
I am including the patches inline.
On Mon, 19 Oct 2015 10:27:16 -0500
"Karl O. Pinc" <[email protected]> wrote:
> Attached are 3 patches to -current for your
> consideration. Apply with:
>
> cd /usr/src
> patch -p1 ...
>
> The first, expose-default-pf-rules.patch, lets
> the sysadm use the rc(8) constructed default pf
> ruleset. This ability was, in a sense,
> compromised when 5.8 eliminated the pf_rules
> variable from rc.conf(8).
> The supplied patch allows the rc.conf(8) pf
> variable to be set to MINIMAL (in addition to
> the current YES and NO). A setting of MINIMAL
> loads the rc(8) default pf ruleset and enables
> pf. MINIMAL means that rc(8) does not load
> /etc/pf.conf. Any loading of /etc/pf.conf
> is left to the sysadm.
>
-----------------<snip>-----------------------
diff -ru old/etc/rc new/etc/rc
--- old/etc/rc 2015-10-18 18:48:00.563999219 -0500
+++ new/etc/rc 2015-10-18 23:32:20.084680681 -0500
@@ -329,7 +329,7 @@
# Load pf rules and bring up pfsync interface.
if [[ $pf != NO ]]; then
- if [[ -f /etc/pf.conf ]]; then
+ if [[ $pf != MINIMAL && -f /etc/pf.conf ]]; then
pfctl -f /etc/pf.conf
fi
if [[ -f /etc/hostname.pfsync0 ]]; then
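Review bot: the comment above this conditional, "# Load pf rules and bring up pfsync interface.", still describes the old unconditional behaviour; now that `pf=MINIMAL` deliberately skips /etc/pf.conf, update it to something like `# Load /etc/pf.conf (unless pf=MINIMAL) and bring up pfsync interface.` so the next reader of /etc/rc does not take the skip for a bug. Note also that `$pf != MINIMAL` is an exact, case-sensitive string compare: `pf=minimal` is not NO, so it enables pf and then falls through to loading /etc/pf.conf as if it were YES, with no diagnostic. Either state in rc.conf(8) that the value must be spelled exactly `MINIMAL` (the `.Cm MINIMAL` markup does that implicitly) or reject unknown values explicitly.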
diff -ru old/usr/share/man8/rc.conf.8 new/usr/share/man8/rc.conf.8
--- old/usr/share/man8/rc.conf.8 2015-10-18 18:52:15.094082040 -0500
+++ new/usr/share/man8/rc.conf.8 2015-10-19 09:56:04.757154333 -0500
@@ -187,6 +187,19 @@
.Xr spamd-setup 8 .
.El
.Pp
+.Cm pf
+may also be set to
+.Cm MINIMAL .
+This enables
+.Xr pf 4
+packet filtering and, instead of loading the
+.Pa /etc/pf.conf
+ruleset, retains the ruleset defined in
+.Xr rc 8
+by the
+.Va RULES
+variable.
+.Pp
.Sy Auxiliary
configuration variables mostly determine
the locations of specific configuration files.
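Review bot: this paragraph documents `.Va RULES` as though it were a public variable of rc(8), but RULES is an internal shell variable of /etc/rc, and the third patch in this series removes the reference again; land the final wording from that patch ("retains the ruleset constructed by .Xr rc 8") here directly instead of adding text and then reverting it. The new paragraph is also placed after the `.El` that closes the preceding list, so it sits apart from the entry that introduces the YES and NO values it extends; check the rendered page and consider putting it in the `pf` entry itself. A sentence saying that MINIMAL only affects what rc(8) does at boot, and that the administrator can still load /etc/pf.conf later with `pfctl -f /etc/pf.conf`, would make the intended use clear.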
-----------------<snip>-----------------------
> The 2nd patch, rc-RULES-doc.patch, documents
> the default pf ruleset in the rc(8) man page.
-----------------<snip>-----------------------
diff -ru old/usr/share/man8/rc.8 new/usr/share/man8/rc.8
--- old/usr/share/man8/rc.8 2015-10-18 18:51:57.794484223 -0500
+++ new/usr/share/man8/rc.8 2015-10-19 09:49:33.190198395 -0500
@@ -156,6 +156,19 @@
.Nm rc ,
but this time without performing the file system preen.
.Pp
+.Nm rc
+defines a set of minimal packet filter rules in it's
+.Va RULES
+variable, used when the
+.Xr pf 4
+packet filter is enabled but before
+.Pa /etc/pf.conf
+is loaded. These rules deny all traffic except that
+necessary for inbound SSH connections, outbound ICMP ECHO_REQUEST
+datagrams and their returning ECHO_REPLY datagrams, DHCP and BOOTP
+client configuration, CARP synchronization and, if needed, NFS mounts
+of remote file systems.
+.Pp
Before
.Nm rc
starts most system daemons,
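Review bot: `in it's .Va RULES variable` should read `in its` (possessive, no apostrophe). mdoc convention is one sentence per line, so `is loaded. These rules deny all traffic except that` should break after `is loaded.` and start `These rules ...` on its own line. As with the rc.conf(8) hunk, this text names the internal RULES variable that the third patch then removes; squash to the final wording. Finally, the list of what the minimal rules permit (inbound SSH, outbound ICMP echo, DHCP/BOOTP, CARP, NFS) restates the current contents of /etc/rc and will silently drift the next time those rules change; either keep the description general ("the minimum needed to complete the boot") or point the reader at /etc/rc for the authoritative list.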
-----------------<snip>-----------------------
> The 3rd patch, rc-RULES-doc-fix.patch, eliminates
> the mention of the RULES variable in rc(8) from
> the man pages.
-----------------<snip>-----------------------
diff -ru new/sbin/pfctl/pfctl.8 newer/sbin/pfctl/pfctl.8
--- new/sbin/pfctl/pfctl.8 2015-10-18 20:27:07.621084480 -0500
+++ newer/sbin/pfctl/pfctl.8 2015-10-19 10:12:20.638745856 -0500
@@ -98,9 +98,7 @@
be unable to load a ruleset,
an error occurs and the original ruleset remains in place.
If this happens at system startup,
-the ruleset defined by the
-.Va RULES
-variable in
+the minimal ruleset constructed by
.Xr rc 8
remains in place.
.Pp
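Review bot: this hunk rewrites pre-existing pfctl(8) text that already referred to the RULES variable, which is independent of the MINIMAL feature; it should go in as its own small diff so the cleanup is not held up by the discussion of the new rc.conf value. The replacement wording, "the minimal ruleset constructed by rc(8)", matches the phrasing used for rc(8) and rc.conf(8) in the rest of this patch, which is good; keep that exact phrase in all three pages so readers can grep for it.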
diff -ru new/usr/share/man8/rc.8 newer/usr/share/man8/rc.8
--- new/usr/share/man8/rc.8 2015-10-19 09:49:33.190198395 -0500
+++ newer/usr/share/man8/rc.8 2015-10-19 10:11:50.091443657 -0500
@@ -156,12 +156,11 @@
.Nm rc ,
but this time without performing the file system preen.
.Pp
-.Nm rc
-defines a set of minimal packet filter rules in it's
-.Va RULES
-variable, used when the
+If the
.Xr pf 4
-packet filter is enabled but before
+packet filter is enabled
+.Nm rc
+constructs a minimal set of rules for use until
.Pa /etc/pf.conf
is loaded. These rules deny all traffic except that
necessary for inbound SSH connections, outbound ICMP ECHO_REQUEST
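Review bot: the new sentence needs a comma after the subordinate clause: `packet filter is enabled,` before `.Nm rc` / `constructs a minimal set of rules`. The unchanged context still has `is loaded. These rules deny all traffic except that` as one line; since this hunk is already touching the paragraph, split it at the sentence boundary per mdoc style. This diff is taken against `new/`, that is, the tree with patch 2 already applied, so it only re-edits lines patch 2 introduced; fold it into patch 2 rather than posting the paragraph twice.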
diff -ru new/usr/share/man8/rc.conf.8 newer/usr/share/man8/rc.conf.8
--- new/usr/share/man8/rc.conf.8 2015-10-19 09:56:04.757154333 -0500
+++ newer/usr/share/man8/rc.conf.8 2015-10-19 10:12:03.667133799 -0500
@@ -192,13 +192,10 @@
.Cm MINIMAL .
This enables
.Xr pf 4
-packet filtering and, instead of loading the
-.Pa /etc/pf.conf
-ruleset, retains the ruleset defined in
-.Xr rc 8
-by the
-.Va RULES
-variable.
+packet filtering and retains the ruleset constructed by
+.Xr rc 8 ,
+instead of loading
+.Pa /etc/pf.conf .
.Pp
.Sy Auxiliary
configuration variables mostly determine
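Review bot: this hunk only re-edits text that patch 1 added (the base is `new/usr/share/man8/rc.conf.8` with the 09:56 timestamp), so the series as posted must be applied as 1, 2, 3 in that order and a reviewer reads the same paragraph in two states; please squash the three into a single diff against a pristine -current tree. The final wording is the right one, and `.Xr rc 8 ,` with the comma as a separate argument is correct mdoc. One gap remains: the text says what rc(8) does not do under MINIMAL, but not that pf stays enabled with only the boot ruleset and that loading a full ruleset is then the administrator's job; a closing sentence to that effect would spell out the intent stated in the cover mail.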
-----------------<snip>-----------------------
Karl <[email protected]>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein