On 2009-06-26 11:04, Max Laier wrote:
> I would like input about what a very simple "safe default" setup could look
> like. A ruleset for pf or ipfw that allows most of the boot process to
> complete without opening the host to the outside world, yet. For extra
> points this ruleset is aware of the rc.conf variables and adjusts
> accordingly (e.g. opening access to sshd iff it is configured). In
> addition there might be *one or two* configuration variables for the early
> stage to open additional ports or to select a default interface. However,
> the fewer the better.

If you look at how OpenBSD implements their /etc/rc script, you will see it
first loads a simple PF ruleset, which allows ssh, dns, icmp echo and (if
applicable) IPv6 routing and neighbor advertisements. Then it does the
regular network setup (/etc/netstart), followed by loading the full PF rules.

Relevant excerpt:

######################
if [ X"${pf}" != X"NO" ]; then
	RULES="block all"
	RULES="$RULES\npass on lo0"
	RULES="$RULES\npass in proto tcp from any to any port 22 keep state"
	RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep state"
	RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"
	if ifconfig lo0 inet6 >/dev/null 2>&1; then
		RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol"
		RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
		RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
		RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
	fi
	RULES="$RULES\npass proto carp keep state (no-sync)"
	case `sysctl vfs.mounts.nfs 2>/dev/null` in
	*[1-9]*)
		# don't kill NFS
		RULES="set reassemble yes no-df\n$RULES"
		RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any"
		RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 }"
		;;
	esac
	echo $RULES | pfctl -f -
	pfctl -e
fi

# Fill net.inet.(tcp|udp).baddynamic lists from /etc/services
fill_baddynamic udp
fill_baddynamic tcp

sysctl_conf

# set hostname, turn on network
echo 'starting network'
ifconfig -g carp carpdemote 128
if [ -f /etc/resolv.conf.save ]; then
	mv /etc/resolv.conf.save /etc/resolv.conf
	touch /etc/resolv.conf
fi
. /etc/netstart

if [ X"${pf}" != X"NO" ]; then
	if [ -f ${pf_rules} ]; then
		pfctl -f ${pf_rules}
	fi
	# bring up pfsync after the working ruleset has been loaded
	if [ -f /etc/hostname.pfsync0 ]; then
		. /etc/netstart pfsync0
	fi
fi
######################

Perhaps this approach can be molded into /etc/rc.d form? :)

Received on Fri Jun 26 2009 - 09:58:22 UTC
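An added example, not from the original post and not OpenBSD's or FreeBSD's own code: a POSIX sh sketch of the rc.conf-aware early ruleset Max asked for, built in the shape of the OpenBSD excerpt above. `sshd_enable` is a real FreeBSD rc.conf knob; `early_firewall_ports`, `early_firewall_interface`, and using `ipv6_enable` to gate the icmp6 rules are assumptions made for the example. Nothing is loaded into pf: the generator only prints a ruleset, and `check_ruleset` parses it with `pfctl -n` where pfctl exists.

```shell
#!/bin/sh
# Added example: an rc.conf-aware "safe default" early ruleset generator
# modelled on the OpenBSD /etc/rc excerpt. Not code from the original post,
# OpenBSD or FreeBSD. Variables (normally sourced from rc.conf by an rc.d
# script; set directly here for the demo):
#   sshd_enable              real FreeBSD knob; YES opens inbound tcp/22
#   ipv6_enable              YES adds the icmp6 ND/RA rules (assumption)
#   early_firewall_ports     hypothetical: extra inbound TCP ports, space separated
#   early_firewall_interface hypothetical: restrict inbound exceptions to one interface

# early_pf_ruleset: print a minimal deny-by-default pf ruleset on stdout.
early_pf_ruleset() {
	iface=""
	if [ -n "${early_firewall_interface}" ]; then
		iface=" on ${early_firewall_interface}"
	fi

	# Default deny, allow loopback, and let the host resolve names and
	# ping out; "keep state" lets the replies back in.
	echo "block all"
	echo "pass on lo0"
	echo "pass out proto { tcp, udp } from any to any port 53 keep state"
	echo "pass out inet proto icmp all icmp-type echoreq keep state"

	# Inbound ssh only if rc.conf says sshd will actually be started.
	case "${sshd_enable}" in
	[Yy][Ee][Ss])
		echo "pass in${iface} proto tcp from any to any port 22 keep state" ;;
	esac

	# Extra inbound ports for the early stage. Each token is validated so
	# a typo in rc.conf yields a commented-out line, never a wider rule.
	for p in ${early_firewall_ports}; do
		case "$p" in
		*[!0-9]*|""|??????*)
			echo "# ignored early_firewall_ports entry '$p'" ;;
		*)
			if [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; then
				echo "pass in${iface} proto tcp from any to any port $p keep state"
			else
				echo "# ignored early_firewall_ports entry '$p'"
			fi ;;
		esac
	done

	# IPv6 neighbor/router discovery, as in the OpenBSD excerpt.
	case "${ipv6_enable}" in
	[Yy][Ee][Ss])
		echo "pass out inet6 proto icmp6 all icmp6-type neighbrsol"
		echo "pass in inet6 proto icmp6 all icmp6-type neighbradv"
		echo "pass out inet6 proto icmp6 all icmp6-type routersol"
		echo "pass in inet6 proto icmp6 all icmp6-type routeradv" ;;
	esac
}

# count_inbound: number of "pass in" rules in a ruleset read on stdin, i.e.
# what the early stage exposes to the network.
count_inbound() {
	awk '/^pass in/ { n++ } END { print n + 0 }'
}

# check_ruleset: parse a ruleset from stdin with pfctl -n (parse only,
# nothing is loaded). Skipped where pfctl is absent.
check_ruleset() {
	if command -v pfctl >/dev/null 2>&1; then
		pfctl -nf -
	else
		cat >/dev/null
		echo "pfctl not found; syntax check skipped" >&2
	fi
}

# Demonstration with constructed rc.conf-style settings, in a subshell so
# nothing leaks into the caller's environment.
(
	sshd_enable=YES
	ipv6_enable=YES
	early_firewall_ports="80 443 70000 bogus"
	early_firewall_interface=em0
	early_pf_ruleset
)
```

On a real rc.d script the variables would come from `load_rc_config`, and the generated text would go through `check_ruleset` before `pfctl -f -`; the port validation matters because an unvalidated token from rc.conf ends up verbatim in a `pass in` rule.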