Subject: Re: pf doesn't start normally anymore
To: None <tech-security@NetBSD.org>
From: Peter Postma <peter@pointless.nl>
List: tech-security
Date: 08/12/2005 01:48:15
--8t9RHnE3ZwKMSgU+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, Aug 12, 2005 at 07:12:49AM +0900, YAMAMOTO Takashi wrote:
> > I suppose
> > startup scripts could install a block all, bring up networks, and then
> > install the real ruleset.
> 
> fwiw it's similar to what openbsd does.
> 

Yes. I have changed my mind about the possible security problem and
implemented the "openbsd solution" (see the pf_default attachment). It simply
adds rules to block everything, plus some "pass" rules so that the network
configuration is not hindered.

If anyone has ideas for improvements, please let me know, otherwise I'll
commit this in a few days.

-- 
Peter Postma

--8t9RHnE3ZwKMSgU+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=pf_default

#!/bin/sh
#
# $NetBSD$
#

# PROVIDE: pf_default
# REQUIRE: root beforenetlkm mountcritlocal tty
# BEFORE: network

# Source rc.subr unless it is already loaded: rc.subr sets
# _rc_subr_loaded to ":" once read, which turns this line into a no-op.
$_rc_subr_loaded . /etc/rc.subr

name="pf_default"
# Shares pf's rc.conf(5) knob, so this script runs exactly when pf=YES.
rcvar="pf"
# Only a start action is provided; the default ruleset is replaced by
# rc.d/pf later in the boot, so nothing needs to be torn down here.
start_cmd="pf_default_start"

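#
# Install a minimal "block all" ruleset and enable pf before the network
# is configured, so that no traffic is passed between the interfaces
# coming up and the real ruleset (rc.d/pf) being loaded.  Only what the
# network configuration itself needs is let through: lo0, outbound DNS
# lookups, outbound ping, IPv6 neighbour/router discovery when the kernel
# has INET6, and UDP to/from ports 111 and 2049 when an NFS filesystem is
# mounted.
#
# Globals:  autoboot (read, set by rc(8))
# Outputs:  diagnostics via err() on stderr
# Exits:    1 if not at boot, or if the ruleset cannot be loaded / pf
#           cannot be enabled
#
pf_default_start()
{
	if [ "$autoboot" != "yes" ]; then
		err 1 "This script should only be executed at boot time."
	fi

	# Probe the kernel for IPv6 support and the mount table for NFS.
	if ifconfig lo0 inet6 >/dev/null 2>&1; then inet6=1; else inet6=0; fi
	if mount | grep 'type nfs' >/dev/null 2>&1; then nfs=1; else nfs=0; fi

	# Generate the ruleset and feed it to pfctl on stdin.  In /bin/sh the
	# pipeline's status is pfctl's, so a ruleset that fails to parse or
	# load is caught here.  pf must NOT be enabled in that case: with no
	# ruleset loaded pf passes everything, which would silently defeat
	# the purpose of this script.
	awk -v "inet6=$inet6" \
	    -v "nfs=$nfs" \
	'BEGIN {
	  if (nfs) {
		# presumably needed for NFS fragments carrying DF -- confirm
		print "scrub in all no-df"
	  }
	  print "block all"
	  print "pass on lo0"
	  print "pass out proto { tcp, udp } from any to any port 53 keep state"
	  print "pass out inet proto icmp all icmp-type echoreq keep state"
	  if (inet6) {
		print "pass out inet6 proto icmp6 all icmp6-type neighbrsol"
		print "pass in inet6 proto icmp6 all icmp6-type neighbradv"
		print "pass out inet6 proto icmp6 all icmp6-type routersol"
		print "pass in inet6 proto icmp6 all icmp6-type routeradv"
	  }
	  if (nfs) {
		print "pass in proto udp from any port { 111, 2049 } to any"
		print "pass out proto udp from any to any port { 111, 2049 }"
	  }
	}' | /sbin/pfctl -q -f - || err 1 "Failed to load the default pf ruleset."

	# Enable filtering only now that the block-all ruleset is in place.
	/sbin/pfctl -q -e || err 1 "Failed to enable pf."
}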

# Pull in rc.conf(5) settings for this script (honours rcvar="pf"),
# then let rc.subr dispatch the requested action to start_cmd.
load_rc_config "${name}"
run_rc_command "$1"

--8t9RHnE3ZwKMSgU+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pf.diff"

? pf_default
Index: pf
===================================================================
RCS file: /cvsroot/src/etc/rc.d/pf,v
retrieving revision 1.5
diff -u -u -r1.5 pf
--- pf	10 Aug 2005 13:52:05 -0000	1.5
+++ pf	11 Aug 2005 23:21:14 -0000
@@ -4,8 +4,8 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root beforenetlkm mountcritlocal tty
-# BEFORE: network
+# REQUIRE: root beforenetlkm mountcritlocal tty network dhclient
+# BEFORE: NETWORKING
 
 $_rc_subr_loaded . /etc/rc.subr
 
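Review bot: The new REQUIRE/BEFORE lines move pf after network and dhclient without recording what covers the interval in between, so a reader of this file alone cannot tell why a firewall script now deliberately starts after the interfaces are up. The arrangement relies on the separate pf_default script (not part of this diff) having installed a block-all ruleset before `network`; a comment next to the rcorder keywords would capture that pairing, e.g. `# pf_default installs a block-all default ruleset before network; this script replaces it with the real rules once the interfaces (and DHCP) are up.` Note that listing `dhclient` in REQUIRE only affects ordering, not whether dhclient is enabled, which appears to be the intent.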
@@ -38,7 +38,12 @@
 pf_start()
 {
 	echo "Enabling pf firewall."
-	/sbin/pfctl -q -e 
+
+	# The pf_default script has enabled pf already.
+	if [ "$autoboot" != yes ]; then
+		/sbin/pfctl -q -e 
+	fi
+
 	if [ -f ${pf_rules} ]; then
 		/sbin/pfctl -q -f ${pf_rules}
 	else
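Review bot: The new guard `if [ "$autoboot" != yes ]` around `pfctl -q -e` assumes pf_default already enabled pf whenever the system is booting, but nothing verifies that; if pf_default exits early (its ruleset failing to load, or the script being absent or disabled) the real ruleset is loaded into a disabled pf and the host finishes booting with no filtering and no message. Testing the actual state is more robust than testing the boot flag, e.g. `if ! /sbin/pfctl -s info 2>/dev/null | grep -q '^Status: Enabled'; then` / `/sbin/pfctl -q -e` / `fi`, which also keeps the comment truthful when pf_default did not run. The copied `/sbin/pfctl -q -e ` line retains the trailing space from the removed line. The body of pf_start continues past the end of the hunk.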

--8t9RHnE3ZwKMSgU+--