Subject: initial pf configuration
To: None <tech-security@NetBSD.org>
From: Peter Postma <peter@pointless.nl>
List: tech-security
Date: 08/18/2005 00:20:02
--SUOF0GtieIMvvwua
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi,

I've made a solution for the pf(4) startup problem and the possible security
issues it causes (see the recent discussion, subject "pf doesn't start normally
anymore") and implemented pf.boot.conf, as suggested by YAMAMOTO Takashi.

Attached are the new files and diffs. I'm planning to commit this next
week if there are no complaints.

-- 
Peter Postma

--SUOF0GtieIMvvwua
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pfboot.new"

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	etc/rc.d/pf_boot
#	usr.sbin/pf/etc/defaults/Makefile
#	usr.sbin/pf/etc/defaults/pf.boot.conf
#	usr.sbin/pf/man/man5/pf.boot.conf.5
#
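# Unpack etc/rc.d/pf_boot: the rc.d script that loads the initial pf(4)
# ruleset and enables pf before the network is configured.  Every payload
# line carries an "X" prefix (stripped by sed) so leading whitespace and
# "$"-starting lines survive the archive; the delimiter is quoted, so nothing
# in the payload is expanded here.
# Change from the original script: a pfctl failure (ruleset does not parse,
# pf cannot be enabled) is treated exactly like a missing ruleset file, i.e.
# the boot is aborted.  Otherwise pf would be enabled without the rules this
# script exists to provide.
echo x - etc/rc.d/pf_boot
sed 's/^X//' >etc/rc.d/pf_boot << 'END-of-etc/rc.d/pf_boot'
X#!/bin/sh
X#
X# $NetBSD$
X#
X
X# PROVIDE: pf_boot
X# REQUIRE: root beforenetlkm mountcritlocal tty
X# BEFORE: network
X
X$_rc_subr_loaded . /etc/rc.subr
X
Xname="pf_boot"
Xrcvar="pf"
Xstart_cmd="pf_boot_start"
Xstop_cmd=":"
X
X# Abort the boot because the initial ruleset is not in place.
X# $1 - message reported through warn(rc.subr)
Xpf_boot_abort()
X{
X	warn "$1"
X	echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
X	kill -TERM $$
X	exit 1
X}
X
Xpf_boot_start()
X{
X	if [ "$autoboot" != "yes" ]; then
X		err 1 "This script should only be executed at boot time."
X	fi
X
X	# /etc/pf.boot.conf overrides the file shipped in /etc/defaults.
X	if [ -f /etc/pf.boot.conf ]; then
X		rules=/etc/pf.boot.conf
X	elif [ -f /etc/defaults/pf.boot.conf ]; then
X		rules=/etc/defaults/pf.boot.conf
X	else
X		pf_boot_abort "can't load initial pf rules; pf start aborted."
X	fi
X
X	# Load before enabling, and never enable pf when the load failed
X	# (e.g. a syntax error in the file): pf would then run without
X	# the initial ruleset.
X	if ! /sbin/pfctl -q -f "$rules"; then
X		pf_boot_abort "can't load initial pf rules from $rules; pf start aborted."
X	fi
X
X	if ! /sbin/pfctl -q -e; then
X		pf_boot_abort "can't enable pf; pf start aborted."
X	fi
X}
X
Xload_rc_config $name
Xrun_rc_command "$1"
END-of-etc/rc.d/pf_boot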
# Unpack usr.sbin/pf/etc/defaults/Makefile, which installs pf.boot.conf into
# /etc/defaults.  The "X" prefix on every payload line is stripped by sed;
# the quoted delimiter keeps the payload literal.
printf '%s\n' 'x - usr.sbin/pf/etc/defaults/Makefile'
sed -e 's/^X//' <<'END-of-usr.sbin/pf/etc/defaults/Makefile' >usr.sbin/pf/etc/defaults/Makefile
X#	$NetBSD$
X
X.include <bsd.own.mk>
X
XFILESDIR=	/etc/defaults
XFILESMODE=	644
X
XCONFIGFILES=	pf.boot.conf
X
X.include <bsd.prog.mk>
END-of-usr.sbin/pf/etc/defaults/Makefile
# Unpack usr.sbin/pf/etc/defaults/pf.boot.conf: the default initial ruleset
# (default deny, loopback, outgoing DNS, outgoing echo requests and the IPv6
# neighbour/router discovery messages).  Payload is written literally after
# sed strips the "X" prefix from each line.
printf '%s\n' 'x - usr.sbin/pf/etc/defaults/pf.boot.conf'
sed -e 's/^X//' <<'END-of-usr.sbin/pf/etc/defaults/pf.boot.conf' >usr.sbin/pf/etc/defaults/pf.boot.conf
X#	$NetBSD$
X#
X# /etc/defaults/pf.boot.conf --
X#	initial configuration for pf(4)
X#
X# see pf.boot.conf(5) for more information.
X#
X# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
X# EDIT /etc/pf.boot.conf INSTEAD.
X#
X
X# Default deny.
Xblock all
X
X# Don't block loopback.
Xpass on lo0
X
X# Allow outgoing dns, needed by pfctl to resolve names.
Xpass out proto { tcp, udp } from any to any port 53 keep state
X
X# Allow outgoing ping request, might be needed by dhclient to validate
X# old (but valid) leases in /var/db/dhclient.leases in case it needs to
X# fall back to such a lease (the dhcp server can be down or not responding).
Xpass out inet proto icmp all icmp-type echoreq keep state
X
X# Allow IPv6 router/neighbor sollicitation and advertisement.
Xpass out inet6 proto icmp6 all icmp6-type neighbrsol
Xpass in inet6 proto icmp6 all icmp6-type neighbradv
Xpass out inet6 proto icmp6 all icmp6-type routersol
Xpass in inet6 proto icmp6 all icmp6-type routeradv
END-of-usr.sbin/pf/etc/defaults/pf.boot.conf
# Unpack usr.sbin/pf/man/man5/pf.boot.conf.5, the mdoc(7) manual page for
# the initial ruleset file.  The payload is mdoc source and must be written
# byte for byte: sed only strips the "X" prefix, and the quoted delimiter
# prevents any expansion of the ".\"" comment lines or the text.
echo x - usr.sbin/pf/man/man5/pf.boot.conf.5
sed 's/^X//' >usr.sbin/pf/man/man5/pf.boot.conf.5 << 'END-of-usr.sbin/pf/man/man5/pf.boot.conf.5'
X.\"	$NetBSD$
X.\"
X.\" Copyright (c) 2005 Peter Postma <peter@NetBSD.org>
X.\" All rights reserved.
X.\"
X.\" Redistribution and use in source and binary forms, with or without
X.\" modification, are permitted provided that the following conditions
X.\" are met:
X.\" 1. Redistributions of source code must retain the above copyright
X.\"    notice, this list of conditions and the following disclaimer.
X.\" 2. Redistributions in binary form must reproduce the above copyright
X.\"    notice, this list of conditions and the following disclaimer in the
X.\"    documentation and/or other materials provided with the distribution.
X.\"
X.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X.\" SUCH DAMAGE.
X.\"
X.Dd August 17, 2005
X.Dt PF.BOOT.CONF 5
X.Os
X.Sh NAME
X.Nm pf.boot.conf
X.Nd initial configuration for packet filter
X.Sh DESCRIPTION
XThe
X.Nm
Xfile is used as initial configuration for the
X.Xr pf 4
Xpacket filter.
XThis file is loaded before the network is configured by the
X.Xr rc.d 8
Xscript
X.Em network .
XIts purpose is to protect the machine from possible attacks between
Xthe network configuration and the loading of the final ruleset.
X.Pp
XThe syntax of this file is described in
X.Xr pf.conf 5 .
X.Pp
XNote that at the stage the configuration is loaded, the network
Xinterface(s) do not have an IP address yet, so you
X.Em cannot
Xuse rules that derive addresses from an interface (for example:
X.Dq pass out from any to fxp0 ) .
X.Sh FILES
X.Bl -tag -width "/etc/defaults/pf.boot.conf" -compact
X.It Pa /etc/defaults/pf.boot.conf
XDefault initial ruleset file.
X.It Pa /etc/pf.boot.conf
XOverride of the default initial ruleset file.
X.El
X.Sh EXAMPLES
XWhen using NFS (e.g. diskless situations), you'll also need the following
Xrules in addition to the default rules to unblock NFS:
X.Bd -literal -offset indent
Xscrub in all no-df
Xpass in proto udp from any port { 111, 2049 } to any
Xpass out proto udp from any to any port { 111, 2049 }
X.Ed
X.Sh SEE ALSO
X.Xr pf 4 ,
X.Xr pf.conf 5 ,
X.Xr pfctl 8
END-of-usr.sbin/pf/man/man5/pf.boot.conf.5
# End of the shell archive; exit with the status of the last unpack step.
exit


--SUOF0GtieIMvvwua
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pfboot.diff"

Index: etc/mtree/special
===================================================================
RCS file: /cvsroot/src/etc/mtree/special,v
retrieving revision 1.88
diff -u -r1.88 special
--- etc/mtree/special	27 Jun 2005 20:32:40 -0000	1.88
+++ etc/mtree/special	17 Aug 2005 21:51:18 -0000
@@ -201,6 +201,9 @@
 ./etc/rc.d/nfslocking		type=file mode=0555
 ./etc/rc.d/ntpd			type=file mode=0555
 ./etc/rc.d/ntpdate		type=file mode=0555
+./etc/rc.d/pf			type=file mode=0555
+./etc/rc.d/pf_boot		type=file mode=0555
+./etc/rc.d/pflogd		type=file mode=0555
 ./etc/rc.d/poffd		type=file mode=0555
 ./etc/rc.d/postfix		type=file mode=0555
 ./etc/rc.d/powerd		type=file mode=0555
Index: etc/rc.d/Makefile
===================================================================
RCS file: /cvsroot/src/etc/rc.d/Makefile,v
retrieving revision 1.51
diff -u -r1.51 Makefile
--- etc/rc.d/Makefile	4 Aug 2005 22:32:44 -0000	1.51
+++ etc/rc.d/Makefile	17 Aug 2005 21:51:19 -0000
@@ -17,7 +17,7 @@
 	mixerctl mopd motd mountall mountcritlocal mountcritremote mountd \
 	moused mrouted \
 	named ndbootd network newsyslog nfsd nfslocking ntpd ntpdate \
-	pf pflogd poffd postfix powerd ppp pwcheck quota \
+	pf pf_boot pflogd poffd postfix powerd ppp pwcheck quota \
 	racoon rpcbind raidframe raidframeparity rarpd rbootd root \
 	route6d routed rtadvd rtclocaltime rtsold rwho \
 	savecore screenblank sendmail securelevel smmsp sshd \
Index: etc/rc.d/pf
===================================================================
RCS file: /cvsroot/src/etc/rc.d/pf,v
retrieving revision 1.5
diff -u -r1.5 pf
--- etc/rc.d/pf	10 Aug 2005 13:52:05 -0000	1.5
+++ etc/rc.d/pf	17 Aug 2005 21:51:19 -0000
@@ -4,8 +4,8 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: root beforenetlkm mountcritlocal tty
-# BEFORE: network
+# REQUIRE: root beforenetlkm mountcritlocal tty network dhclient
+# BEFORE: NETWORKING
 
 $_rc_subr_loaded . /etc/rc.subr
 
@@ -38,7 +38,12 @@
 pf_start()
 {
 	echo "Enabling pf firewall."
-	/sbin/pfctl -q -e 
+
+	# The pf_boot script has enabled pf already.
+	if [ "$autoboot" != yes ]; then
+		/sbin/pfctl -q -e 
+	fi
+
 	if [ -f ${pf_rules} ]; then
 		/sbin/pfctl -q -f ${pf_rules}
 	else
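Review bot: The new `[ "$autoboot" != yes ]` gate skips `pfctl -e` at boot on the assumption that pf_boot has already enabled pf, but the comment does not say why that assumption holds or what happens when it does not; a boot on which pf_boot is absent or never reached its enable would load `${pf_rules}` into a disabled pf with no message. The coupling is that both scripts use `rcvar="pf"`, so it is worth stating it: `# At boot, pf_boot (same rcvar) has already enabled pf; presumably a second pfctl -e would fail.` The trailing blank after `-e ` on the re-indented line is carried over from the old line and could be dropped while touching it. pf_start continues past the end of this hunk.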
Index: usr.sbin/pf/Makefile
===================================================================
RCS file: /cvsroot/src/usr.sbin/pf/Makefile,v
retrieving revision 1.6
diff -u -r1.6 Makefile
--- usr.sbin/pf/Makefile	27 Jun 2005 20:32:40 -0000	1.6
+++ usr.sbin/pf/Makefile	17 Aug 2005 21:51:19 -0000
@@ -15,5 +15,6 @@
 
 configinstall:
 	${MAKEDIRTARGET} etc configinstall
+	${MAKEDIRTARGET} etc/defaults configinstall
 
 .include <bsd.subdir.mk>
Index: usr.sbin/pf/man/man5/Makefile
===================================================================
RCS file: /cvsroot/src/usr.sbin/pf/man/man5/Makefile,v
retrieving revision 1.4
diff -u -r1.4 Makefile
--- usr.sbin/pf/man/man5/Makefile	27 Jun 2005 20:32:40 -0000	1.4
+++ usr.sbin/pf/man/man5/Makefile	17 Aug 2005 21:51:19 -0000
@@ -4,6 +4,7 @@
 
 .PATH:	${NETBSDSRCDIR}/dist/pf/share/man/man5
 
+MAN+=	pf.boot.conf.5
 MAN+=	pf.conf.5
 MAN+=	pf.os.5
 
Index: usr.sbin/postinstall/postinstall
===================================================================
RCS file: /cvsroot/src/usr.sbin/postinstall/postinstall,v
retrieving revision 1.3
diff -u -r1.3 postinstall
--- usr.sbin/postinstall/postinstall	26 Apr 2005 01:07:35 -0000	1.3
+++ usr.sbin/postinstall/postinstall	17 Aug 2005 21:51:19 -0000
@@ -499,6 +499,9 @@
 
 	compare_dir $1 ${SRC_DIR}/etc/defaults ${DEST_DIR}/etc/defaults 444 \
 		daily.conf monthly.conf rc.conf security.conf weekly.conf
+
+	compare_dir $1 ${SRC_DIR}/usr.sbin/pf/etc/defaults \
+		${DEST_DIR}/etc/defaults 444 pf.boot.conf
 }
 
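Review bot: The new compare_dir call installs pf.boot.conf with mode 444, while the attached usr.sbin/pf/etc/defaults/Makefile sets `FILESMODE=	644` for the same file, so a file installed by the build and one repaired by postinstall end up with different permissions (and, if compare_dir checks mode, postinstall may keep flagging the build-installed copy). The other etc/defaults entries on the line above already use 444, so the simplest fix is to align the Makefile: `FILESMODE=	444`. The enclosing postinstall function begins before this hunk.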
 #
@@ -572,8 +575,9 @@
 		kdc ldconfig lkm1 lkm2 lkm3 local lpd mopd motd \
 		mountall mountcritlocal mountcritremote mountd moused \
 		mrouted mixerctl named ndbootd network newsyslog nfsd \
-		nfslocking ntpd ntpdate pf pflogd poffd postfix powerd ppp \
-		pwcheck quota racoon rpcbind raidframe raidframeparity rarpd \
+		nfslocking ntpd ntpdate pf pf_boot pflogd poffd postfix \
+		powerd ppp pwcheck \
+		quota racoon rpcbind raidframe raidframeparity rarpd \
 		rbootd root route6d routed rtadvd rtclocaltime rtsold rwho \
 		savecore screenblank sendmail securelevel smmsp sshd \
 		staticroute swap1 swap2 sysdb sysctl syslogd timed tpctl ttys \

--SUOF0GtieIMvvwua--