
Re: Is a 'PF default to block' setting outside pf.conf a desirable feature?

On 11/09/2005 02:57:08 AM, Peter N. M. Hansteen wrote:
> Over in the comp.unix.bsd.freebsd.misc news group, there's a
> discussion about what happens when PF loads, specifically a perceived
> 'window of opportunity' for an attacker in the interval between PF
> getting enabled and the rule set loading, and what happens if the rule
> set you load at boot time is an empty or invalid rule set.

What I decided to do is the following, which is somewhat but not entirely relevant. (I use OpenBSD & my goal is somewhat different. See 1 below) I'd appreciate any comments:

1)  Use dns names in pf.conf in place of IP numbers on the
local network, with names in the local DNS server.  I find
this much easier to maintain.  This is the goal of this
configuration.

2) Therefore, have the firewall be a dns secondary.
(Configured with a long "can't talk to the primary"
lifetime.)

3) Turn off routing (net.inet.ip.forwarding=0) in /etc/sysctl.conf.

4) Turn off the firewall (PF=NO) in /etc/rc.conf (the default IIRC.)

5) Then, in rc.local turn on routing only if the firewall successfully
loads, as follows:

# Turn the packet filter on
echo -n 'enabling packet filtering and routing:'
# net.inet.ip.forwarding=1 means permit forwarding (routing) of packets
pfctl -ef /etc/pf.conf \
&& echo -n ' pf' \
&& sysctl -w net.inet.ip.forwarding=1 \
&& echo -n ' forwarding' \
|| logger -s -t rc.local -p kern.alert "$?: packet filter and routing initialization failed"
echo


One issue is that there is no firewall for the firewall itself
until routing is turned on.  For me this is not a problem
as the firewall runs no services (but ssh.)  The solution,
as in the responses above by Jon Hart and Nick Holland, is
to have a very simple "block lots of stuff" default pf.conf
and have it load on boot.

Now, if your primary dns goes down for a very long time, your firewall
won't reboot.  But then you've got other problems anyway.

If people don't find any problems with this config, it's so
handy to be able to use DNS names in the config file that
I'd like to see this included somewhere in the pf FAQ.

Karl <[email protected]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
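The "block lots of stuff" fallback rule set that the post says should be loaded by rc at boot (pf=YES) so the firewall is not unprotected before rc.local runs, written here as an added example rather than anything from the post. It uses only literal addresses, because DNS names in pf.conf are resolved when the file is loaded and the local secondary may not be answering yet; the interface names, the management network 192.0.2.0/24 and the primary DNS address 198.51.100.53 are constructed placeholders, and rc.local is assumed to load the name-based rule set from a separate file (say /etc/pf.conf.local, a hypothetical path) instead of /etc/pf.conf.

```pf
# Minimal fallback /etc/pf.conf, loaded by /etc/rc at boot (constructed example).
# Only literal addresses: DNS names would have to resolve at load time,
# and the name-based rule set is loaded later from rc.local.
ext_if    = "em0"              # assumption: external interface
int_if    = "em1"              # assumption: internal interface
admin_net = "192.0.2.0/24"     # constructed: hosts allowed to ssh to the firewall
dns_primary = "198.51.100.53"  # constructed: primary name server this box is secondary for

set skip on lo0
set block-policy drop

# Default deny for the firewall itself. Nothing is forwarded at this point
# anyway, because net.inet.ip.forwarding is still 0 until rc.local sets it.
block log all

# The one service the post allows: ssh from the management network.
pass in on $int_if proto tcp from $admin_net to ($int_if) port ssh

# Let the secondary DNS keep its zone fresh: zone transfers and queries to the
# primary, and NOTIFY messages coming back from it.
pass out on $ext_if proto { tcp udp } from ($ext_if) to $dns_primary port domain
pass in  on $ext_if proto { tcp udp } from $dns_primary to ($ext_if) port domain
```

With this in place the rc.local fragment from the post only needs `pfctl -f /etc/pf.conf.local` (no `-e`, since pf is already enabled) before the forwarding sysctl; a failed load then leaves the fallback rules active rather than an unfiltered host.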