PDA

View Full Version : PF flags at boot time

Seeker
August 7th, 2009, 15:14
pf_enable="YES"
#Remove each blacklisted IP after 24 hours
pf_flags="-t ssh_bruteforcers -T expire 86400"
pflog_enable="YES"
in /etc/rc.conf
results in:
Enabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
usage: pfctl [-AdeghmNnOqRrvz]
[-a anchor] [-D macro=value] [-F modifier]
[-f file] [-i interface] [-K host | network]
[-k host | network ]
[-o [level]] [-p device] [-s modifier ]
[-t table -T command [address ...]] [-x level]
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
at the boot time, with NO rules loaded from: /etc/pf.conf
and NO logging occurs.

What am I doing wrong with pf_flags??
Now they are commented out and all is well.
DutchDaemon
August 7th, 2009, 15:32
I guess those pf_flags take a limited set of flags, having to do with what to load (like: only the NAT rules) or what device to use (like the -p flag). The tables may not even be initialised by that time.

If you want to run that pfctl command at boot-time, put it in root's crontab at the '@reboot' time.
Seeker
August 7th, 2009, 16:29
I guess those pf_flags take a limited set of flags, having to do with what to load (like: only the NAT rules) or what device to use (like the -p flag). The tables may not even be initialised by that time.
pf_flags (str) If pf_enable is set to ``YES'', these flags are passed
to the pfctl(8) program when loading the ruleset.
This indicates that all fags, mentioned in man page, for pfctl command can be passed to it.

But why I couldn't then find, a special alert and list of allowed flags for pf_flags in rc.conf??

That is a very strange!
Do you know where is that list? Link?

If you want to run that pfctl command at boot-time, put it in root's crontab at the '@reboot' time.

That shall be last solution if pf_flags fail.
DutchDaemon
August 7th, 2009, 16:41
If you look in the actual start-up file for pf (/etc/rc.d/pf) you will see that only a select set of flags is actually valid on the command line:

pf_program -f "$pf_rules" $pf_flags
which usually translates to
/sbin/pfctl -f /etc/pf.conf -otherflags

The -t flag is totally out of place there, so it throws an error.

In other words: only flags that make sense when loading the ruleset together with the -f flag (like -d, probably) are honoured here.

I admit that the description in /etc/defaults/rc.conf leaves a lot to be desired.
Seeker
August 7th, 2009, 18:27
Thanks for an explanation. ;)
I'll go for a cron's @reboot feature.

I admit that the description in /etc/defaults/rc.conf leaves a lot to be desired.

Well this is a security related software that is integrated in FB.
So this flaw can not be tolerated, as it can for ports, etc.

My firewall was down because of this for 18 hours.

Now I have a fun, breaking my head, is my system compromised or not. :P