pf_enable="NO" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
pflog_enable="NO" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
pflog_flags="" # additional flags for pflogd
You can run service -e to see a list of enabled services in the order that they will be started.
Just as a side note, the pf script specifies this -
Code:
# REQUIRE: FILESYSTEMS netif pflog pfsync
# BEFORE: routing
Interestingly, it specifies to start before routing services, so it should be running before your system actually has a working route to the Internet.
$ service -e
/etc/rc.d/hostid
/etc/rc.d/hostid_save
/etc/rc.d/cleanvar
/etc/rc.d/ip6addrctl
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/newsyslog
/etc/rc.d/syslogd
/usr/local/etc/rc.d/microcode_update
/etc/rc.d/savecore
/etc/rc.d/dmesg
/etc/rc.d/virecover
/etc/rc.d/motd
/etc/rc.d/ntpd
/etc/rc.d/powerd
/etc/rc.d/rctl
/usr/local/etc/rc.d/dbus
/usr/local/etc/rc.d/hald
/usr/local/etc/rc.d/avahi-daemon
/etc/rc.d/sendmail
/etc/rc.d/cron
/etc/rc.d/mixer
/etc/rc.d/gptboot
/etc/rc.d/bgfsck
$
No, the rc.conf file sets variables and is included by the startup scripts. The order in which the variables are set does not affect the order in which services are started.
Thanks @Trihexagonal, I set these configurations in my rc.conf and the firewall enabled successfully!

bledyzer, this is what I have for my pf configuration in /etc/rc.conf:
Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

bledyzer
You need to tell it where to look for the /etc/pf.conf ruleset you made, which can be as simple as:
Code:
block in all
pass out all keep state
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
### Pass loopback ("set" options must come before scrub and filter rules, or pfctl rejects the file)
set skip on lo0
### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
### Default deny everything
block log all
### Block spoofs
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
### Block all IPv6
block in quick inet6 all
block out quick inet6 all
### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp
### Keep and modulate state of outbound tcp, udp and icmp traffic (modulate state only applies to tcp; udp and icmp just keep state)
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
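pf.conf(5) requires statement groups to appear in the order options, normalization, queueing, translation, filtering (macros and tables may go anywhere), and pfctl refuses to load a file that breaks it, so a misplaced "set skip" line silently leaves the old ruleset (or no ruleset) active. The following check is an added example, not code from the thread or from pf; it scans a pf.conf text for ordering violations before you hand it to pfctl -nf. Sample rulesets are constructed inline.

```python
import re
from typing import List, Optional

# Statement groups in the order pf.conf(5) says the parser enforces on FreeBSD.
# Macros and tables may appear anywhere, so they are not ranked.
ORDER = ["options", "normalization", "queueing", "translation", "filtering"]

def classify(line: str) -> Optional[str]:
    """Return the statement group of one pf.conf line, or None if it is unranked."""
    stmt = line.split("#", 1)[0].strip()      # drop comments
    if not stmt or re.match(r"^[A-Za-z_]\w*\s*=", stmt):
        return None                           # blank line or macro definition
    word = stmt.split()[0]
    if word == "set":
        return "options"
    if word == "scrub":
        return "normalization"
    if word in ("altq", "queue"):
        return "queueing"
    if word in ("nat", "rdr", "binat"):
        return "translation"
    if word in ("block", "pass", "antispoof", "anchor"):
        return "filtering"
    return None                               # table, include, load anchor, ...

def check_order(conf: str) -> List[str]:
    """Report every line whose group comes earlier than a group already seen."""
    errors, highest = [], -1
    for n, line in enumerate(conf.splitlines(), 1):
        group = classify(line)
        if group is None:
            continue
        rank = ORDER.index(group)
        if rank < highest:
            errors.append(f"line {n}: {group} statement after {ORDER[highest]}: {line.strip()}")
        highest = max(highest, rank)
    return errors

# Constructed sample: a trimmed ruleset with "set skip" placed after scrub and
# block, the kind of file pfctl -nf rejects with "Rules must be in order".
BROKEN = """\
ext_if = "em0"
scrub in on $ext_if all fragment reassemble
block log all
set skip on lo0
antispoof for $ext_if inet
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
"""
# Same ruleset with the option moved up to where the parser expects it.
FIXED = BROKEN.replace("set skip on lo0\n", "").replace('ext_if = "em0"\n', 'ext_if = "em0"\nset skip on lo0\n')
```

check_order(BROKEN) returns one entry naming line 4, while check_order(FIXED) returns an empty list.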