I've tried every solution I could find on the forums and elsewhere, but I can't seem to get my firewall rules to load properly at boot. What's scary is that I just noticed this. It's somehow related to the way the interfaces come up. For example, I have FreeBSD 12.1 running on Vultr and pf is running, but the rules aren't loaded on the interface. Notice the difference in the output of service pf status before and after a reload following a reboot:
Before
Code:
Status: Enabled for 0 days 00:00:31           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                             182            5.9/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                182            5.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
After
Code:
Status: Enabled for 0 days 00:00:54           Debug: Urgent

Interface Stats for vtnet0            IPv4             IPv6
  Bytes In                           24582              528
  Bytes Out                          38663              528
  Packets In
    Passed                             266                6
    Blocked                              1                0
  Packets Out
    Passed                             311                7
    Blocked                              7                0

State Table                          Total             Rate
  current entries                        1
  searches                             598           11.1/s
  inserts                                1            0.0/s
  removals                               0            0.0/s
Counters
  match                                469            8.7/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
This is just a simple web server with nothing complicated going on. In fact, it's pretty bare at this time. I've looked at these posts:
Solved - openvpn and pf at startup
Hi all, In my /etc/rc.conf I launch several instances of security/openvpn at startup. For some reason, a vpn session can then be initiated by a client, but no traffic is passed through until I manually reload the PF rule set by running pfctl -vf /etc/pf.conf. Just a wild guess, but I am...
forums.freebsd.org
PF - PF doesn't load at startup time in FreeBSD 10.1
Hi, I have a problem with my PF it seems after all verification made with pfctl -vnf /etc/pf.conf NOT with the rulesets but number of tables and the size of it. Can be adjusted this situation? I can't control the size of tables for zones because are country based IP net blocks. So first I...
forums.freebsd.org
PF - Why my pf would not load on boot
Total head-smacker, but for posterity (and for the next poor sap googling "pf won't start at boot") Do not use hostnames in your pf.conf or any tables loaded by your configuration. While it is not invalid, and will work just fine with a pfctl -nf /etc/pf.conf check of the syntax or a pfctl -f...
forums.freebsd.org
I don't have domain names being resolved in my pf.conf. Here are my rc.conf and pf.conf files (with IP addresses removed):
rc.conf:
Code:
hostname="example.com"
sshd_enable="YES"
ntpd_enable="YES"
static_routes="linklocal"
ifconfig_vtnet0="DHCP"
ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
rtsold_flags="-aF"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
# Caddy webserver
caddy_enable="YES"
caddy_cert_email="admin@example.com"
caddy_config_path="/usr/local/etc/caddy/Caddyfile"
caddy_options="-disable-tls-alpn-challenge"
pf.conf:
Code:
## External interface
## Set and drop these IP ranges on public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
## Set http(80)/https (443) port here ##
webports = "{http, https}"
## enable these services ##
int_tcp_services = "{domain, ntp, www, https, ssh}"
int_udp_services = "{domain, ntp}"
## Skip loop back interface - Skip all PF processing on interface ##
set skip on lo
## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface vtnet0
# Deal with attacks based on incorrect handling of packet fragments
scrub in all
## Set default policy ##
block return in log all
block out all
# Drop all Non-Routable Addresses
block drop in quick on vtnet0 from $martians to any
block drop out quick on vtnet0 from any to $martians
# spoofing protection on all interfaces
block in quick from urpf-failed
## Blocking spoofed packets
antispoof quick for vtnet0
antispoof quick for vtnet0 inet6
# ICMPv6 traffic
pass in quick proto icmp6 all
## Use the following rule to enable ssh for ALL users from any IP address #
pass in inet proto tcp to vtnet0 port ssh
# Allow ping
pass inet proto icmp icmp-type echoreq
# Allow access to webserver
pass proto tcp from any to vtnet0 port $webports
# Allow essential outgoing traffic
pass out quick on vtnet0 proto tcp to any port $int_tcp_services
pass out quick on vtnet0 proto udp to any port $int_udp_services
### IPv6
pass out on vtnet0 inet6 proto icmp6 all icmp6-type echoreq keep state
# ND solicitation out
pass out on vtnet0 inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND advertisement in
pass in on vtnet0 inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# Router advertisement out
pass out on vtnet0 inet6 proto icmp6 all icmp6-type routeradv
# Router solicitation in
pass in on vtnet0 inet6 proto icmp6 all icmp6-type routersol
# Allow Ping pong in
pass in on vtnet0 inet6 proto icmp6 all icmp6-type echoreq
What's keeping PF firewall rules from being properly applied to my interface at boot time? I also tried modifying my rules to not include vtnet0 anywhere and that didn't seem to work either. Seriously considering trying IPFW if there isn't a solution to this.
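One thing worth checking on a ruleset written like the one above, offered here as an added note rather than as part of the original post: pf.conf(5) says that a bare interface name used as an address (as in "to vtnet0") is expanded to that interface's addresses at the moment the ruleset is loaded, whereas "(vtnet0)" in parentheses makes pf follow the interface's address as it changes. "on vtnet0", "for vtnet0" and "set loginterface vtnet0" name the interface itself and are not affected. If pf loads its rules before dhclient has given vtnet0 an address, pfctl cannot expand such a rule and rejects the whole file ("no IP address found for vtnet0"), which is the kind of failure a pfctl -nf check run later, once the address is up, would never show. The script below is my own example (not the poster's code and not from the FreeBSD project): it scans a pf.conf for address-position interface references and emits a copy with them rewritten in the dynamic "(iface)" form. The interface name and the sample ruleset it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Finds pf.conf rules that put a
# bare interface name in an address position ("to vtnet0", "from vtnet0").
# Per pf.conf(5), such a name is expanded to the interface's addresses when
# the ruleset is loaded; writing it as "(vtnet0)" makes pf follow address
# changes instead. "on vtnet0", "for vtnet0" and "set loginterface vtnet0"
# refer to the interface itself and are left alone. The interface name
# and the sample ruleset below are constructed for the demonstration.

# Print "lineno: rule" for each uncommented line of $1 that uses $2 as an
# address after "to" or "from" without parentheses.
pf_static_iface_refs() {
    awk -v ifc="$2" '
        /^[[:space:]]*#/ { next }
        {
            for (i = 1; i < NF; i++)
                if (($i == "to" || $i == "from") && $(i + 1) == ifc) {
                    print NR ": " $0
                    break
                }
        }' "$1"
}

# Write a copy of $1 to stdout with every such reference to $2 rewritten as
# "($2)". Only the address token changes; "on $2" and "for $2" are untouched.
pf_dynamicize() {
    awk -v ifc="$2" '
        /^[[:space:]]*#/ { print; next }
        {
            for (i = 1; i < NF; i++)
                if (($i == "to" || $i == "from") && $(i + 1) == ifc)
                    $(i + 1) = "(" ifc ")"
            print
        }' "$1"
}

# Constructed sample: the same idioms as the rules in the post above.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
set loginterface vtnet0
block return in log all
antispoof quick for vtnet0
# ssh, using the interface name as the destination address
pass in inet proto tcp to vtnet0 port ssh
pass proto tcp from any to vtnet0 port { http, https }
pass out quick on vtnet0 proto tcp to any port { domain, ntp }
EOF

IFACE="${1:-vtnet0}"
echo "Rules that resolve $IFACE to an address when the ruleset is loaded:"
pf_static_iface_refs "$SAMPLE" "$IFACE"
echo
echo "Same ruleset with those references tracking the interface address:"
pf_dynamicize "$SAMPLE" "$IFACE"
```

To use it against a real file, run pf_static_iface_refs /etc/pf.conf vtnet0 and check the output of pf_dynamicize with pfctl -nf before installing it. Two related things to look at on the host itself, both documented in the FreeBSD manual pages: ifconfig_vtnet0="SYNCDHCP" in rc.conf(5) makes the DHCP lease be acquired synchronously before later rc scripts run, and running pfctl -nf /etc/pf.conf while the interface has no IPv4 address reproduces any load-time expansion error that a check made after the address is up will not show.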