PF: Does it make sense to enable the PF firewall at the beginning of rc.conf?

Hi Partners!

I started using the pf firewall on my FreeBSD desktop, and my question is about the services in the /etc/rc.conf file. Do the services start in sequence? Therefore, does it make sense, for security purposes, to set pf_enable="YES" at the beginning of the file, before the other services on the system?

 
No, the rc.conf file sets variables and is included by the startup scripts. The order in which the variables are set does not affect the order in which services are started.
 
bledyzer, this is what I have for my pf configuration in /etc/rc.conf:

Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

You need to tell it where to look for the /etc/pf.conf ruleset you made, which can be as simple as:

Code:
block in all
pass out all keep state
 
You need to tell it where to look for the /etc/pf.conf ruleset

/etc/defaults/rc.conf
Code:
pf_enable="NO"                  # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_program="/sbin/pfctl"        # where the pfctl program lives
pf_flags=""                     # additional flags for pfctl
pflog_enable="NO"               # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_program="/sbin/pflogd"    # where the pflogd program lives
pflog_flags=""                  # additional flags for pflogd

Everything you have specified in your rc.conf is a default setting anyway (apart from enable). You don't need to set anything unless you want to change it, so you only need the enable lines.

As mentioned, the order in rc.conf is irrelevant. The scripts that start each service specify what other services they depend on, and the rc system works out the startup order from that. You can run service -e to see a list of enabled services in the order that they will be started.

Just as a side note, the pf script specifies this:
Code:
# REQUIRE: FILESYSTEMS netif pflog pfsync
# BEFORE:  routing

Interestingly, it specifies to start before routing services, so it should be running before your system actually has a working route to the Internet.
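To make the point above concrete, here is an added example (my own code, not from this thread and not FreeBSD's rcorder(8) or service(8)): a small re-implementation of the ordering rcorder performs over the "# PROVIDE / REQUIRE / BEFORE" headers of rc.d scripts, fed two constructed rc.conf files that differ only in where the pf lines sit. The rc.d headers are constructed and simplified for the demo (only pf's REQUIRE and BEFORE lines are taken from the post above), and ALWAYS_ON stands in for scripts that have no *_enable knob.

```python
"""rcorder(8)-style ordering over rc.d headers, to show why the position of
pf_enable in rc.conf does not matter.  Added example, not FreeBSD's code."""
import re
from collections import defaultdict

# Constructed, simplified rc.d headers (assumption: these are not the real FreeBSD
# scripts; only pf's REQUIRE/BEFORE lines are taken from the post above).
RC_SCRIPTS = {
    "FILESYSTEMS": "# PROVIDE: FILESYSTEMS",
    "netif":   "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS",
    "pflog":   "# PROVIDE: pflog\n# REQUIRE: FILESYSTEMS netif",
    "pfsync":  "# PROVIDE: pfsync\n# REQUIRE: FILESYSTEMS netif",
    "pf":      "# PROVIDE: pf\n# REQUIRE: FILESYSTEMS netif pflog pfsync\n# BEFORE:  routing",
    "routing": "# PROVIDE: routing\n# REQUIRE: netif",
    "ntpd":    "# PROVIDE: ntpd\n# REQUIRE: routing",
    "sshd":    "# PROVIDE: sshd\n# REQUIRE: routing",
}
# Scripts in this toy model that run without an rc.conf *_enable knob (assumption).
ALWAYS_ON = {"FILESYSTEMS", "netif", "routing"}

# Two constructed rc.conf files: same settings, opposite order of the pf lines.
RC_CONF_PF_FIRST = 'pf_enable="YES"\npflog_enable="YES"\nsshd_enable="YES"\nntpd_enable="YES"\n'
RC_CONF_PF_LAST = 'ntpd_enable="YES"\nsshd_enable="YES"\npflog_enable="YES"\npf_enable="YES"\n'

HEADER_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)
ENABLE_RE = re.compile(r'^\s*(\w+)_enable\s*=\s*"?(YES|NO)"?', re.M | re.I)

def parse_headers(text):
    """Collect PROVIDE/REQUIRE/BEFORE names from an rc.d script's comment header."""
    out = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, values in HEADER_RE.findall(text):
        out[key].extend(values.split())
    return out

def parse_rc_conf(text):
    """Names with <name>_enable="YES", in file order (the order is never used)."""
    return [m.group(1) for m in ENABLE_RE.finditer(text) if m.group(2).upper() == "YES"]

def startup_order(scripts):
    """Order all scripts so that REQUIREd scripts come first and BEFORE targets
    come later; ties are broken alphabetically so the result is deterministic."""
    provides = {}                      # provided name -> script that provides it
    for name, text in scripts.items():
        for p in parse_headers(text)["PROVIDE"]:
            provides[p] = name
    deps = defaultdict(set)            # script -> scripts that must run earlier
    for name, text in scripts.items():
        h = parse_headers(text)
        deps[name] |= {provides[r] for r in h["REQUIRE"] if r in provides}
        for b in h["BEFORE"]:
            if b in provides:
                deps[provides[b]].add(name)
    order, remaining = [], set(scripts)
    while remaining:
        ready = sorted(n for n in remaining if deps[n] <= set(order))
        if not ready:
            raise ValueError("dependency cycle among %s" % sorted(remaining))
        order.append(ready[0])
        remaining.remove(ready[0])
    return order

def enabled_startup_order(rc_conf_text, scripts=RC_SCRIPTS):
    """What 'service -e' reports: enabled scripts in dependency order."""
    enabled = set(parse_rc_conf(rc_conf_text)) | ALWAYS_ON
    return [s for s in startup_order(scripts) if s in enabled]

if __name__ == "__main__":
    for label, conf in (("pf first", RC_CONF_PF_FIRST), ("pf last", RC_CONF_PF_LAST)):
        print(label, "->", " ".join(enabled_startup_order(conf)))
```

Both rc.conf variants produce the same list, with pf after netif and pflog and before routing, because the order is derived entirely from the script headers; the disabled pfsync script still takes part in the ordering and is only dropped from the "service -e" style output.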
 
You can run service -e to see a list of enabled services in the order that they will be started.

Just as a side note, the pf script specifies this:
Code:
# REQUIRE: FILESYSTEMS netif pflog pfsync
# BEFORE:  routing

Interestingly, it specifies to start before routing services, so it should be running before your system actually has a working route to the Internet.

It looks like Internet service is started before pf on mine:

Code:
$ service -e
/etc/rc.d/hostid
/etc/rc.d/hostid_save
/etc/rc.d/cleanvar
/etc/rc.d/ip6addrctl
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/newsyslog
/etc/rc.d/syslogd
/usr/local/etc/rc.d/microcode_update
/etc/rc.d/savecore
/etc/rc.d/dmesg
/etc/rc.d/virecover
/etc/rc.d/motd
/etc/rc.d/ntpd
/etc/rc.d/powerd
/etc/rc.d/rctl
/usr/local/etc/rc.d/dbus
/usr/local/etc/rc.d/hald
/usr/local/etc/rc.d/avahi-daemon
/etc/rc.d/sendmail
/etc/rc.d/cron
/etc/rc.d/mixer
/etc/rc.d/gptboot
/etc/rc.d/bgfsck
$
 
bledyzer, this is what I have for my pf configuration in /etc/rc.conf:

Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
Thanks @Trihexagonal, I set these configurations in my rc.conf and the firewall enabled successfully!

bledyzer
You need to tell it where to look for the /etc/pf.conf ruleset you made, which can be as simple as:

Code:
block in all
pass out all keep state

OK, I'm testing some basic rules at the moment to understand PF's features. What exactly do these rules do?
 
That is a basic pf ruleset that only allows inbound traffic if it is in response to outbound. Stateful Packet Inspection, or SPI, plays that role. If you don't have a need for specific rules, that ruleset will work; on my desktops it stays in place for as long as it takes to install my own, even if it takes days. People might find some of my rules excessive or not needed, but it makes me happy. I know ports can be listed as 512-515; it's more orderly to me like it is. Here's mine as an example you can reference:

Code:
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
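As an added illustration of the two points made in this post (only inbound traffic that answers an outbound connection gets in, and "quick" rules stop evaluation while otherwise the last matching rule wins), here is a toy model of pf's evaluation written for this thread; it is my own code, not pf and not anything the poster wrote. It parses only the subset of pf.conf syntax used by the two rulesets above (macros, block/pass, in/out, quick, on, proto, from/to with "{ }" lists and CIDR networks, port lists including "port = 0", keep/modulate state), ignores interfaces, treats "modulate state" like "keep state", and does not model scrub, antispoof, set skip or the no-route/urpf-failed keywords. The packets and addresses are constructed.

```python
"""Toy model of pf's stateful filtering: state table first, then last-matching
rule wins unless 'quick'.  Added example, not code from the thread or from pf."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int       # 0 for icmp
    dst: str
    dport: int

@dataclass
class Rule:
    action: str                      # "block" or "pass"
    direction: Optional[str] = None  # None matches both directions
    quick: bool = False
    protos: Optional[set] = None     # None matches any protocol
    src: Optional[list] = None       # list of ip_network, None means "any"
    sports: Optional[set] = None
    dst: Optional[list] = None
    dports: Optional[set] = None
    state: bool = False              # keep state / modulate state
    text: str = ""                   # rule text after macro expansion

def _expand(toks, i):
    """Read one value or a '{ a, b }' list at toks[i]; return (values, next index)."""
    if toks[i] == "{":
        j = toks.index("}", i)
        return [t for t in toks[i + 1:j] if t != ","], j + 1
    return [toks[i]], i + 1

def parse_rule(line, macros):
    """Parse the subset of pf.conf syntax used by the rulesets in the thread."""
    for name, value in macros.items():
        line = line.replace("$" + name, value)
    toks = line.replace("{", " { ").replace("}", " } ").replace(",", " , ").split()
    r, i = Rule(action=toks[0], text=line), 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r.direction, i = t, i + 1
        elif t == "quick":
            r.quick, i = True, i + 1
        elif t in ("log", "all"):
            i += 1
        elif t == "on":                       # interface is not modelled here
            i += 2
        elif t == "proto":
            vals, i = _expand(toks, i + 1)
            r.protos = set(vals)
        elif t in ("from", "to"):
            vals, i = _expand(toks, i + 1)
            nets = None if vals == ["any"] else [ipaddress.ip_network(v, strict=False) for v in vals]
            ports = None
            if i < len(toks) and toks[i] == "port":
                j = i + 2 if toks[i + 1] == "=" else i + 1   # accepts 'port = 0'
                vals, i = _expand(toks, j)
                ports = {int(v) for v in vals}
            if t == "from":
                r.src, r.sports = nets, ports
            else:
                r.dst, r.dports = nets, ports
        elif t in ("keep", "modulate"):       # 'keep state' / 'modulate state'
            r.state, i = True, i + 2
        else:
            raise ValueError("unsupported token %r in %r" % (t, line))
    return r

class Firewall:
    MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')

    def __init__(self, conf):
        self.rules, macros = [], {}
        for line in conf.splitlines():
            line = line.strip()
            m = self.MACRO_RE.match(line)
            if m:
                macros[m.group(1)] = m.group(2)
            elif line and not line.startswith("#"):
                self.rules.append(parse_rule(line, macros))
        self.states = set()   # (proto, src, sport, dst, dport) of passed stateful flows

    @staticmethod
    def _matches(r, p):
        s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return (r.direction in (None, p.direction)
                and (r.protos is None or p.proto in r.protos)
                and (r.src is None or any(s in n for n in r.src))
                and (r.sports is None or p.sport in r.sports)
                and (r.dst is None or any(d in n for n in r.dst))
                and (r.dports is None or p.dport in r.dports))

    def filter(self, p):
        """Return (verdict, reason) for one packet and update the state table."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.states or reverse in self.states:
            return "pass", "state"             # existing state: rules are not consulted
        verdict, winner = "pass", None         # pf passes by default when nothing matches
        for r in self.rules:
            if self._matches(r, p):
                verdict, winner = r.action, r  # last matching rule wins ...
                if r.quick:
                    break                      # ... unless it is marked quick
        if verdict == "pass" and winner is not None and winner.state:
            self.states.add(key)
        return verdict, winner.text if winner else "default"

BASIC_RULESET = "block in all\npass out all keep state\n"

# Subset of the longer ruleset above; the addresses in PACKETS are constructed.
EXT_RULESET = """
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
block log all
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
"""

PACKETS = [
    Packet("out", "tcp", "192.0.2.10", 51515, "198.51.100.80", 443),  # we open a connection
    Packet("in", "tcp", "198.51.100.80", 443, "192.0.2.10", 51515),   # its reply
    Packet("in", "tcp", "203.0.113.5", 40000, "192.0.2.10", 22),      # unsolicited ssh probe
    Packet("in", "tcp", "10.1.2.3", 40000, "192.0.2.10", 8080),       # private source on ext_if
    Packet("in", "udp", "203.0.113.5", 40000, "192.0.2.10", 8080),    # unsolicited udp
    Packet("out", "icmp", "192.0.2.10", 0, "198.51.100.1", 0),        # outbound ping
]

def run(conf, packets):
    """Feed the packets through a fresh firewall in order; return (verdict, reason) list."""
    fw = Firewall(conf)
    return [fw.filter(p) for p in packets]

if __name__ == "__main__":
    for name, conf in (("basic", BASIC_RULESET), ("extended", EXT_RULESET)):
        for p, (v, why) in zip(PACKETS, run(conf, PACKETS)):
            print(f"{name:8} {p.direction:3} {p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {v:5} ({why})")
```

Both rulesets give the same verdicts for these six packets: the reply passes only because the outbound connection created a state entry, and every unsolicited inbound packet is blocked. The reason column shows the difference in how they get there: the two-line ruleset blocks everything inbound with its first rule, while the longer one blocks the ssh probe and the private-source packet at a "quick" rule and only falls back to "block log all" for the rest.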
 