PF flags at boot time

Code:
pf_enable="YES"
#Remove each blacklisted IP after 24 hours
pf_flags="-t ssh_bruteforcers -T expire 86400"
pflog_enable="YES"
in /etc/rc.conf
results in:
Code:
Enabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
usage: pfctl [-AdeghmNnOqRrvz]
        [-a anchor] [-D macro=value] [-F modifier]
        [-f file] [-i interface] [-K host | network]
        [-k host | network ]
        [-o [level]] [-p device] [-s modifier ]
        [-t table -T command [address ...]] [-x level]
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
at boot time, with NO rules loaded from /etc/pf.conf,
and NO logging occurs.

What am I doing wrong with pf_flags??
Now they are commented out and all is well.
 
I guess those pf_flags take a limited set of flags, having to do with what to load (like: only the NAT rules) or what device to use (like the -p flag). The tables may not even be initialised by that time.

If you want to run that pfctl command at boot-time, put it in root's crontab at the '@reboot' time.
 
DutchDaemon said:
I guess those pf_flags take a limited set of flags, having to do with what to load (like: only the NAT rules) or what device to use (like the -p flag). The tables may not even be initialised by that time.
Code:
pf_flags	 (str) If pf_enable is set to ``YES'', these flags are passed
		 to the pfctl(8) program when loading the ruleset.
This indicates that all flags mentioned in the man page for the pfctl command can be passed to it.

But why couldn't I then find a special alert and a list of allowed flags for pf_flags in rc.conf??

That is very strange!
Do you know where that list is? Link?

DutchDaemon said:
If you want to run that pfctl command at boot-time, put it in root's crontab at the '@reboot' time.

That shall be the last solution if pf_flags fail.
 
If you look in the actual start-up file for pf (/etc/rc.d/pf) you will see that only a select set of flags is actually valid on the command line:

pf_program -f "$pf_rules" $pf_flags
which usually translates to
/sbin/pfctl -f /etc/pf.conf -otherflags

The -t flag is totally out of place there, so it throws an error.

In other words: only flags that make sense when loading the ruleset together with the -f flag (like -d, probably) are honoured here.

I admit that the description in /etc/defaults/rc.conf leaves a lot to be desired.
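An added example, not from this thread or from FreeBSD's own rc.d scripts: it mirrors how /etc/rc.d/pf composes its pfctl command line from pf_flags, flags the table options that cannot ride along with that single -f load, and builds the separate cron entry to use instead. /sbin/pfctl, /etc/pf.conf and the 5-minute interval are assumptions; the caveat encoded in the comments is that -T expire is a one-shot prune, so a bare @reboot run prunes only once.

```shell
#!/bin/sh
# Constructed demonstration: why "-t ... -T expire" in pf_flags breaks the
# boot-time ruleset load, and a cron-driven expiry that does the job instead.
# Assumed paths: /sbin/pfctl and /etc/pf.conf (FreeBSD defaults).

PFCTL=${PFCTL:-/sbin/pfctl}

# Mirror of the /etc/rc.d/pf invocation:  pf_program -f "$pf_rules" $pf_flags
# Whatever pf_flags holds is appended to ONE command line behind "-f <rules>".
pf_start_cmd() {
    if [ -n "$2" ]; then
        printf '%s -f %s %s\n' "$PFCTL" "$1" "$2"
    else
        printf '%s -f %s\n' "$PFCTL" "$1"
    fi
}

# Return 1 if pf_flags carries an option that is a separate pfctl operation
# (a table command, or a second ruleset file) and so cannot share the -f load.
check_pf_flags() {
    for opt in $1; do
        case $opt in
            -t|-T|-f)
                echo "pf_flags: '$opt' does not belong on the boot-time ruleset load" >&2
                return 1 ;;
        esac
    done
    return 0
}

# The stand-alone command that prunes a table.  -T expire is a one-shot
# prune of entries older than <seconds>: at @reboot only it prunes once,
# so a periodic cron entry is what keeps the table trimmed.
expire_cmd() {
    printf '%s -t %s -T expire %s\n' "$PFCTL" "$1" "$2"
}

# Root crontab line; the 5-minute interval is an assumption.
expire_cron_line() {
    printf '*/5 * * * * %s\n' "$(expire_cmd "$1" "$2")"
}

# Demonstration with the values from the thread (run with argument "demo").
if [ "${1:-}" = "demo" ]; then
    flags='-t ssh_bruteforcers -T expire 86400'
    pf_start_cmd /etc/pf.conf "$flags"          # the line rc.d actually runs
    check_pf_flags "$flags" || expire_cron_line ssh_bruteforcers 86400
fi
```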
 
Thanks for the explanation. ;)
I'll go for cron's @reboot feature.

DutchDaemon said:
I admit that the description in /etc/defaults/rc.conf leaves a lot to be desired.

Well, this is security-related software that is integrated in FB.
So this flaw cannot be tolerated, as it can for ports, etc.

My firewall was down because of this for 18 hours.

Now I have fun breaking my head over whether my system is compromised or not. :p
 