Hello there,
I tried searching the forum for similar discussions, but they didn't lead me to a solution.
At home I have a FreeBSD server that acts as a router for the local network:
At boot time the PF service is correctly enabled, but the PF rules are not loaded automatically, so I am forced to load them manually:
After I manually load the rules:
I cannot find any information in the system logs as to why the rules are not properly loaded during the boot process.
Below is my /etc/rc.conf:
I have tried configuring /etc/rc.local to work around the problem by reloading the rules, either with the `service` command or with `pfctl`:
but the command on boot fails:
I don't think there is anything in the rules configuration that would prevent reloading during the boot process; in any case, below is the rules file (any suggestions on it are welcome):
Thanks in advance for the support
I tried searching the forum for similar discussions, but they didn't lead me to a solution.
At home I have a FreeBSD server that acts as a router for the local network:
Code:
[root@firewall ~]# uname -sr
FreeBSD 13.2-RELEASE-p2
[root@firewall ~]#
At boot time the PF service is correctly enabled, but the PF rules are not loaded automatically, so I am forced to load them manually:
Code:
[root@firewall ~]# pfctl -sr
[root@firewall ~]#
After I manually load the rules:
Code:
[root@firewall ~]# pfctl -sr
scrub in all fragment reassemble
anchor "miniupnpd" all
block drop in quick on em0 from <badhosts> to any
block drop all
pass in inet from 172.16.0.0/16 to any flags S/SA keep state (if-bound)
pass out on em0 all flags S/SA keep state (if-bound)
pass inet proto icmp from 172.16.0.0/16 to any keep state (if-bound)
pass quick inet proto icmp all icmp-type echoreq keep state (if-bound)
pass quick proto tcp from any to any port = ssh flags S/SA keep state (if-bound)
pass quick proto tcp from any to any port = auth flags S/SA keep state (if-bound)
pass quick proto tcp from any to any port = 25522 flags S/SA keep state (if-bound)
pass quick proto tcp from any to any port = 51413 flags S/SA keep state (if-bound)
pass quick proto tcp from any to any port = 55522 flags S/SA keep state (if-bound)
pass quick proto tcp from any to any port = 65522 flags S/SA keep state (if-bound)
pass quick proto tcp from any to any port = domain flags S/SA keep state (if-bound)
pass quick proto udp from any to any port = domain keep state (if-bound)
pass quick proto udp from any to any port = 51413 keep state (if-bound)
pass quick proto udp from any to any port = bootps keep state (if-bound)
pass quick proto udp from any to any port = ssdp keep state (if-bound)
[root@firewall ~]#
I cannot find any information in the system logs as to why the rules are not properly loaded during the boot process.
Below is my /etc/rc.conf:
Code:
[root@firewall ~]# cat /etc/rc.conf
# /etc/rc.conf is sourced by /bin/sh at boot; each variable enables or
# configures one rc.d service or one piece of network setup.
clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="firewall.xxx.tld"
# em0 is the upstream/Internet-facing side (pf.conf ext_if), em1 the LAN side
# (pf.conf int_if); the LAN prefix is /16, matching int_net in pf.conf.
ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_em1="inet 172.16.1.1 netmask 255.255.0.0"
defaultrouter="192.168.1.254"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
# netwait: hold the boot until em0 reports link and 1.1.1.1 is reachable,
# waiting at most 60 s for each condition.
netwait_enable="YES"
netwait_ip="1.1.1.1"
netwait_timeout="60"
netwait_if="em0"
netwait_if_timeout="60"
# Turn on IPv4 forwarding so the box routes between em1 and em0.
gateway_enable="YES"
coretemp_load="YES"
dnsmasq_enable="YES"
oidentd_enable="YES"
ddclient_enable="YES"
# syslog-ng replaces the base syslogd, so the latter is explicitly disabled.
syslog_ng_enable="YES"
syslogd_enable="NO"
miniupnpd_enable="YES"
# pf: at boot rc.d/pf runs pf_program -f pf_rules. There is no pflog_enable
# here and the ruleset uses no "log" keyword, so dropped traffic leaves no
# trace; enable pflog if an audit trail of blocked packets is wanted.
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
[root@firewall ~]#
I have tried configuring /etc/rc.local to work around the problem by reloading the rules, either with the `service` command or with `pfctl`:
Code:
[root@firewall ~]# cat /etc/rc.local
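# /etc/rc.local — executed late in the boot sequence, after the rc.d services.
# Workaround: reload the pf ruleset in case rc.d/pf did not, and record the
# outcome so the cause can be read back after boot.
#
# pfctl's own output (stdout and stderr) is appended to the log together with
# its exit status: the status alone ("Command not run") says nothing about
# *why* the load failed (syntax error, unknown interface, unreadable table
# file, ...), which is exactly what is needed to diagnose a boot-time failure.

# NOTE: a fixed file name in world-writable /tmp, written as root, can be
# pre-created or replaced by a symlink by any local user; a path under
# /var/log is safer. Kept as /tmp/rc-local-debug so the existing workflow
# (cat /tmp/rc-local-debug after boot) is unchanged.
debug_log=/tmp/rc-local-debug

date > "$debug_log"
echo "Trying to restart PF rules" >> "$debug_log"

# Run pfctl with its output captured; record the exit status without letting
# a failure abort the rest of rc.local.
rc=0
/sbin/pfctl -f /etc/pf.conf >> "$debug_log" 2>&1 || rc=$?

if [ "$rc" -eq 0 ]; then
  echo "Command run successfully" >> "$debug_log"
else
  echo "Command not run" >> "$debug_log"
  echo "pfctl exit status: $rc" >> "$debug_log"
fi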
[root@firewall ~]#
but the command on boot fails:
Code:
[root@firewall ~]# cat /tmp/rc-local-debug
Mon Aug 21 10:30:41 CEST 2023
Trying to restart PF rules
Command not ran
I don't think there is anything in the rules configuration that would prevent reloading during the boot process; in any case, below is the rules file (any suggestions on it are welcome):
Code:
[root@firewall ~]# cat /etc/pf.conf
# Firewall rules
# Loaded at boot by rc.d/pf (pf_rules in rc.conf) and on demand with pfctl -f.
# pf walks the rules top to bottom and the *last* matching rule wins, unless a
# matching rule carries "quick", in which case evaluation stops there.
### Variables
### external interface
ext_if = "em0"
### internal interface
int_if = "em1"   # NOTE(review): defined but not referenced by any rule below
# Host bits are set in this prefix; pf normalises it to 172.16.0.0/16 (as
# shown by pfctl -sr), which matches the em1 netmask in rc.conf.
int_net = "172.16.1.0/16"
### static hosts
galileo = "172.16.1.10"
magellan = "172.16.1.14"
ps4 = "172.16.1.11"
accesspoint = "172.16.1.2"   # NOTE(review): defined but not referenced by any rule below
### Tables for large IPs
# "persist" keeps the table in the kernel across reloads. The file is read
# every time the ruleset is loaded; if it is missing or unreadable at that
# moment the whole pfctl -f fails — worth checking when a load fails at boot
# but succeeds later (review note, not confirmed from this post).
table <badhosts> persist file "/etc/pf.badhosts"
set debug urgent
set block-policy drop            # blocked packets are silently dropped, no RST/ICMP reply
set state-policy if-bound        # states are tied to the interface that created them ("(if-bound)" in pfctl -sr)
set fingerprints "/etc/pf.os"
set ruleset-optimization none
scrub in all
# NAT rule for outgoing connections (static-port is useful for game consoles like PS4/Xbox)
nat on $ext_if inet from $ps4 to any -> $ext_if static-port
nat on $ext_if inet from $int_net to any -> $ext_if
# redirect from outside port to internal server
# example:
# rdr on $ext_if proto tcp from any to any port 80 -> 172.16.1.10 port 80
# "rdr pass" both redirects and passes the packet, so these ports are reachable
# from the Internet regardless of the filter rules further down.
# Redirect rule for galileo (RPi2)
rdr pass on $ext_if proto tcp from any to $ext_if port 51413 -> $galileo port 51413
rdr pass on $ext_if proto udp from any to $ext_if port 51413 -> $galileo port 51413
rdr pass on $ext_if proto tcp from any to $ext_if port 65522 -> $galileo port 65522
# Redirect rule for magellan (RPi4)
rdr pass on $ext_if proto tcp from any to $ext_if port 55522 -> $magellan port 22
# enable UPnP (requires miniupnpd, game consoles needs this)
rdr-anchor "miniupnpd"
anchor "miniupnpd"
### $ext_if: block abusive hosts listed in the <badhosts> table
block drop in quick on $ext_if from <badhosts> to any
block all                        # default deny; everything below is an exception to it
# NOTE(review): not bound to an interface, so a packet arriving on $ext_if with
# a spoofed 172.16.0.0/16 source also matches. Binding it ("pass in on $int_if
# from $int_net") or adding "antispoof for $int_if" closes that gap.
pass in from $int_net
pass out on $ext_if all
pass inet proto icmp from $int_net # allow some ICMP for troubleshooting
pass quick inet proto icmp all icmp-type echoreq # always allow ping
# NOTE(review): the "from any to any" rules below carry no "on" clause, so they
# open these ports in both directions on every interface, including $ext_if
# (Internet side). Services meant only for the LAN — DNS (53), DHCP (67),
# identd (113), SSDP (1900) — should be restricted with "on $int_if" or
# "from $int_net"; 53 and 1900 reachable from the WAN are a known
# amplification/abuse exposure if dnsmasq or miniupnpd listen on em0.
pass quick proto tcp from any to any port 22 # always allow ssh
pass quick proto tcp from any to any port 113 # always allow identd
pass quick proto tcp from any to any port 25522 # always allow ssh
pass quick proto tcp from any to any port 51413 # always allow transmission-daemon
pass quick proto tcp from any to any port 55522 # always allow ssh
pass quick proto tcp from any to any port 65522 # always allow ssh
pass quick proto tcp from any to any port 53 # always allow dns
pass quick proto udp from any to any port 53 # always allow dns
pass quick proto udp from any to any port 51413 # always allow transmission-daemon
pass quick proto udp from any to any port 67 # always allow dhcp
pass quick proto udp from any to any port 1900 # always allow miniupnpd
[root@firewall ~]#
Thanks in advance for the support