rc.conf and pf.conf examples
This commit is contained in:
parent
5322785cc7
commit
456bcb8ec6
4 changed files with 156 additions and 0 deletions
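--- a/FreeBSD/boot/loader.conf
+++ b/FreeBSD/boot/loader.conf
@@ -0,0 +1,6 @@
+netgraph_load="YES"
+ng_ether_load="YES"
+ng_etf_load="YES"
+ng_vlan_load="YES"
+ng_eiface_load="YES"
+ng_one2many_load="YES"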
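--- a/FreeBSD/etc/pf.conf
+++ b/FreeBSD/etc/pf.conf
@@ -0,0 +1,60 @@
+wan = "ngeth0"
+lan = "xxx"
+
+#options
+set skip on lo0
+set block-policy drop
+set fingerprints "/etc/pf.os"
+set ruleset-optimization basic
+set optimization normal
+set limit { states 1624000, src-nodes 1624000, frags 5000, table-entries 400000 }
+
+
+#scrub
+scrub on $wan all random-id fragment reassemble
+scrub on $lan all random-id fragment reassemble
+
+
+#NAT
+nat on $wan inet from ($lan:network) to any -> ($wan)
+
+
+#Filter
+
+#default deny
+block drop in inet all label "Default deny rule IPv4"
+block drop out inet all label "Default deny rule IPv4"
+block drop in inet6 all label "Default deny rule IPv6"
+block drop out inet6 all label "Default deny rule IPv6"
+
+#allow dhcp/dhcpv6 client
+pass in quick on $wan proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
+pass out quick on $wan proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
+pass in quick on $wan inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass in quick on $wan proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass out quick on $wan proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
+
+#allow dhcp/dhcpv6 server
+pass in quick on $lan inet proto udp from any port = bootpc to { 255.255.255.255, ($lan), ($lan:broadcast) } port = bootps keep state label "allow access to DHCP server"
+pass out quick on $lan inet proto udp from ($lan) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
+pass quick on $lan inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass in quick on $lan inet6 proto udp from fe80::/10 to ($lan) port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass out quick on $lan inet6 proto udp from ($lan) port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
+
+#icmpv6
+pass quick inet6 proto ipv6-icmp all icmp6-type { unreach, toobig, neighbrsol, neighbradv } keep state
+pass out quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+
+#allow self
+pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
+pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
+
+#allow LAN
+pass in on $lan inet all flags S/SA keep state label "Default allow LAN to any rule"
+pass in on $lan inet6 all flags S/SA keep state label "Default allow LAN to any rule"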
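Review bot: `lan = "xxx"` on the second line is an unfilled placeholder, so every `$lan` rule in the file (scrub, the NAT source network, the DHCP-server rules and the "Default allow LAN" rules) is bound to an interface that does not exist and the LAN side is unprotected-but-also-unserved until it is replaced; rc.conf in the same commit puts the 192.168.1.1 address on eth2, which is presumably the intended value. A comment such as `# TODO: set to the LAN interface (eth2 per rc.conf)` on that line would make the gap explicit. The four default-deny rules reuse one label per address family (`"Default deny rule IPv4"` on both the in and the out rule), so anything that aggregates `pfctl -sl` counters by label cannot tell inbound drops from outbound drops; `"Default deny rule IPv4 in"` / `"Default deny rule IPv4 out"` (and likewise for IPv6) would keep them apart. There is also no `antispoof` line, so packets arriving on `$lan` with a source address that does not belong to that network are accepted by the "Default allow LAN to any" rules; `antispoof quick for $lan` placed before the LAN allow rules would close that.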
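--- a/FreeBSD/etc/rc.conf
+++ b/FreeBSD/etc/rc.conf
@@ -0,0 +1,3 @@
+ifconfig_eth0=""
+ifconfig_ngeth0="DHCP"
+ifconfig_eth2="inet 192.168.1.1 netmask 255.255.255.0"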
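--- a/FreeBSD/etc/start_if.eth0
+++ b/FreeBSD/etc/start_if.eth0
@@ -0,0 +1,87 @@
+#!/bin/sh
+set -e
+
+ONT_IF='eth0'
+RG_IF='eth1'
+RG_ETHER_ADDR='00:11:22:33:44'
+LOG=/var/log/freeatt.log
+
+getTimestamp(){
+echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"`
+}
+
+{
+echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode"
+echo "$(getTimestamp) Configuration: "
+echo "$(getTimestamp) ONT_IF: $ONT_IF"
+echo "$(getTimestamp) RG_IF: $RG_IF"
+echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
+
+echo "$(getTimestamp) building netgraph nodes..."
+
+echo -n "$(getTimestamp) creating ng_one2many... "
+/usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
+/usr/sbin/ngctl name $ONT_IF:lower o2m
+echo "OK!"
+
+echo -n "$(getTimestamp) creating vlan node and interface... "
+/usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
+/usr/sbin/ngctl name o2m:many0 vlan0
+/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+
+/usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+echo "OK!"
+
+echo -n "$(getTimestamp) defining etf for $ONT_IF (ONT)... "
+/usr/sbin/ngctl mkpeer o2m: etf many1 downstream
+/usr/sbin/ngctl name o2m:many1 waneapfilter
+/usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
+echo "OK!"
+
+echo -n "$(getTimestamp) defining etf for $RG_IF (RG)... "
+/usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
+/usr/sbin/ngctl name $RG_IF:lower laneapfilter
+/usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
+echo "OK!"
+
+echo -n "$(getTimestamp) bridging etf for $ONT_IF <-> $RG_IF... "
+/usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
+echo "OK!"
+
+echo -n "$(getTimestamp) defining filters for EAP traffic... "
+/usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+/usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+echo "OK!"
+
+echo -n "$(getTimestamp) enabling one2many links... "
+/usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
+echo "OK!"
+
+echo -n "$(getTimestamp) removing waneapfilter:nomatch hook... "
+/usr/sbin/ngctl rmhook waneapfilter: nomatch
+echo "OK!"
+
+echo -n "$(getTimestamp) enabling $RG_IF interface... "
+/sbin/ifconfig $RG_IF up
+echo "OK!"
+
+echo -n "$(getTimestamp) enabling $ONT_IF interface... "
+/sbin/ifconfig $ONT_IF up
+echo "OK!"
+
+echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
+/sbin/ifconfig $RG_IF promisc
+echo "OK!"
+
+echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
+/sbin/ifconfig $ONT_IF promisc
+echo "OK!"
+
+echo -n "$(getTimestamp) set mac address on ngeth0..."
+/sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR
+echo "OK!"
+
+echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN"
+echo "$(getTimestamp) done!"
+} >> $LOG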
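Review bot: `RG_ETHER_ADDR='00:11:22:33:44'` has only five octets, so `/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR` and `/sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR` later in the block will presumably reject it as a link-level address, and under `set -e` the script then aborts mid-way with the netgraph nodes only partly wired up; if it is meant as a placeholder it should be an obviously labelled one, e.g. `RG_ETHER_ADDR='<six-octet MAC address of the residential gateway>'`. Only stdout is redirected by `} >> $LOG`, so when any `ngctl`/`ifconfig` step fails the error text never reaches the log and the last entry is an unfinished "creating …" line with no reason; `} >> "$LOG" 2>&1` keeps the diagnostics next to the timestamps. The script also runs unattended as a start_if hook, so an early exit leaves no record at all of which step failed — a `trap 'echo "$(getTimestamp) FAILED at step above"' EXIT`-style hook inside the block would at least mark it. Minor style points: `getTimestamp` uses backticks where `$(date …)` is the clearer form, and the `$LOG`, `$ONT_IF`, `$RG_IF` and `$RG_ETHER_ADDR` expansions should be double-quoted.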