diff --git a/FreeBSD/boot/loader.conf b/FreeBSD/boot/loader.conf
new file mode 100644
index 0000000..9c5f7ef
--- /dev/null
+++ b/FreeBSD/boot/loader.conf
@@ -0,0 +1,6 @@
+netgraph_load="YES"
+ng_ether_load="YES"
+ng_etf_load="YES"
+ng_vlan_load="YES"
+ng_eiface_load="YES"
+ng_one2many_load="YES"
diff --git a/FreeBSD/etc/pf.conf b/FreeBSD/etc/pf.conf
new file mode 100644
index 0000000..06cf214
--- /dev/null
+++ b/FreeBSD/etc/pf.conf
@@ -0,0 +1,60 @@
+wan = "ngeth0"
+lan = "xxx"
+
+#options
+set skip on lo0
+set block-policy drop
+set fingerprints "/etc/pf.os"
+set ruleset-optimization basic
+set optimization normal
+set limit { states 1624000, src-nodes 1624000, frags 5000, table-entries 400000 }
+
+
+#scrub
+scrub on $wan all random-id fragment reassemble
+scrub on $lan all random-id fragment reassemble
+
+
+#NAT
+nat on $wan inet from ($lan:network) to any -> ($wan)
+
+
+#Filter
+
+#default deny
+block drop in inet all label "Default deny rule IPv4"
+block drop out inet all label "Default deny rule IPv4"
+block drop in inet6 all label "Default deny rule IPv6"
+block drop out inet6 all label "Default deny rule IPv6"
+
+#allow dhcp/dhcpv6 client
+pass in quick on $wan proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
+pass out quick on $wan proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
+pass in quick on $wan inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass in quick on $wan proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass out quick on $wan proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
+
+#allow dhcp/dhcpv6 server
+pass in quick on $lan inet proto udp from any port = bootpc to { 255.255.255.255, ($lan), ($lan:broadcast) } port = bootps keep state label "allow access to DHCP server"
+pass out quick on $lan inet proto udp from ($lan) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
+pass quick on $lan inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass in quick on $lan inet6 proto udp from fe80::/10 to ($lan) port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass out quick on $lan inet6 proto udp from ($lan) port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
+
+#icmpv6
+pass quick inet6 proto ipv6-icmp all icmp6-type { unreach, toobig, neighbrsol, neighbradv } keep state
+pass out quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+
+#allow self
+pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
+pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
+
+#allow LAN
+pass in on $lan inet all flags S/SA keep state label "Default allow LAN to any rule"
+pass in on $lan inet6 all flags S/SA keep state label "Default allow LAN to any rule"
diff --git a/FreeBSD/etc/rc.conf b/FreeBSD/etc/rc.conf
new file mode 100644
index 0000000..aaeb732
--- /dev/null
+++ b/FreeBSD/etc/rc.conf
@@ -0,0 +1,3 @@
+ifconfig_eth0=""
+ifconfig_ngeth0="DHCP"
+ifconfig_eth2="inet 192.168.1.1 netmask 255.255.255.0"
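Review bot: `lan = "xxx"` leaves the LAN macro pointing at no interface, so none of the `on $lan` rules (scrub, the DHCP/DHCPv6 server rules, the two `Default allow LAN to any` rules) can match and the default-deny block drops all traffic on the real LAN interface; rc.conf in the same commit gives `eth2` the 192.168.1.1/24 address, so presumably `lan = "eth2"` was intended, or the value should be marked as one to fill in (`lan = "xxx" # placeholder: LAN interface name`). Whether pfctl accepts a name that is not an existing interface at load time I cannot tell from here, so the ruleset may not even load as written. Separately, the `#allow LAN` rules pass LAN hosts to every service on the firewall host itself and there is no spoofing protection; `antispoof quick for { $lan }` after the scrub block, plus a rule that limits management ports to known hosts ahead of the catch-all, would close that gap. The two `pass in` DHCP client rules also carry the label "allow dhcp client out WAN", which makes the pflog/pfctl counters misleading; `label "allow dhcp client in WAN"` matches the direction.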
diff --git a/FreeBSD/etc/start_if.eth0 b/FreeBSD/etc/start_if.eth0
new file mode 100644
index 0000000..42b2ed2
--- /dev/null
+++ b/FreeBSD/etc/start_if.eth0
@@ -0,0 +1,87 @@
+#!/bin/sh
+set -e
+
+ONT_IF='eth0'
+RG_IF='eth1'
+RG_ETHER_ADDR='00:11:22:33:44'
+LOG=/var/log/freeatt.log
+
+getTimestamp(){
+ echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"`
+}
+
+{
+ echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode"
+ echo "$(getTimestamp) Configuration: "
+ echo "$(getTimestamp) ONT_IF: $ONT_IF"
+ echo "$(getTimestamp) RG_IF: $RG_IF"
+ echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
+
+ echo "$(getTimestamp) building netgraph nodes..."
+
+ echo -n "$(getTimestamp) creating ng_one2many... "
+ /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
+ /usr/sbin/ngctl name $ONT_IF:lower o2m
+ echo "OK!"
+
+ echo -n "$(getTimestamp) creating vlan node and interface... "
+ /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
+ /usr/sbin/ngctl name o2m:many0 vlan0
+ /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+
+ /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+ /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+ echo "OK!"
+
+ echo -n "$(getTimestamp) defining etf for $ONT_IF (ONT)... "
+ /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
+ /usr/sbin/ngctl name o2m:many1 waneapfilter
+ /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
+ echo "OK!"
+
+ echo -n "$(getTimestamp) defining etf for $RG_IF (RG)... "
+ /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
+ /usr/sbin/ngctl name $RG_IF:lower laneapfilter
+ /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
+ echo "OK!"
+
+ echo -n "$(getTimestamp) bridging etf for $ONT_IF <-> $RG_IF... "
+ /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
+ echo "OK!"
+
+ echo -n "$(getTimestamp) defining filters for EAP traffic... "
+ /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+ /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling one2many links... "
+ /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
+ echo "OK!"
+
+ echo -n "$(getTimestamp) removing waneapfilter:nomatch hook... "
+ /usr/sbin/ngctl rmhook waneapfilter: nomatch
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling $RG_IF interface... "
+ /sbin/ifconfig $RG_IF up
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling $ONT_IF interface... "
+ /sbin/ifconfig $ONT_IF up
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
+ /sbin/ifconfig $RG_IF promisc
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
+ /sbin/ifconfig $ONT_IF promisc
+ echo "OK!"
+
+ echo -n "$(getTimestamp) set mac address on ngeth0..."
+ /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR
+ echo "OK!"
+
+ echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN"
+ echo "$(getTimestamp) done!"
+} >> $LOG
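Review bot: `RG_ETHER_ADDR='00:11:22:33:44'` has only five octets and is not a valid 48-bit Ethernet address, so `ngctl msg ngeth0: set $RG_ETHER_ADDR` (and later `ifconfig ngeth0 ether $RG_ETHER_ADDR`) will most likely reject it; if it is a stand-in for the gateway's real address, say so and validate it before anything is built, e.g. `RG_ETHER_ADDR='00:11:22:33:44:55'  # placeholder: replace with the RG's MAC` and `case "$RG_ETHER_ADDR" in ??:??:??:??:??:??) ;; *) echo "invalid RG_ETHER_ADDR" >&2; exit 1 ;; esac`. Because `set -e` is in force, a failure at that point exits after the one2many and vlan nodes already exist, only the half-written progress line reaches the log (ngctl's error goes to stderr, which is not redirected), and a re-run will likely fail at the first `mkpeer` because `eth0:lower` is already connected; an EXIT trap that logs the failing step and shuts down the named nodes would make the script both observable and re-runnable. On style, `$ONT_IF`, `$RG_IF`, `$RG_ETHER_ADDR` and `$LOG` should be quoted, and `getTimestamp` can run `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"` directly instead of echoing a backtick substitution.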