new-install

Notes on OS installs
git clone https://git.bracken.jp/new-install.git

commit e7262d2eea3e41eb401166acdbc8be6c2e323211
parent c2f377beca81726251feeb15eb5e873327e891ec
Author: Chris Bracken <chris@bracken.jp>
Date:   Sat, 10 Jul 2021 11:59:39 -0700

FreeBSD: Add blacklistd_flags

Unclear whether starting with -r is required, but every example I see
where blacklistd is used with pf includes it. The manpage isn't as clear
as it could be with regards to what's actually happening under the hood
here.

Diffstat:
M freebsd_install.md | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/freebsd_install.md b/freebsd_install.md @@ -523,8 +523,8 @@ To run a check on our config file without yet applying it: Next, we'll start `pf`, but since many a system administrator has found themselves locked out of their own server by applying a bad config, it's useful to queue up a command to disable the firewall after two minutes. -In another terminal, log into the remote machine, get a root shell using -`sudo -s`, then run the following: +In another terminal, log into the remote machine, get a *root* shell +using `sudo -s`, then run the following: # Sleep 2 minutes, then disable pf. sleep 120; pfctl -d @@ -573,9 +573,14 @@ First, we'll add a pf anchor for blacklistd blocks in `/etc/pf.conf`: anchor "blacklistd/*" in on $ext_if -Next we'll enable it on boot. Add the following line to `/etc/rc.conf`: +Next we'll enable it on boot. We start the daemon with the `-r` flag, which +tells it to re-read the firewall rules from the internal database and remove +then re-add them; this is useful for packet filters that don't retain state +across restarts, though it's unclear to me whether this is the case for `pf`. +Add following lines to `/etc/rc.conf`: blacklistd_enable="YES" + blacklistd_flags="-r" Nest, start the blacklistd service:
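Review bot: the lockout guard in the first hunk (`sleep 120; pfctl -d`) depends on the SSH session that runs it staying alive: if a bad rule set causes that session to be torn down before the two minutes elapse, the foreground shell receives SIGHUP and `sleep` dies with it, so `pfctl -d` never runs. Suggest the text recommend running the guard detached from the session, e.g. `nohup sh -c 'sleep 120; pfctl -d' &` or inside a `tmux`/`screen` session, and remind the reader that `pfctl -d` disables the packet filter entirely, so the guard must be killed (or pf re-enabled) once the config is confirmed good. The *root* emphasis itself is fine.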
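Review bot: the hedge in the second hunk ("unclear to me whether this is the case for `pf`") can be resolved rather than left open: the blocks that blacklistd installs through its pf helper live only in the kernel's copy of the `blacklistd/*` anchor and are not written back to `/etc/pf.conf`, so after a reboot the anchor declared in the hunk above is empty while blacklistd's own database still lists the offenders. `-r` is exactly what re-installs those recorded blocks when the daemon starts, so `blacklistd_flags="-r"` is the right setting here and the paragraph could state that plainly. Two small text fixes in the same region: "Add following lines" should read "Add the following lines", and the context line "Nest, start the blacklistd service" should read "Next".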