Freebsd 13

FreeBSD/backup.sh

@@ -0,0 +1,14 @@
+#!/bin/csh
+#Script to grab all relevant configuration files and installed packages, and back it up to github
+/usr/sbin/pkg prime-origins > /root/fw/pkg_prime-origins
+
+foreach i ( "/boot/loader.conf" "/etc/pf.conf" "/etc/rc.conf" "/etc/start_if.eth0" "/usr/local/etc/dhcpd.conf" "/usr/local/etc/namedb/named.conf" "/usr/local/etc/namedb/dynamic/example.com.db" "/var/cron/tabs/root" "/usr/local/etc/dhcp6c.conf" "/etc/rtadvd.conf" "/usr/local/etc/dhcpd6.conf" "/etc/dhclient.conf" )
+	echo "Backing up "$i
+	/bin/cp $i /root/fw$i
+end
+
+echo "git push"
+cd /root/fw/
+/usr/local/bin/git add .
+/usr/local/bin/git commit -S -m "nightly backup"
+/usr/local/bin/git push -u origin main

FreeBSD/boot/loader.conf

@@ -0,0 +1,6 @@
+netgraph_load="YES"
+ng_ether_load="YES"
+ng_etf_load="YES"
+ng_vlan_load="YES"
+ng_eiface_load="YES"
+ng_one2many_load="YES"

FreeBSD/etc/dhclient.conf

@@ -0,0 +1,10 @@
+# $FreeBSD$
+#
+#	This file is required by the ISC DHCP client.
+#	See ``man 5 dhclient.conf'' for details.
+#
+#	In most cases an empty file is sufficient for most people as the
+#	defaults are usually fine.
+#
+#
+supersede domain-name-servers 127.0.0.1;

FreeBSD/etc/pf.conf

@@ -0,0 +1,60 @@
+wan = "ngeth0"
+lan = "xxx"
+
+#options
+set skip on lo0
+set block-policy drop
+set fingerprints "/etc/pf.os"
+set ruleset-optimization basic
+set optimization normal
+set limit { states 1624000, src-nodes 1624000, frags 5000, table-entries 400000 }
+
+
+#scrub
+scrub on $wan all random-id fragment reassemble
+scrub on $lan all random-id fragment reassemble
+
+
+#NAT
+nat on $wan inet from ($lan:network) to any -> ($wan)
+
+
+#Filter
+
+#default deny
+block drop in inet all label "Default deny rule IPv4"
+block drop out inet all label "Default deny rule IPv4"
+block drop in inet6 all label "Default deny rule IPv6"
+block drop out inet6 all label "Default deny rule IPv6"
+
+#allow dhcp/dhcpv6 client
+pass in quick on $wan proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
+pass out quick on $wan proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
+pass in quick on $wan inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass in quick on $wan proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass out quick on $wan proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
+
+#allow dhcp/dhcpv6 server
+pass in quick on $lan inet proto udp from any port = bootpc to { 255.255.255.255, ($lan), ($lan:broadcast) } port = bootps keep state label "allow access to DHCP server"
+pass out quick on $lan inet proto udp from ($lan) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
+pass quick on $lan inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass in quick on $lan inet6 proto udp from fe80::/10 to ($lan) port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass out quick on $lan inet6 proto udp from ($lan) port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
+
+#icmpv6
+pass quick inet6 proto ipv6-icmp all icmp6-type { unreach, toobig, neighbrsol, neighbradv } keep state
+pass out quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+
+#allow self
+pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
+pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
+
+#allow LAN
+pass in on $lan inet all flags S/SA keep state label "Default allow LAN to any rule"
+pass in on $lan inet6 all flags S/SA keep state label "Default allow LAN to any rule"

FreeBSD/etc/rc.conf

@@ -0,0 +1,44 @@
+hostname="fw"
+ifconfig_eth0=""
+ifconfig_ngeth0="DHCP"
+ifconfig_ngeth0_ipv6="inet6 accept_rtadv up"
+ipv6_cpe_wanif="ngeth0"
+ifconfig_eth2="inet 192.168.1.1 netmask 255.255.255.0"
+ifconfig_eth2_ipv6="inet6 -accept-rtadv up"
+gateway_enable="YES"
+ipv6_gateway_enable="YES"
+ipv6_activate_all_interfaces="YES"
+rtadvd_enable="YES"
+rtadvd_interfaces="eth2"
+dhcp6c_enable="YES"
+dhcp6c_interfaces="ngeth0"
+dhcpd_enable="YES"
+dhcpd_flags="-q"
+dhcpd_conf="/usr/local/etc/dhcpd.conf"
+dhcpd_ifaces="eth2"
+dhcpd_withumask="022"
+dhcpd_chuser_enable="YES"
+dhcpd_withuser="dhcpd"
+dhcpd_withgroup="dhcpd"
+dhcpd_chroot_enable="YES"
+dhcpd_devfs_enable="YES"
+dhcpd_rootdir="/var/db/dhcpd"
+dhcpd6_enable="YES"
+dhcpd6_flags="-q"
+dhcpd6_conf="/usr/local/etc/dhcpd6.conf"
+dhcpd6_ifaces="eth2"
+dhcpd6_withumask="022"
+dhcpd6_chuser_enable="YES"
+dhcpd6_withuser="dhcpd"
+dhcpd6_withgroup="dhcpd"
+dhcpd6_chroot_enable="YES"
+dhcpd6_devfs_enable="YES"
+dhcpd6_rootdir="/var/db/dhcpd"
+pf_enable="YES"
+pf_rules="/etc/pf.conf"
+pflog_enable="YES"
+pflog_logfile="/var/log/pflog"
+powerd_enable="YES"
+powerd_flags="-b hadp -n hadp -a hadp"
+ntpd_enable="YES"
+sshd_enable="YES"

FreeBSD/etc/rtadvd.conf

@@ -0,0 +1,2 @@
+default:\
+	:raflags="m"::prefixlen#64:\

FreeBSD/etc/start_if.eth0

@@ -0,0 +1,87 @@
+#!/bin/sh
+set -e
+
+ONT_IF='eth0'
+RG_IF='eth1'
+RG_ETHER_ADDR='00:11:22:33:44'
+LOG=/var/log/freeatt.log
+
+getTimestamp(){
+    echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"`
+}
+
+{
+    echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode"
+    echo "$(getTimestamp) Configuration: "
+    echo "$(getTimestamp)        ONT_IF: $ONT_IF"
+    echo "$(getTimestamp)         RG_IF: $RG_IF"
+    echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
+
+    echo "$(getTimestamp) building netgraph nodes..."
+
+    echo -n "$(getTimestamp)   creating ng_one2many... "
+    /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
+    /usr/sbin/ngctl name $ONT_IF:lower o2m
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   creating vlan node and interface... "
+    /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
+    /usr/sbin/ngctl name o2m:many0 vlan0
+    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+
+    /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+    /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... "
+    /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
+    /usr/sbin/ngctl name o2m:many1 waneapfilter
+    /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... "
+    /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
+    /usr/sbin/ngctl name $RG_IF:lower laneapfilter
+    /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... "
+    /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining filters for EAP traffic... "
+    /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   enabling one2many links... "
+    /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... "
+    /usr/sbin/ngctl rmhook waneapfilter: nomatch
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling $RG_IF interface... "
+    /sbin/ifconfig $RG_IF up
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling $ONT_IF interface... "
+    /sbin/ifconfig $ONT_IF up
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
+    /sbin/ifconfig $RG_IF promisc
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
+    /sbin/ifconfig $ONT_IF promisc
+    echo "OK!"
+
+    echo -n "$(getTimestamp) set mac address on ngeth0..."
+    /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR
+    echo "OK!"
+
+    echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN"
+    echo "$(getTimestamp) done!"
+} >> $LOG

FreeBSD/pkg_prime-origins

@@ -0,0 +1,6 @@
+dns/bind916
+net/dhcp6
+devel/git
+security/gnupg
+net/isc-dhcp44-server
+ports-mgmt/pkg

FreeBSD/usr/local/etc/dhcp6c.conf

@@ -0,0 +1,12 @@
+interface ngeth0 {
+        send ia-pd 0;   # request prefix delegation
+        request domain-name-servers;
+        request domain-name;
+};
+id-assoc pd 0 {
+        prefix ::/60 infinity;
+        prefix-interface igb1 {
+                sla-id 1;
+                sla-len 4;
+        };
+};

FreeBSD/usr/local/etc/dhcpd.conf

@@ -0,0 +1,44 @@
+option domain-name "example.com";
+option ldap-server code 95 = text;
+option domain-search-list code 119 = text;
+option arch code 93 = unsigned integer 16; # RFC4578
+
+default-lease-time 7200;
+max-lease-time 86400;
+log-facility local7;
+one-lease-per-client true;
+deny duplicates;
+update-conflict-detection false;
+authoritative;
+subnet 192.168.1.0 netmask 255.255.255.0 {
+        pool {
+                range 192.168.1.100 192.168.1.199;
+        }
+
+        option routers 192.168.1.1;
+        option domain-name-servers 192.168.1.1;
+        ping-check true;
+
+}
+host s_lan_0 {
+        hardware ethernet 00:11:22:33:44:55;
+        fixed-address 192.168.1.50
+        option host-name "example-host1";
+}
+host s_lan_1 {
+        hardware ethernet 66:77:88:99:aa:bb;
+        fixed-address 192.168.1.51;
+        option host-name "example-host2";
+}
+
+ddns-update-style interim;
+ddns-dual-stack-mixed-mode true;
+update-conflict-detection true;
+update-optimization false;
+deny client-updates;
+ddns-domainname "example.com.";
+ddns-hostname=pick(option fqdn.hostname, option host-name, concat("dyn-",binary-to-ascii(10,8,"-",leased-address)));
+
+zone example.com. {
+	primary 127.0.0.1;
+}

FreeBSD/usr/local/etc/dhcpd6.conf

@@ -0,0 +1,31 @@
+option domain-name "example.com";
+option ldap-server code 95 = text;
+option domain-search-list code 119 = text;
+
+default-lease-time 7200;
+max-lease-time 86400;
+log-facility local7;
+one-lease-per-client true;
+deny duplicates;
+ping-check true;
+authoritative;
+subnet6 2600:1234:5678:90ab::/64 {
+        range6 2600:1234:5678:90ab::1000 2600:1234:5678:90ab::2000;
+        do-forward-updates false;
+        option dhcp6.name-servers 2600:1234:5678:90ab::1;
+
+}
+
+ddns-update-style interim;
+ddns-dual-stack-mixed-mode true;
+update-conflict-detection true;
+update-optimization false;
+deny client-updates;
+ddns-domainname "example.com.";
+ddns-hostname=pick(option fqdn.hostname, concat("dyn-",binary-to-ascii(16,16,"-",substring(option dhcp6.ia-na, 16, 16))));
+
+zone example.com. {
+        primary 127.0.0.1;
+}
+
+