IceFloor / PF Issues

[boonebytes]

Hi guys,

Some background:

I have a Mac Mini (late 2012 model) set up as a server w/ Mac OS X Server (Mountain Lion v10.8.4), wired to a Time Capsule with routing disabled, which is wired to a RVS4000 router. I have it configured in such a way that the Mac Mini is a NAT for traffic from en0 to vlan0 (linked via en0, routed by the RVS4000).

I'm using the Mac Mini to host services as the IPTV service provided by my ISP doesn't work if their router doesn't supply the IPs. Their router supplies IPs on the 192.168.77.0 subnet, and my Mac Mini supplies IPs on the 192.168.84.0 subnet.

The Mac Mini is hosting DHCP via the MacPorts dhcpd server. It's also hosting other services, such as DNS, LDAP, etc.

The guts of my post:

When I was first setting up the NAT, I was using the IPFW method of routing requests. Shortly after (as in, perhaps less than a day), I stumbled on IceFloor, downloaded it, installed it, and configured it to match what I needed... recognizing that it uses PF, which is supposed to replace IPFW at some point (from what I understand).

It works great... as long as I never shut down the Mac Mini. I have it plugged into an UPS, so it can shut down safely and such. It's configured to turn on automatically when power has been supplied, but NAT doesn't work without some user-intervention on my part.

I have been putting up with it for a while (probably months now), but I'm still bothered that my configuration is not "self-sufficient" at the moment.

I'm running into an issue where launchd launches /etc/icefloor.sh at boot (tested via syslog output in the script), but PF is disabled when the system has finished booting...

# pfctl -s info
No ALTQ support in kernel
ALTQ related functions disabled
Status: Disabled                              Debug: Urgent

State Table                          Total             Rate
  current entries                        0               
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
...

When this happens, the Mac Mini can get online, but it won't route requests for the other clients (Macs, iPhones, iPads, Windows PC, etc.).

If I launch the IceFloor GUI, I generally see "PF Firewall: Disabled; IceFloor Ruleset: Disabled; Boot Scripts Installed; IceFloor Mode: Advanced" in the status bar. At this exact moment, the PF Firewall is disabled and the IceFloor Ruleset is enabled, but that might just be some recent tests I've been running (ie. I removed the extended attribute for Apple's quarantine from icefloor.sh and icefloor_ef.sh).

Best I can tell, there's something else loading after IceFloor that's disabling PF. Question is: What is it, or how can I find out what it is?

Of course, there's a chance that something else is the problem... My day-job is programming, not infrastructure (although I think I have a good handle on it). I work in a Windows shop, so I don't get as much exposure to Mac or Linux as I like.

FYI: This is for my home config... but I don't like having the internet down while there's someone else home.

Does anyone have any advice? Or perhaps a "better" way for me to find a solution?

Thanks in advance,

Jeff

 

[dfaber]

Icefloor doesn't start

Jeff:

I have had the same problem. Try this:

Setup Icefloor as usual. Go to "Tools" and open a text editor. Open /etc/icefloor.sh

Find the line about "sleep 5" and uncomment. Reboot. See if problem solved. Seemed to work for me. I'm using mountain lion on mac mini that is being used as a home gateway.

Good luck.

 

[boonebytes]

Hi dfaber,

Thanks for the help!

I made the modification (via "sudo vi /etc/icefloor.sh") and restarted. However, it doesn't seem to do the trick... I'm still getting "Disabled" for the PF Firewall and IceFloor Ruleset.

Here's the contents of the file, via bash-3.2# cat /etc/icefloor.sh | grep -v ^#

trap 'exit 1' 15

ipconfig waitall

sysctl -w net.inet6.ip6.fw.verbose=0
sysctl -w net.inet.ip.fw.verbose=0
sysctl -w net.inet.ip.fw.verbose_limit=0

sysctl -w net.inet.ip.forwarding=1
		
/sbin/pfctl -ef /etc/pf.conf

ifconfig pflog0 create
/usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf -p local2.info

sleep 5

exit 0

Can you think of anything else I should look at?

Thanks again,

Jeff

EDIT: FYI: Yes, I sudo bash'd, which isn't generally a "best practice"... I just find it a lot easier to do when you have so many commands to run as root

 

[dfaber]

IceFloor / PF Issues

Yeah, it turns out that just sleeping at the end of the icefloor.sh script doesn't really do anything.

I move the "sleep 5" line to just after the 'ipconfig waitall' line (I presume that the important thing here is to make sure it sleeps before the '/sbin/pfctl -ef /etc/pf.conf' line).

I also had to change the file /System/LaunchDaemons/com.apple.pfctl.plist by adding the '-e' flag to program arguments like this:

<key>ProgramArguments</key>
<array>
<string>pfctl</string>
<string>-ef</string>
<string>/etc/pf.conf</string>
</array>

I presume that what is happening is that icefloor is launching pfctl, and then the system is also launching it and turning pf off. By enabling system pfctl with -e flag, and then forcing the icefloor script to wait 5 before calling pfctl again, the system action then gets overwritten by icefloor, rather than the other way around.

Making either change alone did not fix the problem. Making both changes has now allowed the ruleset to survive multiple system reboots.

I hate modifying any /System files, but can't find a better way right now. I presume that this patch will have to be done again when updating to new system software.

Also, Icefloor repeatedly replaces the icefloor.sh script when loading rules, so the script has to have the 'sleep 5' line replaced with every rules update (maybe not with the 'test' button). Changing the copy in the Icefloor.app bundle does not seem to affect this behavior. I cannot figure out how to change the defaults so I don't have to keep changing the /etc/icefloor.sh file whenevery I hit the update rules button.

----------

It may also be enough to set Disabled flag to true on the /System/Library/LaunchDaemons/com.apple.pfctl.plist file

 

[KirinZero]

Who disabled my PF firewall??

Well, I have the very same problem.

After booting up, icefloor shows that both PF firewall and PF rulesets are disabled.

But when I execute sudo /etc/icefloor.sh in terminal, PF firewall and PF rulesets turn to be enabled in icefloor.

When I turn on the firewall in System Preferences, icefloor shows PF firewall is enabled but PF rulesets disabled after booting up.

There must be connections between Firewall from System Preferences and PF firewall from icefloor.

Judging from log files, /etc/icefloor.sh is executed correctly by launched.
So my judgement is that there must be something turning my pf firewall off.
But I can't find it.

I am quite confused.

Any idea will be deeply appreciated !!

 

[cpuin]

I have the same problem.
After some reboots boot script doesn't work!
I wrote to Haney the creator of IceFloor i donated also but still have no answer.