Revision 1.55 (03-Dec-2017, sthen)
Disallow the _pbuild user from making TCP/UDP connections in the default PF ruleset. This is not a complete block on _pbuild being able to communicate (e.g. non-TCP/UDP protocols don't have a PCB with userid, so PF can't restrict in those cases) but avoids some cases, and in particular makes it more obvious when a port does things like download extra distfiles or dependencies as part of the build process. Slight tweak from a diff by espie@.
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE

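The pieces described in revisions 1.55, 1.53, 1.52 and 1.44 fit together as a small default ruleset. The fragment below is an added illustration written for this log page, not the text of any committed /etc/pf.conf revision; the loopback group name, the use of the log keyword and the comments are choices made here.

```pf
# Added example: minimal default ruleset in the spirit of revs 1.44/1.52/1.53/1.55.
# Not the contents of any actual /etc/pf.conf revision.

# Do not filter loopback at all.
set skip on lo

# Default policy (rev 1.53): answer with TCP RST / ICMP unreachable instead of
# dropping silently. After a crash or hard reboot the host has no state for
# connections peers still believe are open; with plain "block" those peers
# would hang until their own timeouts expire, with "block return" they are
# told immediately.
block return

# Stateful pass for everything not blocked by a later rule. Because the
# explicit "block return" above comes first, a TCP segment whose state has
# timed out is caught by the block rule instead of the implicit default pass
# (rev 1.52).
pass

# No remote X11: 6000:6010 is the range set aside by net.inet.tcp.baddynamic
# for the X protocol, so block the whole range, not just display :0 (rev 1.44).
block return in on ! lo0 proto tcp to port 6000:6010

# Keep the ports build user off the network (rev 1.55). "user" is matched
# against the owner of the socket, which only exists for TCP and UDP; ICMP,
# GRE and other protocols have no per-socket uid and are not caught by this.
block return out log proto { tcp udp } user _pbuild
```

Check the file without loading it with pfctl -nf /etc/pf.conf, then load with pfctl -f. Because the _pbuild rule carries log, a port that tries to fetch a distfile during the build shows up on pflog0 (tcpdump -n -e -ttt -i pflog0), which is the "more obvious" signal the 1.55 message refers to.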
Revision 1.54 (23-Aug-2014, deraadt)
Shrink this to the minimum, but reference /etc/examples/pf.conf (someone should really sit down and flesh out the examples)
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE

Revision 1.53 (25-Jan-2014, dtucker)
Change the default PF policy to "block return", including x11 as suggested by naddy@. This solves the problem that occurs when a server crashes or is hard booted and comes back up without tearing down any connections to it, and packets from these connections don't match any existing state or rule and are silently dropped. ok phessler@ henning@ claudio@ dlg@
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE

Revision 1.52 (13-Feb-2013, halex)
Add a 'block' rule prior to the state creating 'pass' rule. This way, TCP packets of e.g. timed out states are blocked rather than passed by the implicit default pass rule.
sthen@ benno@ phessler@ mikeb@ agree

Revision 1.51 (26-Jan-2013, claudio)
Give an example of how to increase the state limit. The 10k limit is too small for production servers now that pf is on by default. OK phessler@
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE

Revision 1.50 (28-Apr-2011, mikeb)
ftp-proxy(8) now requires a divert-to rule
Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE

Revision 1.49 (17-Sep-2009, jmc)
sync the spamd example to that used in spamd(8); ok beck

Revision 1.48 (11-Sep-2009, sthen)
This sample ruleset does not use require-order to mix NAT/rdr and filter rules, because we no longer have translation rules. Pointed out by Mitja Muzenic, ok henning@

Revision 1.47 (07-Sep-2009, jmc)
example spamd rules should be "pass in";

Revision 1.46 (01-Sep-2009, todd)
add back sample spamd(8) rules, converted appropriately; ok henning@

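Revisions 1.50, 1.49, 1.47 and 1.46 all concern the proxy and spamd redirections in the sample file. The fragment below is an added illustration in current pf syntax (the rdr-to/divert-to form that replaced separate translation rules), not the text of any committed revision; the interface names, the ftp-proxy port 8021, the table names and the nospamd file path are assumptions made here, following the shape of the examples the spamd(8) and ftp-proxy(8) manual pages carry.

```pf
# Added example, not from any /etc/pf.conf revision.
int_if = "em1"

# ftp-proxy(8) (rev 1.50): the proxy needs a divert-to rule to receive the
# control connection, and an anchor it can populate at runtime with rules for
# the data connections. Without the anchor, active/passive data transfers fail.
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# spamd(8) (revs 1.46/1.47/1.49): unknown and blacklisted senders are handed
# to spamd, senders that have passed greylisting (<spamd-white>, filled by
# spamd-setup(8) and spamd itself) and manually trusted hosts (<nospamd>) go
# straight to the real MTA. Written as "pass in" so the same rule both
# redirects and passes the connection; no second pass rule is required.
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

pass in on egress proto tcp from any to any port smtp divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp
```

Rule order matters here: the first smtp rule is the catch-all that diverts to spamd, and the later, more specific rules for <nospamd> and <spamd-white> win because pf evaluates the last matching rule when quick is not used. Verify the tables are being populated with pfctl -t spamd-white -T show.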
Revision 1.45 (01-Sep-2009, henning)
todd reminded me we need to adjust this too
Revision tags: OPENBSD_4_6_BASE

Revision 1.44 (10-Jun-2009, sobrado)
pf should block the port range allocated by net.inet.tcp.baddynamic for the X protocol instead of port 6000 only; this way pf provides the same protection level to all X servers.
ok sthen@; "I am convinced that 6000-6010 is acceptable for blocking in pf" deraadt@, "i'd thought of something similar" oga@

Revision 1.43 (30-May-2009, henning)
shorter, ok theo

Revision 1.42 (30-May-2009, henning)
we want pass, not pass in, so we get state for all connections

Revision 1.41 (26-Apr-2009, sthen)
remove "set require-order no", it is now the default

Revision 1.40 (20-Apr-2009, deraadt)
do NOT set defaults to their default here

Revision 1.39 (06-Apr-2009, henning)
reassembly works differently now
Revision tags: OPENBSD_4_5_BASE

Revision 1.38 (23-Feb-2009, deraadt)
A new ruleset that contains actual blocks people can use if they uncomment them. this is no longer a sample. everything in here now must be completely legit. discussed at length with henning, claudio, and sthen. ok sthen
Revision tags: OPENBSD_4_4_BASE

Revision 1.37 (09-May-2008, reyk)
now we also need the anchor "relayd/*" in addition to the rdr-anchor.
ok pyr@

Revision 1.36 (02-Apr-2008, jmc)
no more /usr/share/pf; pointed out by Rod Whitworth
Revision tags: OPENBSD_4_3_BASE

Revision 1.35 (29-Feb-2008, reyk)
add configuration examples to the default pf.conf file (commented out):
- rdr-anchor "relayd/*": the anchor used by relayd to load redirections into pf.
- pass in on $ext_if proto icmp to ($ext_if): it is a bad habit to block icmp, this example proposes to allow it by default.
ok henning@
Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE

Revision 1.34 (24-Feb-2007, millert)
Make greylisting the default when spamd is enabled. Uses the new -g flag for spamd-setup. OK beck@

Revision 1.33 (24-Oct-2006, david)
kill extra spaces

Revision 1.32 (07-Oct-2006, mcbride)
'keep state' is now default, and use 'no state' where intended.
Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE

Revision 1.31 (30-Jan-2006, camield)
update for new ftp-proxy
ok henning@

Revision 1.30 (26-Jan-2006, henning)
set skip is not a good idea on int_if in this sample ruleset that also has a rdr on $int_if, which stops working then. pointed out by cedric
Revision tags: OPENBSD_3_8_BASE

Revision 1.29 (23-Aug-2005, henning)
replace the "pass quick" example line for loopback and the inner interface with a set skip statement to the same effect, performs way better; suggested by Stuart Henderson <stu@spacehopper.org>, theo ok
Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE

Revision 1.28 (29-Apr-2004, frantzen)
reminder to set net.inet.ip.forwarding/net.inet6.ip6.forwarding in sysctl.conf; ok cedric@ mcbride@
Revision tags: OPENBSD_3_5_BASE

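Revisions 1.29 and 1.30 together record a footgun worth spelling out: "set skip" is a cheap way to take loopback out of the filter path, but it bypasses pf entirely on the named interface, redirections included, which is why rev 1.30 had to take the inner interface back out of it. The fragment below is an added illustration in current pf syntax, not the text of either revision; the interface names and the proxy port 3128 are assumptions made here, and the sysctl reminder from rev 1.28 is included because the same router setup needs it.

```pf
# Added example, not from any /etc/pf.conf revision.
ext_if = "em0"
int_if = "em1"

# Fast path (rev 1.29): no filtering, no state, no translation on loopback.
# Do NOT add $int_if here while a redirection below still names it; with
#   set skip on { lo $int_if }
# the rdr-to rule is never evaluated and the "redirect" silently becomes a
# plain routed connection to the original destination (rev 1.30).
set skip on lo

block return
pass

# Transparent redirect of LAN web clients to a local proxy. This is exactly
# the kind of rule that "set skip on $int_if" would have disabled.
pass in quick on $int_if inet proto tcp to port 80 rdr-to 127.0.0.1 port 3128

# pf does not turn the box into a router by itself (rev 1.28). For traffic to
# flow between $int_if and $ext_if, /etc/sysctl.conf needs:
#   net.inet.ip.forwarding=1
#   net.inet6.ip6.forwarding=1
```

A quick way to confirm the redirection is actually being applied rather than skipped is pfctl -ss, which lists the states with their translated addresses; a state for port 80 traffic whose destination still shows the original web server means the rdr-to rule never matched.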
Revision 1.27 (02-Mar-2004, cedric)
Simplify pf.conf, provide sample rules for greylisting. ok beck@, input from many.

Revision 1.26 (26-Feb-2004, david)
add src.track timeout and src-nodes limit; ok mcbride@

Revision 1.25 (29-Jan-2004, todd)
sync pf.conf example with spamd(8); ok deraadt@

Revision 1.24 (05-Dec-2003, david)
put back lo1; requested by deraadt@

Revision 1.23 (05-Dec-2003, david)
lo1 no longer exists by default so don't try to use it in examples; ok henning@

Revision 1.22 (18-Nov-2003, david)
add a commented out 'set debug' default; ok henning@
Revision tags: OPENBSD_3_4_BASE

Revision 1.21 (02-Sep-2003, david)
add set fingerprints example; ok deraadt@ henning@ frantzen@

Revision 1.20 (17-Jun-2003, david)
add adaptive, interval, and frag timeouts to pf.conf and BNF; ok henning@ dhartmei@
Revision tags: OPENBSD_3_3_BASE

Revision 1.19 (24-Mar-2003, ian)
Add comments, mostly borrowed from ftp-proxy(8), showing how to set it up. Improved & OK'd by dhartmei@, david@, millert@.

Revision 1.18 (11-Mar-2003, david)
remove extra #; ok henning@

Revision 1.17 (28-Feb-2003, david)
much-needed update to include examples for all seven types of statements; queueing and table examples are from the fosdem2k3 presentation; spamd rdr simplification from henning@. ok dhartmei@ henning@

Revision 1.16 (14-Feb-2003, jason)
spamd now uses tables (these load MUCH faster on my ss2); ok deraadt

Revision 1.15 (30-Dec-2002, dhartmei)
#set limit states unlimited -> 10000, as unlimited is not valid syntax.

Revision 1.14 (23-Dec-2002, henning)
default optimization is "normal", not "default"

Revision 1.13 (23-Dec-2002, henning)
missing }

Revision 1.12 (23-Dec-2002, henning)
- list options with default values
- correct order
- various spelling/grammar/consistency
from David Krause with feedback from dhartmei@

Revision 1.11 (21-Dec-2002, deraadt)
sample spamd stuff

Revision 1.10 (19-Dec-2002, deraadt)
indent so it is more clear, add spews thing

Revision 1.9 (13-Dec-2002, henning)
kill whitespace at EOL; David Krause

Revision 1.8 (24-Nov-2002, pb)
make the example parseable (quotes around macros); from sam smith, thx
henning@ ok

Revision 1.7 (16-Nov-2002, ian)
Use macros in sample file, ok dhartmei@
Revision tags: OPENBSD_3_2_BASE

Revision 1.6 (27-Jun-2002, fgsch)
spell.

Revision 1.5 (22-Jun-2002, henning)
add a commented out scrub example; ok frantzen@

Revision 1.4 (17-Jun-2002, henning)
merge nat.conf here as well; add more simple filter rule examples. "commit it" deraadt@
Revision tags: OPENBSD_3_1_BASE

Revision 1.3 (16-Nov-2001, dhartmei)
The implicit pass rules come first, not last. Spotted by alec@dtkco.com.
Revision tags: OPENBSD_3_0_BASE

Revision 1.2 (26-Jun-2001, smart)
Point to pf.conf(5) and nat.conf(5) for help

Revision 1.1 (26-Jun-2001, kjell)
change default pf configuration files to pf.conf and nat.conf. ok theo