Disallow the _pbuild user from making TCP/UDP connections in the default
PF ruleset. This is not a complete block on _pbuild being able to communicate
(e.g. non-TCP/UDP protocols don't have a PCB with userid, so PF can't restrict
in those cases) but avoids some cases, and in particular makes it more obvious
when a port does things like download extra distfiles or dependencies
as part of the build process. Slight tweak from a diff by espie@.

Shrink this to the minimum, but reference /etc/examples/pf.conf
(someone should really sit down and flesh out the examples)

Change the default PF policy to "block return", including x11 as
suggested by naddy@. This solves the problem that occurs when a
server crashes or is hard booted and comes back up without tearing
down any connections to it, and packets from these connections don't
match any existing state or rule and are silenty dropped.
ok phessler@ henning@ claudio@ dlg@

Add a 'block' rule prior to the state creating 'pass' rule. This
way, TCP packets of e.g. timed out states are blocked rather than
passed by the implicit default pass rule.

sthen@ benno@ phessler@ mikeb@ agrees

Give an example of how to increase the state limit. The 10k limit is too
small for production servers now that pf is on by default.
OK phessler@

ftp-proxy(8) now requires a divert-to rule

sync the spamd example to that used in spamd(8); ok beck

This sample ruleset does not use require-order to mix NAT/rdr
and filter rules, because we no longer have translation rules.
Pointed out by Mitja Muzenic, ok henning@

example spamd rules should be "pass in";

add back sample spamd(8) rules, converted appropriately; ok henning@

todd reminded me we need to adjust this too

pf should block the port range allocated by net.inet.tcp.baddynamic
for the X protocol instead of port 6000 only; this way pf provides
the same protection level to all X servers.

ok sthen@; "I am convinced that 6000-6010 is acceptable for blocking
in pf" deraadt@, "i'd thought of something similar" oga@

shorter, ok theo

we want pass, not pass in, so we get state for all connections

remove "set require-order no", it is now the default

do NOT set defaults to their default here

reassembly works different now

A newruleset that contains actual blocks people can use if they
uncomment them. this is no longer a sample. everything in here now
must be completely legit.
discussed at length with henning, claudio, and sthen
ok sthen

now we also need the anchor "relayd/*" in addition to the rdr-anchor.

ok pyr@

no more /usr/share/pf; pointed out by Rod Whitworth

add configuration examples to the default pf.conf file (commented out):

- rdr-anchor "relayd/*": the anchor used by relayd to load
redirections into pf.

- pass in on $ext_if proto icmp to ($ext_if): it is a bad habit to
block icmp, this example proposes to allow it by default.

ok henning@

Make greylisting the default when spamd is enabled. Uses the new -g flag
for spamd-setup. OK beck@

kill extra spaces

'keep state' is now default, and use 'no state' where intended.

update for new ftp-proxy

ok henning@

set skip is no good idea on int_if in this sample rulseset that also
has a rdo on $int_if that stops working then. pt out by cedric

replace the "pass quick" example line for loopback and the inner interface
with a set skip statement to the same effect, performs way better
suggested by Stuart Henderson <stu@spacehopper.org>, theo ok

reminder to set net.inet.ip.forwarding/net.inet6.ip6.forwarding in sysctl.conf
ok cedric@ mcbride@

Simplify pf.conf, provide sample rules for greylisting.
ok beck@, input from many.

add src.track timeout and src-nodes limit
ok mcbride@

sync pf.conf example with spamd(8); ok deraadt@

put back lo1
requested by deraadt@

lo1 no longer exists by default so don't try to use it in examples
ok henning@

add a commented out 'set debug' default
ok henning@

add set fingerprints example
ok deraadt@ henning@ frantzen@

add adaptive, interval, and frag timeouts to pf.conf and BNF
ok henning@ dhartmei@

Add comments, mostly borrowed from ftp-proxy(8), showing how to set up up.
Improved & OK'd by dhartmei@, david@, millert@.

remove extra #
ok henning@

much-needed update to include examples for all seven types of statements
queueing and table examples are from the fosdem2k3 presentation
spamd rdr simplification from henning@
ok dhartmei@ henning@

spamd now uses tables (these load MUCH faster on my ss2); ok deraadt

#set limit states unlimited -> 10000, as unlimited is not valid syntax.

default optimization is "normal", not "default"

missing }

-list options with default values
-correct order
-various spelling/grammar/consistency

from David Krause with feedback from dhartmei@

sample spamd stuff

indent so it is more clear, add spews thing

kill whitespace at EOL; David Krause

make the example parseable (quotes around macros)
from sam smith, thx

henning@ ok

Use macros in sample file, ok dhartmei@

spell.

add a commented out scrub example
ok frantzen@

merge nat.conf here as well
add more simple filter rule examples
"commit it" deraadt@

The implicit pass rules come first, not last. Spotted by alec@dtkco.com.

Point to pf.conf(5) and nat.conf(5) for help

change default pf configuration files to pf.conf and nat.conf. ok theo