author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2009-02-23 01:18:37 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2009-02-23 01:18:37 +0000 |
commit | 4ff156e31a76438558845c6d8cf21450f857389c (patch) | |
tree | 23d512872023adb3616671a83342373f2a7c837d /etc/pf.conf | |
parent | 5d144654091f1b56f8792202cbab8e69d832130d (diff) |
A new ruleset that contains actual blocks people can use if they
uncomment them. This is no longer a sample; everything in here now
must be completely legit.
discussed at length with henning, claudio, and sthen
ok sthen
Diffstat (limited to 'etc/pf.conf')
-rw-r--r-- | etc/pf.conf | 49 |
1 files changed, 24 insertions, 25 deletions
diff --git a/etc/pf.conf b/etc/pf.conf
index 233ac9a3329..85ddbef7b4e 100644
--- a/etc/pf.conf
+++ b/etc/pf.conf
@@ -1,36 +1,35 @@ -# $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $ +# $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $ # -# See pf.conf(5) for syntax and examples. +# See pf.conf(5) for syntax and examples; this sample ruleset uses +# require-order to permit mixing of NAT/RDR and filter rules. # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 # in /etc/sysctl.conf if packets are to be forwarded between interfaces. -#ext_if="ext0" -#int_if="int0" - -#table <spamd-white> persist - -#set skip on lo - -#scrub in +set require-order no +set skip on lo +scrub in +# NAT/filter rules and anchors for ftp-proxy(8) #nat-anchor "ftp-proxy/*" #rdr-anchor "ftp-proxy/*" -#rdr-anchor "relayd/*" -#nat on $ext_if from !($ext_if) -> ($ext_if:0) -#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021 -#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp -#rdr pass on $ext_if proto tcp from any to any port smtp \ -# -> 127.0.0.1 port spamd - +#rdr pass on ! 
egress proto tcp to port ftp -> 127.0.0.1 port 8021 #anchor "ftp-proxy/*" +#pass out proto tcp from $proxy to any port ftp + +# NAT/filter rules and anchors for relayd(8) +#rdr-anchor "relayd/*" #anchor "relayd/*" -#block in -#pass out -#pass quick on $int_if no state -#antispoof quick for { lo $int_if } +# NAT rules and anchors for spamd(8) +#table <spamd-white> persist +#table <nospamd> persist file "/etc/mail/nospamd" +#no rdr on egress proto tcp from <nospamd> to any port smtp +#no rdr on egress proto tcp from <spamd-white> to any port smtp +#rdr pass on egress proto tcp from any to any port smtp -> 127.0.0.1 port spamd + +pass in # to establish keep-state + +#block in quick from urpf-failed to any # use with care -#pass in on $ext_if proto icmp to ($ext_if) -#pass in on $ext_if proto tcp to ($ext_if) port ssh -#pass in log on $ext_if proto tcp to ($ext_if) port smtp -#pass out log on $ext_if proto tcp from ($ext_if) to port smtp +# By default, do not permit remote connections to X11 +block in on ! lo0 proto tcp from any to any port 6000 |
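Review bot: The ftp-proxy block does not live up to "people can use if they uncomment them": `#pass out proto tcp from $proxy to any port ftp` references a macro `$proxy` that is defined nowhere in the new file (the hunk covers all 35 lines), so uncommenting that block as-is makes pfctl reject the ruleset with an undefined-macro error. Either add a definition above it that the user fills in, e.g. `#proxy="(egress)"` with a comment that it is the address ftp-proxy connects out from, or drop the macro and write `#pass out proto tcp from (egress) to any port ftp`, which matches the `! egress`/`egress` style the rest of the file now uses. Separately, the new X11 rule `block in on ! lo0 proto tcp from any to any port 6000` only covers display :0; an X server for display N listens on TCP 6000+N, so with `pass in` as the default this leaves :1 and up reachable, and `port 6000:6010` would close the usual range. It would also help to state in the comment on `pass in` that this is a default-permit inbound policy (everything but 6000/tcp is accepted), since that is the most security-relevant property of the shipped file.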