author | Robert Peichaer <rpe@cvs.openbsd.org> | 2017-07-17 18:52:27 +0000 |
committer | Robert Peichaer <rpe@cvs.openbsd.org> | 2017-07-17 18:52:27 +0000 |
commit | a0f9e9249c7c99004d8492d8e72d72ed279c149a (patch) | |
tree | a9ffdf579b30a238beb08d81c13164463a9396ea /etc/rc | |
parent | 910d2da96bec8a211474aa42496f4fe88ddf4275 (diff) |
Tweak previous.
Diffstat (limited to 'etc/rc')
-rw-r--r-- | etc/rc | 9 |
1 files changed, 5 insertions, 4 deletions
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.510 2017/07/17 18:37:42 rpe Exp $
+# $OpenBSD: rc,v 1.511 2017/07/17 18:52:26 rpe Exp $
 # System startup script run by init on autoboot or after single-user.
 # Output and error are redirected to console by init, and the console is the
@@ -399,14 +399,14 @@ wsconsctl_conf
 # Set initial temporary pf rule set.
 if [[ $pf != NO ]]; then
- RULES='
+ RULES="
 block all
 pass on lo0
 pass in proto tcp from any to any port ssh keep state
 pass out proto { tcp, udp } from any to any port domain keep state
 pass out inet proto icmp all icmp-type echoreq keep state
 pass out inet proto udp from any port bootpc to any port bootps
-pass in inet proto udp from any port bootps to any port bootpc'
+pass in inet proto udp from any port bootps to any port bootpc"
 if ifconfig lo0 inet6 >/dev/null 2>&1; then
 RULES="$RULES
@@ -422,13 +422,14 @@ if [[ $pf != NO ]]; then
 pass in proto carp keep state (no-sync)
 pass out proto carp !received-on any keep state (no-sync)"
- # Don't kill NFS.
 if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then
+ # Don't kill NFS.
 RULES="set reassemble yes no-df
 $RULES
 pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
 pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"
 fi
+ print -- "$RULES" | pfctl -f -
 pfctl -e
 fi
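Review bot: The new `print -- "$RULES" | pfctl -f -` line in the third hunk never checks pfctl's exit status, so if the assembled rule set fails to parse the script falls straight through to `pfctl -e` and pf is enabled without the `block all` default this temporary set is meant to provide. The pipeline's status is pfctl's own, so no pipefail is needed for a guard such as `print -- "$RULES" | pfctl -f - || echo "pf: initial rule set not loaded" >&2`, which at least leaves an explicit marker on the console log next to pfctl's parse error. The second hunk's switch from `RULES='` to `RULES="` changes nothing today because the text contains no `$` or backquote, but it does make the block subject to parameter expansion; a one-line comment such as `# Double-quoted for consistency with the RULES="$RULES ..." appends below.` would record why. The enclosing `if [[ $pf != NO ]]` block opens in the second hunk and its body between the two hunks is not shown.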