authorStuart Henderson <sthen@cvs.openbsd.org>2017-12-03 20:40:05 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2017-12-03 20:40:05 +0000
commitc2f71e356cb93a6490a236150d70d03969012177 (patch)
treef78c8cac293375ab87023309986a5c7fb6eaf278 /etc
parentb24d8e066f9e96e29f9b2867e24c24d3f774f42e (diff)
Disallow the _pbuild user from making TCP/UDP connections in the default
PF ruleset. This is not a complete block on _pbuild being able to communicate (e.g. non-TCP/UDP protocols don't have a PCB with userid, so PF can't restrict in those cases) but avoids some cases, and in particular makes it more obvious when a port does things like download extra distfiles or dependencies as part of the build process. Slight tweak from a diff by espie@.
Diffstat (limited to 'etc')
-rw-r--r--etc/pf.conf5
1 files changed, 4 insertions, 1 deletions
diff --git a/etc/pf.conf b/etc/pf.conf
index 011336cbd4d..ecf2183c210 100644
--- a/etc/pf.conf
+++ b/etc/pf.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
+# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
@@ -9,3 +9,6 @@ pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
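Review bot: The new `block return out log ... user _pbuild` rule depends on its position in the file: pf applies the last matching rule, so it only overrides the earlier `pass # establish keep-state` (shown in the hunk header) because it is placed below it, and a later edit that moves it above that line would silently re-allow the traffic. A comment recording that dependency would protect against this, e.g. `# Must stay below the "pass" rule above: pf uses last-matching-rule semantics`. It would also help to say why a block rule carries `log` — matches are written to the pflog interface (pflog0 by default), which is what makes the unexpected downloads mentioned in the description observable — e.g. `# logged so unexpected network use during builds shows up on pflog0`.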