Age | Commit message | Author
---|---|---
2017-12-03 | Disallow the _pbuild user from making TCP/UDP connections in the default PF ruleset. This is not a complete block on _pbuild being able to communicate (e.g. non-TCP/UDP protocols don't have a PCB with userid, so PF can't restrict in those cases) but avoids some cases, and in particular makes it more obvious when a port does things like download extra distfiles or dependencies as part of the build process. Slight tweak from a diff by espie@. | Stuart Henderson
2014-08-23 | Shrink this to the minimum, but reference /etc/examples/pf.conf (someone should really sit down and flesh out the examples) | Theo de Raadt
2014-01-25 | Change the default PF policy to "block return", including x11 as suggested by naddy@. This solves the problem that occurs when a server crashes or is hard booted and comes back up without tearing down any connections to it, and packets from these connections don't match any existing state or rule and are silently dropped. ok phessler@ henning@ claudio@ dlg@ | Darren Tucker
2013-02-13 | Add a 'block' rule prior to the state creating 'pass' rule. This way, TCP packets of e.g. timed out states are blocked rather than passed by the implicit default pass rule. sthen@ benno@ phessler@ mikeb@ agree | Alexander Hall
2013-01-26 | Give an example of how to increase the state limit. The 10k limit is too small for production servers now that pf is on by default. OK phessler@ | Claudio Jeker
2011-04-28 | ftp-proxy(8) now requires a divert-to rule | Mike Belopuhov
2009-09-17 | sync the spamd example to that used in spamd(8); ok beck | Jason McIntyre
2009-09-11 | This sample ruleset does not use require-order to mix NAT/rdr and filter rules, because we no longer have translation rules. Pointed out by Mitja Muzenic, ok henning@ | Stuart Henderson
2009-09-07 | example spamd rules should be "pass in"; | Jason McIntyre
2009-09-01 | add back sample spamd(8) rules, converted appropriately; ok henning@ | Todd T. Fries
2009-09-01 | todd reminded me we need to adjust this too | Henning Brauer
2009-06-10 | pf should block the port range allocated by net.inet.tcp.baddynamic for the X protocol instead of port 6000 only; this way pf provides the same protection level to all X servers. ok sthen@; "I am convinced that 6000-6010 is acceptable for blocking in pf" deraadt@, "i'd thought of something similar" oga@ | Igor Sobrado
2009-05-30 | shorter, ok theo | Henning Brauer
2009-05-30 | we want pass, not pass in, so we get state for all connections | Henning Brauer
2009-04-26 | remove "set require-order no", it is now the default | Stuart Henderson
2009-04-20 | do NOT set defaults to their default here | Theo de Raadt
2009-04-06 | reassembly works differently now | Henning Brauer
2009-02-23 | A new ruleset that contains actual blocks people can use if they uncomment them. this is no longer a sample. everything in here now must be completely legit. discussed at length with henning, claudio, and sthen ok sthen | Theo de Raadt
2008-05-09 | now we also need the anchor "relayd/*" in addition to the rdr-anchor. ok pyr@ | Reyk Floeter
2008-04-02 | no more /usr/share/pf; pointed out by Rod Whitworth | Jason McIntyre
2008-02-29 | add configuration examples to the default pf.conf file (commented out): - rdr-anchor "relayd/*": the anchor used by relayd to load redirections into pf. - pass in on $ext_if proto icmp to ($ext_if): it is a bad habit to block icmp, this example proposes to allow it by default. ok henning@ | Reyk Floeter
2007-02-24 | Make greylisting the default when spamd is enabled. Uses the new -g flag for spamd-setup. OK beck@ | Todd C. Miller
2006-10-24 | kill extra spaces | David Krause
2006-10-07 | 'keep state' is now default, and use 'no state' where intended. | Ryan Thomas McBride
2006-01-30 | update for new ftp-proxy. ok henning@ | Camiel Dobbelaar
2006-01-26 | set skip is no good idea on int_if in this sample ruleset that also has a rdr on $int_if that stops working then. pt out by cedric | Henning Brauer
2005-08-23 | replace the "pass quick" example line for loopback and the inner interface with a set skip statement to the same effect, performs way better. suggested by Stuart Henderson <stu@spacehopper.org>, theo ok | Henning Brauer
2004-04-29 | reminder to set net.inet.ip.forwarding/net.inet6.ip6.forwarding in sysctl.conf. ok cedric@ mcbride@ | Mike Frantzen
2004-03-02 | Simplify pf.conf, provide sample rules for greylisting. ok beck@, input from many. | Cedric Berger
2004-02-26 | add src.track timeout and src-nodes limit. ok mcbride@ | David Krause
2004-01-29 | sync pf.conf example with spamd(8); ok deraadt@ | Todd T. Fries
2003-12-05 | put back lo1. requested by deraadt@ | David Krause
2003-12-05 | lo1 no longer exists by default so don't try to use it in examples. ok henning@ | David Krause
2003-11-18 | add a commented out 'set debug' default. ok henning@ | David Krause
2003-09-02 | add set fingerprints example. ok deraadt@ henning@ frantzen@ | David Krause
2003-06-17 | add adaptive, interval, and frag timeouts to pf.conf and BNF. ok henning@ dhartmei@ | David Krause
2003-03-24 | Add comments, mostly borrowed from ftp-proxy(8), showing how to set up. Improved & OK'd by dhartmei@, david@, millert@. | Ian Darwin
2003-03-11 | remove extra #. ok henning@ | David Krause
2003-02-28 | much-needed update to include examples for all seven types of statements. queueing and table examples are from the fosdem2k3 presentation; spamd rdr simplification from henning@. ok dhartmei@ henning@ | David Krause
2003-02-14 | spamd now uses tables (these load MUCH faster on my ss2); ok deraadt | Jason Wright
2002-12-30 | #set limit states unlimited -> 10000, as unlimited is not valid syntax. | Daniel Hartmeier
2002-12-23 | default optimization is "normal", not "default" | Henning Brauer
2002-12-23 | missing } | Henning Brauer
2002-12-23 | -list options with default values -correct order -various spelling/grammar/consistency from David Krause with feedback from dhartmei@ | Henning Brauer
2002-12-21 | sample spamd stuff | Theo de Raadt
2002-12-19 | indent so it is more clear, add spews thing | Theo de Raadt
2002-12-13 | kill whitespace at EOL; David Krause | Henning Brauer
2002-11-24 | make the example parseable (quotes around macros). from sam smith, thx henning@ ok | Philipp Buehler
2002-11-16 | Use macros in sample file, ok dhartmei@ | Ian Darwin
2002-06-27 | spell. | Federico G. Schwindt