Fincer
/
openntpd-openbsd
mirror of https://github.com/Fincer/openntpd-openbsd
1
0
Fork 0
Code Issues 0 Projects 0 Releases 61 Wiki Activity
Source code pulled from OpenBSD for OpenNTPD. The place to contribute to this code is via the OpenBSD CVS tree.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6454 Commits
49 Branches
2.1 GiB
Tree: a0c81f7a45
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a0c81f7a45'
${ noResults }
openntpd-openbsd/src/etc/pf.conf

35 lines
1.1 KiB
Raw Normal View History

Change the default PF policy to "block return", including x11 as suggested by naddy@. This solves the problem that occurs when a server crashes or is hard booted and comes back up without tearing down any connections to it, and packets from these connections don't match any existing state or rule and are silenty dropped. ok phessler@ henning@ claudio@ dlg@
10 years ago
pf rule sets; ok deraadt@
23 years ago
This sample ruleset does not use require-order to mix NAT/rdr and filter rules, because we no longer have translation rules. Pointed out by Mitja Muzenic, ok henning@
15 years ago
reminder to set net.inet.ip.forwarding/net.inet6.ip6.forwarding in sysctl.conf ok cedric@ mcbride@
20 years ago
remove extra # ok henning@
21 years ago
Give an example of how to increase the state limit. The 10k limit is too small for production servers now that pf is on by default. OK phessler@
11 years ago
A newruleset that contains actual blocks people can use if they uncomment them. this is no longer a sample. everything in here now must be completely legit. discussed at length with henning, claudio, and sthen ok sthen
15 years ago
merge nat.conf here as well add more simple filter rule examples "commit it" deraadt@
22 years ago
todd reminded me we need to adjust this too
15 years ago
update for new ftp-proxy ok henning@
19 years ago
ftp-proxy(8) now requires a divert-to rule
13 years ago
A newruleset that contains actual blocks people can use if they uncomment them. this is no longer a sample. everything in here now must be completely legit. discussed at length with henning, claudio, and sthen ok sthen
15 years ago
todd reminded me we need to adjust this too
15 years ago
now we also need the anchor "relayd/*" in addition to the rdr-anchor. ok pyr@
16 years ago
much-needed update to include examples for all seven types of statements queueing and table examples are from the fosdem2k3 presentation spamd rdr simplification from henning@ ok dhartmei@ henning@
22 years ago
Change the default PF policy to "block return", including x11 as suggested by naddy@. This solves the problem that occurs when a server crashes or is hard booted and comes back up without tearing down any connections to it, and packets from these connections don't match any existing state or rule and are silenty dropped. ok phessler@ henning@ claudio@ dlg@
10 years ago
Add a 'block' rule prior to the state creating 'pass' rule. This way, TCP packets of e.g. timed out states are blocked rather than passed by the implicit default pass rule. sthen@ benno@ phessler@ mikeb@ agrees
11 years ago
A newruleset that contains actual blocks people can use if they uncomment them. this is no longer a sample. everything in here now must be completely legit. discussed at length with henning, claudio, and sthen ok sthen
15 years ago
add back sample spamd(8) rules, converted appropriately; ok henning@
15 years ago
example spamd rules should be "pass in";
15 years ago
sync the spamd example to that used in spamd(8); ok beck
15 years ago
example spamd rules should be "pass in";
15 years ago
sync the spamd example to that used in spamd(8); ok beck
15 years ago
add back sample spamd(8) rules, converted appropriately; ok henning@
15 years ago
A newruleset that contains actual blocks people can use if they uncomment them. this is no longer a sample. everything in here now must be completely legit. discussed at length with henning, claudio, and sthen ok sthen
15 years ago
Add comments, mostly borrowed from ftp-proxy(8), showing how to set up up. Improved & OK'd by dhartmei@, david@, millert@.
21 years ago
A newruleset that contains actual blocks people can use if they uncomment them. this is no longer a sample. everything in here now must be completely legit. discussed at length with henning, claudio, and sthen ok sthen
15 years ago
Change the default PF policy to "block return", including x11 as suggested by naddy@. This solves the problem that occurs when a server crashes or is hard booted and comes back up without tearing down any connections to it, and packets from these connections don't match any existing state or rule and are silenty dropped. ok phessler@ henning@ claudio@ dlg@
10 years ago
 
  1. #	$OpenBSD: pf.conf,v 1.53 2014/01/25 10:28:36 dtucker Exp $
  2. #
  3. # See pf.conf(5) for syntax and examples.
  4. # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
  5. # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
  6. 

  7. # increase default state limit from 10'000 states on busy systems
  8. #set limit states 100000
  9. 

  10. set skip on lo
  11. 

  12. # filter rules and anchor for ftp-proxy(8)
  13. #anchor "ftp-proxy/*"
  14. #pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
  15. 

  16. # anchor for relayd(8)
  17. #anchor "relayd/*"
  18. 

  19. block return	# block stateless traffic
  20. pass		# establish keep-state
  21. 

  22. # rules for spamd(8)
  23. #table <spamd-white> persist
  24. #table <nospamd> persist file "/etc/mail/nospamd"
  25. #pass in on egress proto tcp from any to any port smtp \
  26. #    rdr-to 127.0.0.1 port spamd
  27. #pass in on egress proto tcp from <nospamd> to any port smtp
  28. #pass in log on egress proto tcp from <spamd-white> to any port smtp
  29. #pass out log on egress proto tcp to any port smtp
  30. 

  31. 

  32. #block in quick from urpf-failed to any	# use with care
  33. 

  34. # By default, do not permit remote connections to X11
  35. block return in on ! lo0 proto tcp to port 6000:6010