diff --git a/src/etc/pf.conf b/src/etc/pf.conf
index 233ac9a3..85ddbef7 100644
--- a/src/etc/pf.conf
+++ b/src/etc/pf.conf
@@ -1,36 +1,35 @@
-# $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
+# $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
 #
-# See pf.conf(5) for syntax and examples.
+# See pf.conf(5) for syntax and examples; this sample ruleset uses
+# require-order to permit mixing of NAT/RDR and filter rules.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
 
-#ext_if="ext0"
-#int_if="int0"
-
-#table persist
-
-#set skip on lo
-
-#scrub in
+set require-order no
+set skip on lo
+scrub in
 
+# NAT/filter rules and anchors for ftp-proxy(8)
 #nat-anchor "ftp-proxy/*"
 #rdr-anchor "ftp-proxy/*"
-#rdr-anchor "relayd/*"
-#nat on $ext_if from !($ext_if) -> ($ext_if:0)
-#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
-#no rdr on $ext_if proto tcp from to any port smtp
-#rdr pass on $ext_if proto tcp from any to any port smtp \
-# -> 127.0.0.1 port spamd
-
+#rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
 #anchor "ftp-proxy/*"
+#pass out proto tcp from $proxy to any port ftp
+
+# NAT/filter rules and anchors for relayd(8)
+#rdr-anchor "relayd/*"
 #anchor "relayd/*"
 
-#block in
-#pass out
-#pass quick on $int_if no state
-#antispoof quick for { lo $int_if }
+# NAT rules and anchors for spamd(8)
+#table persist
+#table persist file "/etc/mail/nospamd"
+#no rdr on egress proto tcp from to any port smtp
+#no rdr on egress proto tcp from to any port smtp
+#rdr pass on egress proto tcp from any to any port smtp -> 127.0.0.1 port spamd
+
+pass in # to establish keep-state
+
+#block in quick from urpf-failed to any # use with care
 
-#pass in on $ext_if proto icmp to ($ext_if)
-#pass in on $ext_if proto tcp to ($ext_if) port ssh
-#pass in log on $ext_if proto tcp to ($ext_if) port smtp
-#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
+# By default, do not permit remote connections to X11
+block in on ! lo0 proto tcp from any to any port 6000
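Review bot: The X11 rule that closes the hunk, `block in on ! lo0 proto tcp from any to any port 6000`, only covers display :0; further X servers listen on 6001 and up, so a range such as `port 6000:6010` would match the stated intent of the comment above it (unless the line is merely cut off on this page). Since the preceding `pass in` is an unconditional, stateful default-allow and the `urpf-failed` anti-spoof block stays commented out, the trailing note `# to establish keep-state` undersells what the rule does; a line such as `# default policy: allow all inbound (stateful); tighten on exposed hosts` above it would make the sample's posture explicit. The spamd lines as rendered, `#table persist` and the twice-listed `#no rdr on egress proto tcp from to any port smtp`, carry no table name between `table`/`from` and the rest of the rule — presumably angle-bracketed table references were lost in rendering, which is worth confirming against the committed file since the two `no rdr` lines are otherwise identical and would not parse as shown.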