From 151d945da182469f20cd58556aed2ea3bc7f469c Mon Sep 17 00:00:00 2001
From: sthen <>
Date: Sun, 3 Dec 2017 20:40:04 +0000
Subject: [PATCH] Disallow the _pbuild user from making TCP/UDP connections in the default PF ruleset. This is not a complete block on _pbuild being able to communicate (e.g. non-TCP/UDP protocols don't have a PCB with userid, so PF can't restrict in those cases) but avoids some cases, and in particular makes it more obvious when a port does things like download extra distfiles or dependencies as part of the build process. Slight tweak from a diff by espie@.
---
 src/etc/pf.conf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/etc/pf.conf b/src/etc/pf.conf
index 011336cb..ecf2183c 100644
--- a/src/etc/pf.conf
+++ b/src/etc/pf.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
+# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
 #
 # See pf.conf(5) and /etc/examples/pf.conf
@@ -9,3 +9,6 @@ pass # establish keep-state
 
 # By default, do not permit remote connections to X11
 block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
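Review bot: The comment above the new `block return out log proto {tcp udp} user _pbuild` rule does not record the two constraints a later editor needs to know: PF's `user` option only matches TCP/UDP sockets owned locally by that user (the commit message itself notes other protocols carry no owning PCB), and with last-match-wins evaluation the rule only takes effect because it sits below the `pass` rule, so moving it above or adding a `quick` pass later would silently re-open the network for builds. Suggest `# Port build user does not need network (matches only locally owned TCP/UDP sockets; keep below the pass rule so it overrides it)`. If the ruleset still carries a `set skip on lo` earlier in the file (not visible in this hunk), loopback connections from _pbuild, e.g. to a local proxy, are also unaffected and could be mentioned. The `log` keyword is what makes violating ports visible in pflog, which is worth stating in the comment as the intent, since `block return` alone would make a failed fetch look like an ordinary network error.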