|
|
@ -1,4 +1,4 @@ |
|
|
# $OpenBSD: rc,v 1.510 2017/07/17 18:37:42 rpe Exp $ |
|
|
|
|
|
|
|
|
# $OpenBSD: rc,v 1.511 2017/07/17 18:52:26 rpe Exp $ |
|
|
|
|
|
|
|
|
# System startup script run by init on autoboot or after single-user. |
|
|
# System startup script run by init on autoboot or after single-user. |
|
|
# Output and error are redirected to console by init, and the console is the |
|
|
# Output and error are redirected to console by init, and the console is the |
|
|
@ -399,14 +399,14 @@ wsconsctl_conf |
|
|
|
|
|
|
|
|
# Set initial temporary pf rule set. |
|
|
# Set initial temporary pf rule set. |
|
|
if [[ $pf != NO ]]; then |
|
|
if [[ $pf != NO ]]; then |
|
|
RULES=' |
|
|
|
|
|
|
|
|
RULES=" |
|
|
block all |
|
|
block all |
|
|
pass on lo0 |
|
|
pass on lo0 |
|
|
pass in proto tcp from any to any port ssh keep state |
|
|
pass in proto tcp from any to any port ssh keep state |
|
|
pass out proto { tcp, udp } from any to any port domain keep state |
|
|
pass out proto { tcp, udp } from any to any port domain keep state |
|
|
pass out inet proto icmp all icmp-type echoreq keep state |
|
|
pass out inet proto icmp all icmp-type echoreq keep state |
|
|
pass out inet proto udp from any port bootpc to any port bootps |
|
|
pass out inet proto udp from any port bootpc to any port bootps |
|
|
pass in inet proto udp from any port bootps to any port bootpc' |
|
|
|
|
|
|
|
|
pass in inet proto udp from any port bootps to any port bootpc" |
|
|
|
|
|
|
|
|
if ifconfig lo0 inet6 >/dev/null 2>&1; then |
|
|
if ifconfig lo0 inet6 >/dev/null 2>&1; then |
|
|
RULES="$RULES |
|
|
RULES="$RULES |
|
|
@ -422,13 +422,14 @@ if [[ $pf != NO ]]; then |
|
|
pass in proto carp keep state (no-sync) |
|
|
pass in proto carp keep state (no-sync) |
|
|
pass out proto carp !received-on any keep state (no-sync)" |
|
|
pass out proto carp !received-on any keep state (no-sync)" |
|
|
|
|
|
|
|
|
# Don't kill NFS. |
|
|
|
|
|
if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then |
|
|
if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then |
|
|
|
|
|
# Don't kill NFS. |
|
|
RULES="set reassemble yes no-df |
|
|
RULES="set reassemble yes no-df |
|
|
$RULES |
|
|
$RULES |
|
|
pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any |
|
|
pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any |
|
|
pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" |
|
|
pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
print -- "$RULES" | pfctl -f - |
|
|
print -- "$RULES" | pfctl -f - |
|
|
pfctl -e |
|
|
pfctl -e |
|
|
fi |
|
|
fi |
|
|
|
rpe
7 years ago