From 2aaf6a8706d7d7530777412191744b61799568d5 Mon Sep 17 00:00:00 2001
From: henning <>
Date: Sat, 19 Apr 2014 16:07:09 +0000
Subject: [PATCH] use "!received-on any" to absolutely ensure that we're not forwarding carp, rpc or nfs traffic in the initial ruleset active during network startup for a short time (or a much longer time if /etc/pf.conf is screwed up). ok phessler
---
 src/etc/rc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/etc/rc b/src/etc/rc
index eb7d7c74..599e99d1 100644
--- a/src/etc/rc
+++ b/src/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.423 2014/03/15 22:13:36 sthen Exp $
+# $OpenBSD: rc,v 1.424 2014/04/19 16:07:09 henning Exp $
 
 # System startup script run by init on autoboot
 # or after single-user.
@@ -336,13 +336,14 @@ if [ X"${pf}" != X"NO" ]; then
 RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
 RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
 fi
- RULES="$RULES\npass proto carp keep state (no-sync)"
+ RULES="$RULES\npass in proto carp keep state (no-sync)"
+ RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)"
 case `sysctl vfs.mounts.nfs 2>/dev/null` in
 *[1-9]*)
 # don't kill NFS
 RULES="set reassemble yes no-df\n$RULES"
 RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any"
- RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 }"
+ RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 } !received-on any"
 ;;
 esac
 echo $RULES | pfctl -f -
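Review bot: The no-forwarding guarantee in the second hunk is only per rule: `!received-on any` is added to the carp and the NFS/rpc `pass out` rules, while the neighbouring context line `pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server` stays unguarded, and the unchanged `pass in proto { tcp, udp } from any port { 111, 2049 } to any` still admits any inbound packet carrying that source port toward any destination, so a packet admitted by one `pass in` rule can still be forwarded through whichever unguarded `pass out` rule it happens to match. A single quick rule early in the bootstrap ruleset, `RULES="$RULES\nblock out quick received-on any"`, would make the invariant hold for the whole ruleset rather than rule by rule, including any `pass out` someone appends later; it would be worth a quick check that nothing in the boot path depends on re-injected packets that carry a receiving interface. If per-rule guards are kept instead, a comment beside the new carp rule saying that host-originated packets have no receiving interface, which is presumably why `!received-on any` matches only locally generated traffic and why the carp rule is split into `pass in` and `pass out`, would help the next reader. The enclosing `if [ X"${pf}" != X"NO" ]` block and the first RULES assignments are outside this hunk.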