
use "!received-on any" to absolutely ensure that we're not forwarding

carp, rpc or nfs traffic in the initial ruleset active during network
startup for a short time (or a much longer time if /etc/pf.conf is
screwed up). ok phessler
OPENBSD_5_6
henning 10 years ago
2aaf6a8706
1 changed files with 4 additions and 3 deletions
  1. +4
    -3
      src/etc/rc

+ 4
- 3
src/etc/rc View File

@ -1,4 +1,4 @@
# $OpenBSD: rc,v 1.423 2014/03/15 22:13:36 sthen Exp $
# $OpenBSD: rc,v 1.424 2014/04/19 16:07:09 henning Exp $
# System startup script run by init on autoboot # System startup script run by init on autoboot
# or after single-user. # or after single-user.
@ -336,13 +336,14 @@ if [ X"${pf}" != X"NO" ]; then
RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server" RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client" RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
fi fi
RULES="$RULES\npass proto carp keep state (no-sync)"
RULES="$RULES\npass in proto carp keep state (no-sync)"
RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)"
case `sysctl vfs.mounts.nfs 2>/dev/null` in case `sysctl vfs.mounts.nfs 2>/dev/null` in
*[1-9]*) *[1-9]*)
# don't kill NFS # don't kill NFS
RULES="set reassemble yes no-df\n$RULES" RULES="set reassemble yes no-df\n$RULES"
RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any" RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any"
RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 }"
RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 } !received-on any"
;; ;;
esac esac
echo $RULES | pfctl -f - echo $RULES | pfctl -f -
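Review bot: The intent behind `!received-on any` on the new carp and NFS `pass out` rules is only recoverable from the commit message, so a short comment above the carp rules would help the next reader who has to touch this bootstrap ruleset: `# bootstrap ruleset: "!received-on any" matches only packets originating on this host, so nothing is forwarded before /etc/pf.conf is loaded`. The `pass in` NFS rule on the line above the changed one is untouched and still matches any inbound tcp/udp packet by source port 111/2049 alone, so the forwarding guarantee rests entirely on the outbound rules; it may be worth stating that in the same comment. The `if [ X"${pf}" != X"NO" ]` block that wraps these rules, and the `case` on `sysctl vfs.mounts.nfs`, begin before the hunk and the block ends after it.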

