From 49f512458d9b3176d5fcaa8621c87ef7f530c5c5 Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Wed, 16 Jul 2014 12:46:16 +0000
Subject: [PATCH] create examples/pf.conf which is a clone of the existing file. Now the existing file can start losing... examples...
---
src/etc/Makefile | 4 ++--
src/etc/examples/pf.conf | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+), 2 deletions(-)
create mode 100644 src/etc/examples/pf.conf
diff --git a/src/etc/Makefile b/src/etc/Makefile
index fa73b335..2c04132c 100644
--- a/src/etc/Makefile
+++ b/src/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.378 2014/07/16 12:25:52 deraadt Exp $
+# $OpenBSD: Makefile,v 1.379 2014/07/16 12:46:16 deraadt Exp $
 TZDIR= /usr/share/zoneinfo
 LOCALTIME= Canada/Mountain
@@ -45,7 +45,7 @@ EXAMPLES=chio.conf dhcpd.conf exports ftpchroot hosts.lpd ifstated.conf \
 sensorsd.conf
 EXAMPLES_600=bgpd.conf dvmrpd.conf hostapd.conf iked.conf ipsec.conf \
- ldapd.conf ldpd.conf ospf6d.conf ospfd.conf rc.local \
+ ldapd.conf ldpd.conf ospf6d.conf ospfd.conf pf.conf rc.local \
 rc.securelevel rc.shutdown relayd.conf ripd.conf \
 sasyncd.conf snmpd.conf ypldap.conf
diff --git a/src/etc/examples/pf.conf b/src/etc/examples/pf.conf
new file mode 100644
index 00000000..6cb9c925
--- /dev/null
+++ b/src/etc/examples/pf.conf
@@ -0,0 +1,35 @@
+# $OpenBSD: pf.conf,v 1.1 2014/07/16 12:46:16 deraadt Exp $
+#
+# See pf.conf(5) for syntax and examples.
+# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
+# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
+
+# increase default state limit from 10'000 states on busy systems
+#set limit states 100000
+
+set skip on lo
+
+# filter rules and anchor for ftp-proxy(8)
+#anchor "ftp-proxy/*"
+#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
+
+# anchor for relayd(8)
+#anchor "relayd/*"
+
+block return # block stateless traffic
+pass # establish keep-state
+
+# rules for spamd(8)
+#table persist
+#table persist file "/etc/mail/nospamd"
+#pass in on egress proto tcp from any to any port smtp \
+# rdr-to 127.0.0.1 port spamd
+#pass in on egress proto tcp from to any port smtp
+#pass in log on egress proto tcp from to any port smtp
+#pass out log on egress proto tcp to any port smtp
+
+
+#block in quick from urpf-failed to any # use with care
+
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
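Review bot: The spamd examples `#table persist`, `#table persist file "/etc/mail/nospamd"` and the two `from to any port smtp` rules carry no table name or source address as shown here, so uncommenting them as-is would not parse under pf.conf(5); this is most likely the angle-bracket table names being dropped by the rendering rather than absent from the file, but it is worth confirming against the committed copy. The `block return` / `pass` pair would also benefit from a comment for readers who do not know that pf applies the last matching rule, e.g. `# last matching rule wins: the bare "pass" below makes the default policy allow-all with state; add block rules after it to tighten`. As written, only the final X11 rule narrows that default, and only for TCP ports 6000:6010 arriving on interfaces other than lo0.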