From 65f45be4705652b2bd57b52dd58f1aa63838baa9 Mon Sep 17 00:00:00 2001
From: dtucker <>
Date: Sat, 25 Jan 2014 10:28:36 +0000
Subject: [PATCH] Change the default PF policy to "block return", including x11 as suggested by naddy@. This solves the problem that occurs when a server crashes or is hard booted and comes back up without tearing down any connections to it, and packets from these connections don't match any existing state or rule and are silenty dropped. ok phessler@ henning@ claudio@ dlg@
---
 src/etc/pf.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/etc/pf.conf b/src/etc/pf.conf
index 963bd28e..db7d99f2 100644
--- a/src/etc/pf.conf
+++ b/src/etc/pf.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $
+# $OpenBSD: pf.conf,v 1.53 2014/01/25 10:28:36 dtucker Exp $
 #
 # See pf.conf(5) for syntax and examples.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
@@ -16,7 +16,7 @@ set skip on lo
 # anchor for relayd(8)
 #anchor "relayd/*"
 
-block # block stateless traffic
+block return # block stateless traffic
 pass # establish keep-state
 
 # rules for spamd(8)
@@ -32,4 +32,4 @@ pass # establish keep-state
 #block in quick from urpf-failed to any # use with care
 
 # By default, do not permit remote connections to X11
-block in on ! lo0 proto tcp to port 6000:6010
+block return in on ! lo0 proto tcp to port 6000:6010
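Review bot: The inline comment on the new default rule still reads only `# block stateless traffic`, and it no longer conveys the behaviour that actually changed: with `return`, pf answers a blocked TCP packet with a RST and other blocked packets with an ICMP unreachable rather than dropping them silently, which is the externally observable difference this commit introduces. Since this is the shipped default that many installs never touch, the comment should say so, e.g. `block return	# block stateless traffic, answer with RST/ICMP unreachable`, so an administrator reading the file understands why the host now responds to unsolicited packets and that a plain `block` remains available where a silent drop is preferred. The same applies to the X11 rule in the third hunk, whose comment only says remote X11 connections are not permitted.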