dtucker
65f45be470
Change the default PF policy to "block return", including x11 as
suggested by naddy@. This solves the problem that occurs when a
server crashes or is hard booted and comes back up without tearing
down any connections to it, and packets from these connections don't
match any existing state or rule and are silently dropped.
ok phessler@ henning@ claudio@ dlg@
10 years ago
halex
2c9096e015
Add a 'block' rule prior to the state creating 'pass' rule. This
way, TCP packets of e.g. timed out states are blocked rather than
passed by the implicit default pass rule.
sthen@ benno@ phessler@ mikeb@ agrees
11 years ago
claudio
d42b8f001d
Give an example of how to increase the state limit. The 10k limit is too
small for production servers now that pf is on by default.
OK phessler@
11 years ago
mikeb
e62dcde8f1
ftp-proxy(8) now requires a divert-to rule
13 years ago
jmc
8926748cfe
sync the spamd example to that used in spamd(8); ok beck
15 years ago
sthen
be61e5ff1e
This sample ruleset does not use require-order to mix NAT/rdr
and filter rules, because we no longer have translation rules.
Pointed out by Mitja Muzenic, ok henning@
15 years ago
jmc
fe69db5037
example spamd rules should be "pass in";
15 years ago
todd
3b9317d2be
add back sample spamd(8) rules, converted appropriately; ok henning@
15 years ago
henning
53b0c693a8
todd reminded me we need to adjust this too
15 years ago
sobrado
48f192013c
pf should block the port range allocated by net.inet.tcp.baddynamic
for the X protocol instead of port 6000 only; this way pf provides
the same protection level to all X servers.
ok sthen@; "I am convinced that 6000-6010 is acceptable for blocking
in pf" deraadt@, "i'd thought of something similar" oga@
15 years ago
henning
ac5fbf22da
shorter, ok theo
15 years ago
henning
d7adfd4c39
we want pass, not pass in, so we get state for all connections
15 years ago
sthen
09645d2e86
remove "set require-order no", it is now the default
15 years ago
deraadt
51536ef695
do NOT set defaults to their default here
15 years ago
henning
f5ea88b947
reassembly works differently now
15 years ago
deraadt
0711e612f8
A new ruleset that contains actual blocks people can use if they
uncomment them. This is no longer a sample. Everything in here now
must be completely legit.
discussed at length with henning, claudio, and sthen
ok sthen
15 years ago
reyk
56ae4f8c5c
now we also need the anchor "relayd/*" in addition to the rdr-anchor.
ok pyr@
16 years ago
jmc
32376d92a9
no more /usr/share/pf; pointed out by Rod Whitworth
16 years ago
reyk
78458012a0
add configuration examples to the default pf.conf file (commented out):
- rdr-anchor "relayd/*": the anchor used by relayd to load
redirections into pf.
- pass in on $ext_if proto icmp to ($ext_if): it is a bad habit to
block icmp, this example proposes to allow it by default.
ok henning@
16 years ago
millert
46a97d1ae5
Make greylisting the default when spamd is enabled. Uses the new -g flag
for spamd-setup. OK beck@
17 years ago
david
babbfc38a2
kill extra spaces
18 years ago
mcbride
760e51f118
'keep state' is now default, and use 'no state' where intended.
18 years ago
camield
3cf5340b3f
update for new ftp-proxy
ok henning@
19 years ago
henning
04bf0512a4
set skip is not a good idea on int_if in this sample ruleset that also
has a rdr on $int_if that stops working then. pt out by cedric
19 years ago
henning
ef67ad380f
replace the "pass quick" example line for loopback and the inner interface
with a set skip statement to the same effect, performs way better
suggested by Stuart Henderson <stu@spacehopper.org>, theo ok
19 years ago
frantzen
5547b93a93
reminder to set net.inet.ip.forwarding/net.inet6.ip6.forwarding in sysctl.conf
ok cedric@ mcbride@
20 years ago
cedric
14c0336a4c
Simplify pf.conf, provide sample rules for greylisting.
ok beck@, input from many.
20 years ago
david
fda326318f
add src.track timeout and src-nodes limit
ok mcbride@
20 years ago
todd
eebf3f2766
sync pf.conf example with spamd(8); ok deraadt@
21 years ago
david
742ce61867
put back lo1
requested by deraadt@
21 years ago
david
855b474699
lo1 no longer exists by default so don't try to use it in examples
ok henning@
21 years ago
david
5025a25326
add a commented out 'set debug' default
ok henning@
21 years ago
david
ed70c0f4b6
add set fingerprints example
ok deraadt@ henning@ frantzen@
21 years ago
david
8d7c4c7618
add adaptive, interval, and frag timeouts to pf.conf and BNF
ok henning@ dhartmei@
21 years ago
ian
3b31fc2963
Add comments, mostly borrowed from ftp-proxy(8), showing how to set it up.
Improved & OK'd by dhartmei@, david@, millert@.
21 years ago
david
3b49da05c9
remove extra #
ok henning@
21 years ago
david
71938e28eb
much-needed update to include examples for all seven types of statements
queueing and table examples are from the fosdem2k3 presentation
spamd rdr simplification from henning@
ok dhartmei@ henning@
22 years ago
jason
c4d2b0fea7
spamd now uses tables (these load MUCH faster on my ss2); ok deraadt
22 years ago
dhartmei
e704f94eb4
#set limit states unlimited -> 10000, as unlimited is not valid syntax.
22 years ago
henning
4fccd6e031
default optimization is "normal", not "default"
22 years ago
henning
e4642529fb
missing }
22 years ago
henning
f4d17cceb7
-list options with default values
-correct order
-various spelling/grammar/consistency
from David Krause with feedback from dhartmei@
22 years ago
deraadt
ad4f9c1261
sample spamd stuff
22 years ago
deraadt
705f4b5a8c
indent so it is more clear, add spews thing
22 years ago
henning
36e2191245
kill whitespace at EOL; David Krause
22 years ago
pb
2db7b27853
make the example parseable (quotes around macros)
from sam smith, thx
henning@ ok
22 years ago
ian
855d71f721
Use macros in sample file, ok dhartmei@
22 years ago
fgsch
fd9be05b82
spell.
22 years ago
henning
b06f8fd325
add a commented out scrub example
ok frantzen@
22 years ago
henning
7878b8988c
merge nat.conf here as well
add more simple filter rule examples
"commit it" deraadt@
22 years ago