151d945da1
Disallow the _pbuild user from making TCP/UDP connections in the default
PF ruleset. This is not a complete block on _pbuild being able to communicate
(e.g. non-TCP/UDP protocols don't have a PCB with userid, so PF can't restrict
in those cases) but avoids some cases, and in particular makes it more obvious
when a port does things like download extra distfiles or dependencies
as part of the build process. Slight tweak from a diff by espie@.
6 years ago
eb0d2e879c
Shrink this to the minimum, but reference /etc/examples/pf.conf
(someone should really sit down and flesh out the examples)
9 years ago
65f45be470
Change the default PF policy to "block return", including x11 as
suggested by naddy@. This solves the problem that occurs when a
server crashes or is hard booted and comes back up without tearing
down any connections to it, and packets from these connections don't
match any existing state or rule and are silenty dropped.
ok phessler@ henning@ claudio@ dlg@
10 years ago
2c9096e015
Add a 'block' rule prior to the state creating 'pass' rule. This
way, TCP packets of e.g. timed out states are blocked rather than
passed by the implicit default pass rule.
sthen@ benno@ phessler@ mikeb@ agrees
11 years ago
d42b8f001d
Give an example of how to increase the state limit. The 10k limit is too
small for production servers now that pf is on by default.
OK phessler@
11 years ago
e62dcde8f1
ftp-proxy(8) now requires a divert-to rule
13 years ago
8926748cfe
sync the spamd example to that used in spamd(8); ok beck
14 years ago
be61e5ff1e
This sample ruleset does not use require-order to mix NAT/rdr
and filter rules, because we no longer have translation rules.
Pointed out by Mitja Muzenic, ok henning@
15 years ago
fe69db5037
example spamd rules should be "pass in";
15 years ago
3b9317d2be
add back sample spamd(8) rules, converted appropriately; ok henning@
15 years ago
53b0c693a8
todd reminded me we need to adjust this too
15 years ago
48f192013c
pf should block the port range allocated by net.inet.tcp.baddynamic
for the X protocol instead of port 6000 only; this way pf provides
the same protection level to all X servers.
ok sthen@; "I am convinced that 6000-6010 is acceptable for blocking
in pf" deraadt@, "i'd thought of something similar" oga@
15 years ago
ac5fbf22da
shorter, ok theo
15 years ago
d7adfd4c39
we want pass, not pass in, so we get state for all connections
15 years ago
09645d2e86
remove "set require-order no", it is now the default
15 years ago
51536ef695
do NOT set defaults to their default here
15 years ago
f5ea88b947
reassembly works different now
15 years ago
0711e612f8
A newruleset that contains actual blocks people can use if they
uncomment them. this is no longer a sample. everything in here now
must be completely legit.
discussed at length with henning, claudio, and sthen
ok sthen
15 years ago
56ae4f8c5c
now we also need the anchor "relayd/*" in addition to the rdr-anchor.
ok pyr@
16 years ago
32376d92a9
no more /usr/share/pf; pointed out by Rod Whitworth
16 years ago
78458012a0
add configuration examples to the default pf.conf file (commented out):
- rdr-anchor "relayd/*": the anchor used by relayd to load
redirections into pf.
- pass in on $ext_if proto icmp to ($ext_if): it is a bad habit to
block icmp, this example proposes to allow it by default.
ok henning@
16 years ago
46a97d1ae5
Make greylisting the default when spamd is enabled. Uses the new -g flag
for spamd-setup. OK beck@
17 years ago
babbfc38a2
kill extra spaces
17 years ago
760e51f118
'keep state' is now default, and use 'no state' where intended.
17 years ago
3cf5340b3f
update for new ftp-proxy
ok henning@
18 years ago
04bf0512a4
set skip is no good idea on int_if in this sample rulseset that also
has a rdo on $int_if that stops working then. pt out by cedric
18 years ago
ef67ad380f
replace the "pass quick" example line for loopback and the inner interface
with a set skip statement to the same effect, performs way better
suggested by Stuart Henderson <stu@spacehopper.org>, theo ok
19 years ago
5547b93a93
reminder to set net.inet.ip.forwarding/net.inet6.ip6.forwarding in sysctl.conf
ok cedric@ mcbride@
20 years ago
14c0336a4c
Simplify pf.conf, provide sample rules for greylisting.
ok beck@, input from many.
20 years ago
fda326318f
add src.track timeout and src-nodes limit
ok mcbride@
20 years ago
eebf3f2766
sync pf.conf example with spamd(8); ok deraadt@
20 years ago
742ce61867
put back lo1
requested by deraadt@
20 years ago
855b474699
lo1 no longer exists by default so don't try to use it in examples
ok henning@
20 years ago
5025a25326
add a commented out 'set debug' default
ok henning@
20 years ago
ed70c0f4b6
add set fingerprints example
ok deraadt@ henning@ frantzen@
21 years ago
8d7c4c7618
add adaptive, interval, and frag timeouts to pf.conf and BNF
ok henning@ dhartmei@
21 years ago
3b31fc2963
Add comments, mostly borrowed from ftp-proxy(8), showing how to set up up.
Improved & OK'd by dhartmei@, david@, millert@.
21 years ago
3b49da05c9
remove extra #
ok henning@
21 years ago
71938e28eb
much-needed update to include examples for all seven types of statements
queueing and table examples are from the fosdem2k3 presentation
spamd rdr simplification from henning@
ok dhartmei@ henning@
21 years ago
c4d2b0fea7
spamd now uses tables (these load MUCH faster on my ss2); ok deraadt
21 years ago
e704f94eb4
#set limit states unlimited -> 10000, as unlimited is not valid syntax.
21 years ago
4fccd6e031
default optimization is "normal", not "default"
21 years ago
e4642529fb
missing }
21 years ago
f4d17cceb7
-list options with default values
-correct order
-various spelling/grammar/consistency
from David Krause with feedback from dhartmei@
21 years ago
ad4f9c1261
sample spamd stuff
21 years ago
705f4b5a8c
indent so it is more clear, add spews thing
21 years ago
36e2191245
kill whitespace at EOL; David Krause
21 years ago
2db7b27853
make the example parseable (quotes around macros)
from sam smith, thx
henning@ ok
21 years ago
855d71f721
Use macros in sample file, ok dhartmei@
21 years ago
fd9be05b82
spell.
22 years ago
sthen