From 50226e205590ff2a9d82a071156f546991569c13 Mon Sep 17 00:00:00 2001
From: Alex Kotov
Date: Wed, 30 Oct 2024 10:17:36 +0400
Subject: [PATCH] OpenBSD: pf

---
 files.sh            |  1 +
 openbsd/etc/pf.conf | 43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 openbsd/etc/pf.conf

diff --git a/files.sh b/files.sh
index fd957c4..098725c 100644
--- a/files.sh
+++ b/files.sh
@@ -54,6 +54,7 @@ fi
 if [ "$PREFIX" = 'openbsd' ]; then
 echo
 install_file openbsd root wheel 644 '/etc/man.conf'
+install_file openbsd root wheel 644 '/etc/pf.conf'
 install_dir root wheel 755 '/etc/profile.d'
 install_file openbsd root wheel 644 '/etc/profile.d/autotools.sh'
 install_file openbsd root wheel 644 '/etc/shells'
diff --git a/openbsd/etc/pf.conf b/openbsd/etc/pf.conf
new file mode 100644
index 0000000..fbe575c
--- /dev/null
+++ b/openbsd/etc/pf.conf
@@ -0,0 +1,43 @@
+# $OpenBSD: pf.conf,v 1.4 2018/07/10 19:28:35 henning Exp $
+#
+# See pf.conf(5) for syntax and examples.
+# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
+# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
+
+# increase default state limit from 100'000 states on busy systems
+#set limit states 500000
+
+set skip on lo
+
+# filter rules and anchor for ftp-proxy(8)
+#anchor "ftp-proxy/*"
+#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
+
+# anchor for relayd(8)
+#anchor "relayd/*"
+
+block return # block stateless traffic
+pass # establish keep-state
+
+# rules for spamd(8)
+#table persist
+#table persist file "/etc/mail/nospamd"
+#pass in on egress inet proto tcp from any to any port smtp \
+# divert-to 127.0.0.1 port spamd
+#pass in on egress proto tcp from to any port smtp
+#pass in log on egress proto tcp from to any port smtp
+#pass out log on egress proto tcp to any port smtp
+
+
+#block in quick from urpf-failed to any # use with care
+
+# rules for vmd(8) - NAT and DNS forwarding for VMs (100.64.0.0/10 default)
+pass out on egress from 100.64.0.0/10 to any nat-to (egress)
+pass in proto udp from 100.64.0.0/10 to any port domain \
+ rdr-to 1.1.1.1 port domain
+
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
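Review bot: The committed pf.conf keeps the stock default-allow policy — `block return` immediately followed by an unconditional `pass` — so every listening service on every interface is reachable from outside, the only inbound restriction being the X11 block on `6000:6010`; since this file is now tracked as the machine's intended configuration it is worth stating that choice explicitly, either with a comment above `pass` or by switching to `block return in`, `pass out`, and specific `pass in on egress proto tcp to port { ssh }` rules for whatever the host actually serves (which services those are is not visible here). The vmd(8) block is active unconditionally, so `pass in proto udp from 100.64.0.0/10 ... rdr-to 1.1.1.1 port domain` redirects all VM DNS to a third-party resolver even on a host that never runs vmd; if VMs are not in use, commenting those two lines out keeps the policy minimal. In the files.sh hunk the file is installed with mode 644, whereas OpenBSD base, if I recall correctly, ships /etc/pf.conf as root:wheel 0600 — worth confirming and matching so the firewall policy is not world-readable. As rendered here the commented spamd lines read `#table persist` and `from to any port smtp` with the angle-bracketed table names missing, which is probably a display artifact but should be checked in the committed file before anyone uncomments them.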