Default branch: MAIN
Revision 1.55, Sun Dec 3 20:40:04 2017 UTC (6 years, 5 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3, HEAD
Changes since 1.54: +4 -1 lines
Disallow the _pbuild user from making TCP/UDP connections in the default PF ruleset. This is not a complete block on _pbuild being able to communicate (e.g. non-TCP/UDP protocols don't have a PCB with userid, so PF can't restrict in those cases) but avoids some cases, and in particular makes it more obvious when a port does things like download extra distfiles or dependencies as part of the build process. Slight tweak from a diff by espie@.
Revision 1.54, Sat Aug 23 05:49:42 2014 UTC (9 years, 8 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2, OPENBSD_6_1_BASE, OPENBSD_6_1, OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9, OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.53: +2 -26 lines
Shrink this to the minimum, but reference /etc/examples/pf.conf (someone should really sit down and flesh out the examples)
Revision 1.53, Sat Jan 25 10:28:36 2014 UTC (10 years, 3 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6, OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.52: +3 -3 lines
Change the default PF policy to "block return", including x11 as suggested by naddy@. This solves the problem that occurs when a server crashes or is hard booted and comes back up without tearing down any connections to it, and packets from these connections don't match any existing state or rule and are silently dropped. ok phessler@ henning@ claudio@ dlg@
Revision 1.52, Wed Feb 13 23:11:14 2013 UTC (11 years, 3 months ago) by halex
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.51: +3 -2 lines
Add a 'block' rule prior to the state creating 'pass' rule. This way, TCP packets of e.g. timed out states are blocked rather than passed by the implicit default pass rule. sthen@ benno@ phessler@ mikeb@ agrees
Revision 1.51, Sat Jan 26 17:12:21 2013 UTC (11 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.50: +4 -1 lines
Give an example of how to increase the state limit. The 10k limit is too small for production servers now that pf is on by default. OK phessler@
Revision 1.50, Thu Apr 28 00:19:42 2011 UTC (13 years ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.49: +2 -2 lines
ftp-proxy(8) now requires a divert-to rule
Revision 1.49, Thu Sep 17 06:39:03 2009 UTC (14 years, 8 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9, OPENBSD_4_8_BASE, OPENBSD_4_8, OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.48: +4 -3 lines
sync the spamd example to that used in spamd(8); ok beck
Revision 1.48, Fri Sep 11 13:21:00 2009 UTC (14 years, 8 months ago) by sthen
Branch: MAIN
Changes since 1.47: +2 -3 lines
This sample ruleset does not use require-order to mix NAT/rdr and filter rules, because we no longer have translation rules. Pointed out by Mitja Muzenic, ok henning@
Revision 1.47, Mon Sep 7 09:48:38 2009 UTC (14 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.46: +5 -4 lines
example spamd rules should be "pass in";
Revision 1.46, Tue Sep 1 14:45:32 2009 UTC (14 years, 8 months ago) by todd
Branch: MAIN
Changes since 1.45: +9 -1 lines
add back sample spamd(8) rules, converted appropriately; ok henning@
Revision 1.45, Tue Sep 1 13:51:19 2009 UTC (14 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.44: +4 -15 lines
todd reminded me we need to adjust this too
Revision 1.44, Wed Jun 10 15:29:34 2009 UTC (14 years, 11 months ago) by sobrado
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.43: +2 -2 lines
pf should block the port range allocated by net.inet.tcp.baddynamic for the X protocol instead of port 6000 only; this way pf provides the same protection level to all X servers. ok sthen@; "I am convinced that 6000-6010 is acceptable for blocking in pf" deraadt@, "i'd thought of something similar" oga@
Revision 1.43, Sat May 30 22:18:15 2009 UTC (14 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.42: +2 -2 lines
shorter, ok theo
Revision 1.42, Sat May 30 22:15:20 2009 UTC (14 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.41: +2 -2 lines
we want pass, not pass in, so we get state for all connections
Revision 1.41, Sun Apr 26 12:32:48 2009 UTC (15 years ago) by sthen
Branch: MAIN
Changes since 1.40: +1 -2 lines
remove "set require-order no", it is now the default
Revision 1.40, Mon Apr 20 20:21:41 2009 UTC (15 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.39: +1 -2 lines
do NOT set defaults to their default here
Revision 1.39, Mon Apr 6 12:10:10 2009 UTC (15 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.38: +2 -2 lines
reassembly works differently now
Revision 1.38, Mon Feb 23 01:18:36 2009 UTC (15 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.37: +24 -25 lines
A new ruleset that contains actual blocks people can use if they uncomment them. this is no longer a sample. everything in here now must be completely legit. discussed at length with henning, claudio, and sthen; ok sthen
Revision 1.37, Fri May 9 06:04:08 2008 UTC (16 years ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.36: +2 -1 lines
now we also need the anchor "relayd/*" in addition to the rdr-anchor. ok pyr@
Revision 1.36, Wed Apr 2 05:05:25 2008 UTC (16 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.35: +2 -2 lines
no more /usr/share/pf; pointed out by Rod Whitworth
Revision 1.35, Fri Feb 29 17:04:55 2008 UTC (16 years, 2 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.34: +3 -1 lines
add configuration examples to the default pf.conf file (commented out):
- rdr-anchor "relayd/*": the anchor used by relayd to load redirections into pf.
- pass in on $ext_if proto icmp to ($ext_if): it is a bad habit to block icmp, this example proposes to allow it by default.
ok henning@
Revision 1.34, Sat Feb 24 19:30:59 2007 UTC (17 years, 2 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.33: +3 -5 lines
Make greylisting the default when spamd is enabled. Uses the new -g flag for spamd-setup. OK beck@
Revision 1.33, Tue Oct 24 16:33:21 2006 UTC (17 years, 6 months ago) by david
Branch: MAIN
Changes since 1.32: +3 -3 lines
kill extra spaces
Revision 1.32, Sat Oct 7 01:50:22 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.31: +6 -6 lines
'keep state' is now default, and use 'no state' where intended.
Revision 1.31, Mon Jan 30 12:20:31 2006 UTC (18 years, 3 months ago) by camield
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0, OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.30: +4 -2 lines
update for new ftp-proxy ok henning@
Revision 1.30, Thu Jan 26 12:44:59 2006 UTC (18 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.29: +3 -2 lines
set skip is no good idea on int_if in this sample ruleset that also has a rdo on $int_if that stops working then. pt out by cedric
Revision 1.29, Tue Aug 23 02:52:58 2005 UTC (18 years, 8 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.28: +3 -2 lines
replace the "pass quick" example line for loopback and the inner interface with a set skip statement to the same effect, performs way better suggested by Stuart Henderson <stu@spacehopper.org>, theo ok
Revision 1.28, Thu Apr 29 21:03:09 2004 UTC (20 years ago) by frantzen
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7, OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.27: +3 -1 lines
reminder to set net.inet.ip.forwarding/net.inet6.ip6.forwarding in sysctl.conf ok cedric@ mcbride@
Revision 1.27, Tue Mar 2 20:13:55 2004 UTC (20 years, 2 months ago) by cedric
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.26: +22 -72 lines
Simplify pf.conf, provide sample rules for greylisting. ok beck@, input from many.
Revision 1.26, Thu Feb 26 22:11:11 2004 UTC (20 years, 2 months ago) by david
Branch: MAIN
Changes since 1.25: +3 -3 lines
add src.track timeout and src-nodes limit ok mcbride@
Revision 1.25, Thu Jan 29 18:54:29 2004 UTC (20 years, 3 months ago) by todd
Branch: MAIN
Changes since 1.24: +2 -2 lines
sync pf.conf example with spamd(8); ok deraadt@
Revision 1.24, Fri Dec 5 21:23:27 2003 UTC (20 years, 5 months ago) by david
Branch: MAIN
Changes since 1.23: +2 -2 lines
put back lo1 requested by deraadt@
Revision 1.23, Fri Dec 5 20:55:02 2003 UTC (20 years, 5 months ago) by david
Branch: MAIN
Changes since 1.22: +2 -2 lines
lo1 no longer exists by default so don't try to use it in examples ok henning@
Revision 1.22, Tue Nov 18 21:26:51 2003 UTC (20 years, 6 months ago) by david
Branch: MAIN
Changes since 1.21: +2 -1 lines
add a commented out 'set debug' default ok henning@
Revision 1.21, Tue Sep 2 20:38:44 2003 UTC (20 years, 8 months ago) by david
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.20: +2 -1 lines
add set fingerprints example ok deraadt@ henning@ frantzen@
Revision 1.20, Tue Jun 17 21:48:10 2003 UTC (20 years, 11 months ago) by david
Branch: MAIN
Changes since 1.19: +3 -2 lines
add adaptive, interval, and frag timeouts to pf.conf and BNF ok henning@ dhartmei@
Revision 1.19, Mon Mar 24 01:47:28 2003 UTC (21 years, 2 months ago) by ian
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Changes since 1.18: +8 -1 lines
Add comments, mostly borrowed from ftp-proxy(8), showing how to set it up. Improved & OK'd by dhartmei@, david@, millert@.
Revision 1.18, Tue Mar 11 10:11:59 2003 UTC (21 years, 2 months ago) by david
Branch: MAIN
Changes since 1.17: +2 -2 lines
remove extra # ok henning@
Revision 1.17, Fri Feb 28 00:34:13 2003 UTC (21 years, 2 months ago) by david
Branch: MAIN
Changes since 1.16: +27 -9 lines
much-needed update to include examples for all seven types of statements; queueing and table examples are from the fosdem2k3 presentation; spamd rdr simplification from henning@; ok dhartmei@ henning@
Revision 1.16, Fri Feb 14 00:34:14 2003 UTC (21 years, 3 months ago) by jason
Branch: MAIN
Changes since 1.15: +4 -3 lines
spamd now uses tables (these load MUCH faster on my ss2); ok deraadt
Revision 1.15, Mon Dec 30 23:17:54 2002 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.14: +2 -2 lines
#set limit states unlimited -> 10000, as unlimited is not valid syntax.
Revision 1.14, Mon Dec 23 17:34:45 2002 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.13: +2 -2 lines
default optimization is "normal", not "default"
Revision 1.13, Mon Dec 23 17:32:27 2002 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.12: +2 -2 lines
missing }
Revision 1.12, Mon Dec 23 11:47:52 2002 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.11: +29 -17 lines
- list options with default values
- correct order
- various spelling/grammar/consistency from David Krause with feedback from dhartmei@
Revision 1.11, Sat Dec 21 03:02:40 2002 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.10: +5 -3 lines
sample spamd stuff
Revision 1.10, Thu Dec 19 00:06:29 2002 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.9: +12 -13 lines
indent so it is more clear, add spews thing
Revision 1.9, Fri Dec 13 10:20:25 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.8: +3 -3 lines
kill whitespace at EOL; David Krause
Revision 1.8, Sun Nov 24 19:56:45 2002 UTC (21 years, 5 months ago) by pb
Branch: MAIN
Changes since 1.7: +4 -4 lines
make the example parseable (quotes around macros) from sam smith, thx henning@ ok
Revision 1.7, Sat Nov 16 12:55:22 2002 UTC (21 years, 6 months ago) by ian
Branch: MAIN
Changes since 1.6: +14 -12 lines
Use macros in sample file, ok dhartmei@
Revision 1.6, Thu Jun 27 07:00:43 2002 UTC (21 years, 10 months ago) by fgsch
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.5: +3 -3 lines
spell.
Revision 1.5, Sat Jun 22 10:19:13 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.4: +6 -3 lines
add a commented out scrub example ok frantzen@
Revision 1.4, Mon Jun 17 08:07:58 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.3: +27 -2 lines
merge nat.conf here as well; add more simple filter rule examples; "commit it" deraadt@
Revision 1.3, Fri Nov 16 22:53:24 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.2: +2 -2 lines
The implicit pass rules come first, not last. Spotted by alec@dtkco.com.
Revision 1.2, Tue Jun 26 22:58:31 2001 UTC (22 years, 10 months ago) by smart
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE, OPENBSD_3_0
Changes since 1.1: +2 -2 lines
Point to pf.conf(5) and nat.conf(5) for help
Revision 1.1, Tue Jun 26 16:52:39 2001 UTC (22 years, 10 months ago) by kjell
Branch: MAIN
change default pf configuration files to pf.conf and nat.conf. ok theo