version 1.446, 2014/12/03 20:13:49 |
version 1.447, 2015/01/22 19:00:24 |
|
|
if [ X"${pf}" != X"NO" ]; then |
if [ X"${pf}" != X"NO" ]; then |
RULES="block all" |
RULES="block all" |
RULES="$RULES\npass on lo0" |
RULES="$RULES\npass on lo0" |
RULES="$RULES\npass in proto tcp from any to any port 22 keep state" |
RULES="$RULES\npass in proto tcp from any to any port ssh keep state" |
RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep state" |
RULES="$RULES\npass out proto { tcp, udp } from any to any port domain keep state" |
RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state" |
RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state" |
RULES="$RULES\npass out inet proto udp from any port bootpc to any port bootps" |
RULES="$RULES\npass out inet proto udp from any port bootpc to any port bootps" |
RULES="$RULES\npass in inet proto udp from any port bootps to any port bootpc" |
RULES="$RULES\npass in inet proto udp from any port bootps to any port bootpc" |
|
|
*[1-9]*) |
*[1-9]*) |
# don't kill NFS |
# don't kill NFS |
RULES="set reassemble yes no-df\n$RULES" |
RULES="set reassemble yes no-df\n$RULES" |
RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any" |
RULES="$RULES\npass in proto { tcp, udp } from any port { sunrpc, nfsd } to any" |
RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 } !received-on any" |
RULES="$RULES\npass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" |
;; |
;; |
esac |
esac |
echo $RULES | pfctl -f - |
echo $RULES | pfctl -f - |
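Review bot: Replacing the numeric ports with service names (ssh, domain, sunrpc, nfsd) on the `pass` lines makes the ruleset depend on name resolution at parse time; if any of those names cannot be looked up on the install media, pfctl rejects the whole ruleset, and the `echo $RULES | pfctl -f -` pipeline at the end carries no status check, so the installer would carry on without the `block all` policy in place. I cannot see from this hunk whether the ramdisk ships an /etc/services containing these entries, so treat this as a point to confirm rather than a known failure. A one-line guard would at least make a rejected ruleset visible: `echo $RULES | pfctl -f - || echo "pfctl: ruleset not loaded" >&2`. The enclosing if and case blocks start outside the hunk.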