
Diff for /src/etc/rc between version 1.509 and 1.510

version 1.509, 2017/07/17 18:16:14 version 1.510, 2017/07/17 18:37:42
Line 399 
Line 399 
   
 # Set initial temporary pf rule set.  # Set initial temporary pf rule set.
 if [[ $pf != NO ]]; then  if [[ $pf != NO ]]; then
         RULES="block all"          RULES='
         RULES="$RULES\npass on lo0"          block all
         RULES="$RULES\npass in proto tcp from any to any port ssh keep state"          pass on lo0
         RULES="$RULES\npass out proto { tcp, udp } from any to any port domain keep state"          pass in proto tcp from any to any port ssh keep state
         RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"          pass out proto { tcp, udp } from any to any port domain keep state
         RULES="$RULES\npass out inet proto udp from any port bootpc to any port bootps"          pass out inet proto icmp all icmp-type echoreq keep state
         RULES="$RULES\npass in inet proto udp from any port bootps to any port bootpc"          pass out inet proto udp from any port bootpc to any port bootps
           pass in inet proto udp from any port bootps to any port bootpc'
   
         if ifconfig lo0 inet6 >/dev/null 2>&1; then          if ifconfig lo0 inet6 >/dev/null 2>&1; then
                 RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol"                  RULES="$RULES
                 RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"                  pass out inet6 proto icmp6 all icmp6-type neighbrsol
                 RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"                  pass in inet6 proto icmp6 all icmp6-type neighbradv
                 RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"                  pass out inet6 proto icmp6 all icmp6-type routersol
                 RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"                  pass in inet6 proto icmp6 all icmp6-type routeradv
                 RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"                  pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server
                   pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
         fi          fi
         RULES="$RULES\npass in proto carp keep state (no-sync)"  
         RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)"          RULES="$RULES
           pass in proto carp keep state (no-sync)
           pass out proto carp !received-on any keep state (no-sync)"
   
           # Don't kill NFS.
         if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then          if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then
                 # Don't kill NFS.                  RULES="set reassemble yes no-df
                 RULES="set reassemble yes no-df\n$RULES"                  $RULES
                 RULES="$RULES\npass in proto { tcp, udp } from any port { sunrpc, nfsd } to any"                  pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
                 RULES="$RULES\npass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"                  pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"
         fi          fi
         print -- "$RULES" | pfctl -f -          print -- "$RULES" | pfctl -f -
         pfctl -e          pfctl -e
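Review bot: The rewritten RULES strings now carry literal newlines, so the `print -- "$RULES" | pfctl -f -` line just above no longer relies on print expanding `\n`; `print -r -- "$RULES" | pfctl -f -` would hand the rule text to pfctl verbatim and avoid print's backslash-escape processing ever altering a rule. The continuation lines inside the quoted strings retain their leading tabs, which pfctl's parser is expected to ignore, but a one-line comment such as `# leading whitespace inside the quoted rule text is ignored by pfctl` would make that deliberate rather than incidental. The `if [[ $pf != NO ]]` block these lines belong to closes outside the hunk.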
