"Travis H." <[EMAIL PROTECTED]> writes:
> Lots of things in the startup scripts will fail to work or hang
> indefinitely if you block outbound stuff. I find it necessary to
> allow at least outbound DNS in order for the machine to boot in
> reasonable time.
The OpenBSD /etc/rc has this code to initialize PF before any interfaces
are up:
if [ "X${pf}" != X"NO" ]; then
RULES="block all"
RULES="$RULES\npass on lo0"
RULES="$RULES\npass in proto tcp from any to any port 22 keep state"
RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep
state"
RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep
state"
if ifconfig lo0 inet6 >/dev/null 2>&1; then
RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
neighbrsol"
RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
neighbradv"
RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
routersol"
RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
routeradv"
fi
RULES="$RULES\npass proto { pfsync, carp }"
case `sysctl vfs.mounts.nfs 2>/dev/null` in
*[1-9]*)
# don't kill NFS
RULES="scrub in all no-df\n$RULES"
RULES="$RULES\npass in proto udp from any port { 111, 2049 } to
any"
RULES="$RULES\npass out proto udp from any to any port { 111,
2049 }"
;;
esac
echo $RULES | pfctl -f - -e
fi
- and after dealing with the contents of /etc/sysctl.conf and
/etc/mixerctl.conf,
# set hostname, turn on network
echo 'starting network'
. /etc/netstart
if [ "X${pf}" != X"NO" ]; then
if [ -f ${pf_rules} ]; then
pfctl -f ${pf_rules}
fi
fi
then of courrse the rest of what you expect from a startup script.
Which means essentially an empty or invalid pf.conf will leave you with
a system where you are able to log in, unless of course you managed to
break your network in other ways.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
