It might be a fun idea to share what a really locked down desktop system
pf.conf would look like if you are running a chain of DNS services (or
something that would be good to tightly control) like local ntpd, unbound,
and dnscrypt_proxy where you have local traffic locked down as well so that
an aberrant process or even root cannot connect to the local ports and
services, e.g.:

pass out quick on lo0 proto {tcp, udp} from self to any port 53 user {peter, _ntpd}
block out log quick on lo0 proto {tcp, udp} from self to any port 53
pass in quick on lo0 proto {tcp, udp} from any to self port 53 user _unbound
block in log quick on lo0 proto {tcp, udp} from any to self port 53
pass out quick on lo0 proto {tcp, udp} from self to any port 40 user _unbound
block out log quick on lo0 proto {tcp, udp} from self to any port 40
pass in quick on lo0 proto {tcp, udp} from any to self port 40 user _dnscrypt_proxy
block in log quick on lo0 proto {tcp, udp} from any to self port 40
pass out quick on egress proto {tcp, udp} from self to any port 53 user _dnscrypt_proxy
block out log quick on egress proto {tcp, udp} from self to any port 53

Maybe there is a similar case that can be made, possibly with a reverse
http proxy setup that would make more sense for security in the case that a
vulnerability is discovered.
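
The rules above, modelled as a first-match table so the resulting policy can be checked per user and port. This is an added example, not part of the original message; the function names are hypothetical and the parser handles only the rule shape shown here. It assumes lo0 is actually filtered (no `set skip on lo0`) and that no other rules precede these.

```python
import re

# The ten rules from the message, wrapped lines rejoined (one rule per line).
RULES = """\
pass out quick on lo0 proto {tcp, udp} from self to any port 53 user {peter, _ntpd}
block out log quick on lo0 proto {tcp, udp} from self to any port 53
pass in quick on lo0 proto {tcp, udp} from any to self port 53 user _unbound
block in log quick on lo0 proto {tcp, udp} from any to self port 53
pass out quick on lo0 proto {tcp, udp} from self to any port 40 user _unbound
block out log quick on lo0 proto {tcp, udp} from self to any port 40
pass in quick on lo0 proto {tcp, udp} from any to self port 40 user _dnscrypt_proxy
block in log quick on lo0 proto {tcp, udp} from any to self port 40
pass out quick on egress proto {tcp, udp} from self to any port 53 user _dnscrypt_proxy
block out log quick on egress proto {tcp, udp} from self to any port 53
"""

# Matches only the rule shape used above; this is not a general pf.conf parser.
RULE_RE = re.compile(
    r"(pass|block) (in|out) (log )?quick on (\S+) proto \{tcp, udp\} "
    r"from \S+ to \S+ port (\d+)(?: user (.+))?$")

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError("unsupported rule: " + line)
        action, direction, log, iface, port, users = m.groups()
        owners = set(re.findall(r"\w+", users)) if users else None  # None = any user
        rules.append((action, direction, bool(log), iface, int(port), owners))
    return rules

def decide(rules, direction, iface, port, user):
    """Return (action, logged). Every rule is 'quick', so the first match wins;
    with no match pf falls back to its implicit default of pass."""
    for action, r_dir, log, r_iface, r_port, owners in rules:
        if (r_dir, r_iface, r_port) == (direction, iface, port) and (
                owners is None or user in owners):
            return action, log
    return "pass", False

def loopback_allowed(rules, client, listener, port):
    """A lo0 connection is filtered twice: 'out' is matched against the user that
    opened the socket, 'in' against the user listening on the destination port."""
    return (decide(rules, "out", "lo0", port, client)[0] == "pass"
            and decide(rules, "in", "lo0", port, listener)[0] == "pass")
```

Ports other than 53 and 40 match none of these rules and fall through to the default, so the excerpt needs a surrounding default-deny policy to constrain anything else.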