Absolutely prevent forwarding of carp or NFS/rpc traffic by using the shiny new
`received-on any` on the out rules.

I can only test this minimally here; it needs at least one carp test and one
diskless test before it goes in.

Index: rc
===================================================================
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.420
diff -u -p -r1.420 rc
--- rc  19 Jan 2014 09:39:04 -0000      1.420
+++ rc  21 Jan 2014 01:53:59 -0000
@@ -335,13 +335,14 @@ if [ X"${pf}" != X"NO" ]; then
                RULES="$RULES\npass out inet6 proto udp from any port 
dhcpv6-client to any port dhcpv6-server"
                RULES="$RULES\npass in inet6 proto udp from any port 
dhcpv6-server to any port dhcpv6-client"
        fi
-       RULES="$RULES\npass proto carp keep state (no-sync)"
+       RULES="$RULES\npass in proto carp keep state (no-sync)"
+       RULES="$RULES\npass out proto carp !received-on any keep state 
(no-sync)"
        case `sysctl vfs.mounts.nfs 2>/dev/null` in
        *[1-9]*)
                # don't kill NFS
                RULES="set reassemble yes no-df\n$RULES"
                RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 
2049 } to any"
-               RULES="$RULES\npass out proto { tcp, udp } from any to any port 
{ 111, 2049 }"
+               RULES="$RULES\npass out proto { tcp, udp } from any to any port 
{ 111, 2049 } !received-on any"
                ;;
        esac
        echo $RULES | pfctl -f -
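Review bot: The new `!received-on any` rules make the boot-time ruleset depend on syntax the cover note describes as brand new, yet the `pfctl -f -` on the last context line has no status check, so a pfctl or kernel that rejects the syntax (e.g. a mismatched userland during an upgrade) would leave the boot ruleset silently uninstalled; whatever pf then does with an empty ruleset is outside this hunk, but it is unlikely to be the intended `block all`. A one-line guard would at least make that visible: `echo $RULES | pfctl -f - || echo "pfctl: failed to load boot-time rules" >&2`. Separately, the forwarding protection rests on the forwarded packet actually being evaluated against the `pass out ... !received-on any` rules rather than being matched by the state created by the unconditional `pass in` rules for carp and port 111/2049; the carp and diskless tests mentioned in the cover note should confirm that with `pfctl -vsr` counters on the new rules. The enclosing `if [ X"${pf}" != X"NO" ]` block starts before and ends after this hunk.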
