this one is still open as well. oks? * Henning Brauer <lists-openbsdt...@bsws.de> [2014-01-21 03:24]: > absolutely prevent forwarding carp or NFS/rpc using the shiny new > received-on any. > > can only minimally test that here. need at least one carp and one > diskless test. > > Index: rc > =================================================================== > RCS file: /cvs/src/etc/rc,v > retrieving revision 1.420 > diff -u -p -r1.420 rc > --- rc 19 Jan 2014 09:39:04 -0000 1.420 > +++ rc 21 Jan 2014 01:53:59 -0000 > @@ -335,13 +335,14 @@ if [ X"${pf}" != X"NO" ]; then > RULES="$RULES\npass out inet6 proto udp from any port > dhcpv6-client to any port dhcpv6-server" > RULES="$RULES\npass in inet6 proto udp from any port > dhcpv6-server to any port dhcpv6-client" > fi > - RULES="$RULES\npass proto carp keep state (no-sync)" > + RULES="$RULES\npass in proto carp keep state (no-sync)" > + RULES="$RULES\npass out proto carp !received-on any keep state > (no-sync)" > case `sysctl vfs.mounts.nfs 2>/dev/null` in > *[1-9]*) > # don't kill NFS > RULES="set reassemble yes no-df\n$RULES" > RULES="$RULES\npass in proto { tcp, udp } from any port { 111, > 2049 } to any" > - RULES="$RULES\npass out proto { tcp, udp } from any to any port > { 111, 2049 }" > + RULES="$RULES\npass out proto { tcp, udp } from any to any port > { 111, 2049 } !received-on any" > ;; > esac > echo $RULES | pfctl -f - >
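Review bot: the new `!received-on any` qualifier is applied only on the `pass out` side, while the `pass in` rules this hunk leaves or adds (`pass in proto carp keep state (no-sync)` and `pass in proto { tcp, udp } from any port { 111, 2049 } to any`) still match packets addressed to any destination, not only to this host, so since the stated goal is to absolutely prevent forwarding of carp and NFS/rpc, the carp and diskless tests mentioned above should also confirm that an inbound packet matching one of those rules cannot create state that lets it leave on another interface without hitting the restricted `pass out` rule. As a style point, the two new rules place the qualifier differently: the carp rule has `!received-on any` before `keep state (no-sync)`, the NFS rule appends it after the port list; both are filter options so either order parses, but keeping them consistent makes the intent easier to audit, and the `# don't kill NFS` comment could say that this bootstrap ruleset now deliberately refuses to forward NFS/rpc.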
-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/