this one is still open as well. oks?

* Henning Brauer <lists-openbsdt...@bsws.de> [2014-01-21 03:24]:
> absolutely prevent forwarding carp or NFS/rpc using the shiny new
> received-on any.
> 
> can only minimally test that here. need at least one carp and one
> diskless test. 
> 
> Index: rc
> ===================================================================
> RCS file: /cvs/src/etc/rc,v
> retrieving revision 1.420
> diff -u -p -r1.420 rc
> --- rc        19 Jan 2014 09:39:04 -0000      1.420
> +++ rc        21 Jan 2014 01:53:59 -0000
> @@ -335,13 +335,14 @@ if [ X"${pf}" != X"NO" ]; then
>               RULES="$RULES\npass out inet6 proto udp from any port 
> dhcpv6-client to any port dhcpv6-server"
>               RULES="$RULES\npass in inet6 proto udp from any port 
> dhcpv6-server to any port dhcpv6-client"
>       fi
> -     RULES="$RULES\npass proto carp keep state (no-sync)"
> +     RULES="$RULES\npass in proto carp keep state (no-sync)"
> +     RULES="$RULES\npass out proto carp !received-on any keep state 
> (no-sync)"
>       case `sysctl vfs.mounts.nfs 2>/dev/null` in
>       *[1-9]*)
>               # don't kill NFS
>               RULES="set reassemble yes no-df\n$RULES"
>               RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 
> 2049 } to any"
> -             RULES="$RULES\npass out proto { tcp, udp } from any to any port 
> { 111, 2049 }"
> +             RULES="$RULES\npass out proto { tcp, udp } from any to any port 
> { 111, 2049 } !received-on any"
>               ;;
>       esac
>       echo $RULES | pfctl -f -
> 
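Review bot: the two `pass in` rules (carp at the new `pass in proto carp` line, NFS at `pass in proto { tcp, udp } from any port { 111, 2049 } to any`) are left as they were, so forwarded carp and NFS/rpc packets are still accepted inbound and create state; only the outbound leg is restricted by `!received-on any`, and forwarding is stopped only because no other rule in the generated set passes that outbound traffic. That is sufficient, but it is worth a short comment in rc above the carp rule saying that `!received-on any` selects locally generated packets, since the same qualifier is not applied to the dhcp rules just above and the asymmetry otherwise looks accidental. Since the rules are assembled as a string, a `pfctl -nf -` parse of the generated set on both a carp host and a diskless client would be the quick check before the real carp/NFS tests mentioned in the mail.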

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
