9c1da17e90
derive IP address(es) from the interface (e.g "... from any to fxp0"). This however, creates window for possible attacks from the network. Implement the solution proposed by YAMAMOTO Takashi: Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot script before starting the network. People who don't like the default rules can override it with their own /etc/pf.boot.conf. The default rules have been obtained from OpenBSD. No objections on: tech-security
39 lines
755 B
Bash
Executable File
39 lines
755 B
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# $NetBSD: pf_boot,v 1.1 2005/08/23 12:12:56 peter Exp $
|
|
#
|
|
|
|
# PROVIDE: pf_boot
|
|
# REQUIRE: root beforenetlkm mountcritlocal tty
|
|
# BEFORE: network
|
|
|
|
$_rc_subr_loaded . /etc/rc.subr
|
|
|
|
name="pf_boot"
|
|
rcvar="pf"
|
|
start_cmd="pf_boot_start"
|
|
stop_cmd=":"
|
|
|
|
pf_boot_start()
|
|
{
|
|
if [ "$autoboot" != "yes" ]; then
|
|
err 1 "This script should only be executed at boot time."
|
|
fi
|
|
|
|
if [ -f /etc/pf.boot.conf ]; then
|
|
/sbin/pfctl -q -f /etc/pf.boot.conf
|
|
elif [ -f /etc/defaults/pf.boot.conf ]; then
|
|
/sbin/pfctl -q -f /etc/defaults/pf.boot.conf
|
|
else
|
|
warn "can't load initial pf rules; pf start aborted."
|
|
echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
|
|
kill -TERM $$
|
|
exit 1
|
|
fi
|
|
|
|
/sbin/pfctl -q -e
|
|
}
|
|
|
|
load_rc_config $name
|
|
run_rc_command "$1"
|