author | 2013-02-13 23:11:14 +0000 | |
---|---|---|
committer | 2013-02-13 23:11:14 +0000 | |
commit | 2b09cda0b04e91858e622df4d35a1968cfd71545 (patch) | |
tree | 886199628ca56c552079c3d2210c15cced3db0b7 | |
parent | Pipex did panic when the 0 length mppe is given by ioctl. Return (diff) | |
Add a 'block' rule prior to the state creating 'pass' rule. This
way, TCP packets of e.g. timed out states are blocked rather than
passed by the implicit default pass rule.
sthen@ benno@ phessler@ mikeb@ agrees
-rw-r--r-- | etc/pf.conf | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/etc/pf.conf b/etc/pf.conf
index da750651432..963bd28ed19 100644
--- a/etc/pf.conf
+++ b/etc/pf.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: pf.conf,v 1.51 2013/01/26 17:12:21 claudio Exp $
+# $OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $
 #
 # See pf.conf(5) for syntax and examples.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
@@ -16,7 +16,8 @@ set skip on lo
 # anchor for relayd(8)
 #anchor "relayd/*"
 
-pass # to establish keep-state
+block # block stateless traffic
+pass # establish keep-state
 
 # rules for spamd(8)
 #table <spamd-white> persist |
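Review bot: The comment on the new `block` line in the second hunk reads like a default-deny, but the rule depends on pf's last-match evaluation and on the following `pass` applying its default `flags S/SA` to TCP, and neither is stated. New connections on every interface other than `lo` are still admitted by `pass`; only TCP packets that match no state and do not open a connection end at `block`, so reordering the two lines or adding `quick` to either changes the policy. I would make the comment say so, e.g. `block # TCP that matches no state and is not a SYN; last match wins, keep before 'pass'`. The file also leaves `set block-policy` at its default, so it is worth one more comment line on whether these packets are dropped silently or should be answered with `block return`.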