authorhalex <halex@openbsd.org>2013-02-13 23:11:14 +0000
committerhalex <halex@openbsd.org>2013-02-13 23:11:14 +0000
commit2b09cda0b04e91858e622df4d35a1968cfd71545 (patch)
tree886199628ca56c552079c3d2210c15cced3db0b7
parentPipex did panic when the 0 length mppe is given by ioctl. Return (diff)
Add a 'block' rule prior to the state creating 'pass' rule. This
way, TCP packets of e.g. timed out states are blocked rather than passed by the implicit default pass rule. sthen@ benno@ phessler@ mikeb@ agrees
-rw-r--r--etc/pf.conf5
1 files changed, 3 insertions, 2 deletions
diff --git a/etc/pf.conf b/etc/pf.conf
index da750651432..963bd28ed19 100644
--- a/etc/pf.conf
+++ b/etc/pf.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: pf.conf,v 1.51 2013/01/26 17:12:21 claudio Exp $
+# $OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
@@ -16,7 +16,8 @@ set skip on lo
# anchor for relayd(8)
#anchor "relayd/*"
-pass # to establish keep-state
+block # block stateless traffic
+pass # establish keep-state
# rules for spamd(8)
#table <spamd-white> persist
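Review bot: The comment on the added `block` line says less than the rule does: a bare `block` matches every packet in both directions, and it is harmless only because pf uses the last matching rule, so the `pass` that follows overrides it for traffic allowed to create state. I would spell that ordering dependency out so nobody later adds `quick` to it or moves it below `pass`, for example `block		# default deny; catches packets matching no state (e.g. non-SYN TCP), must stay before pass`. The rule also drops without logging, so a site that needs to diagnose these drops may prefer `block log` here; that is a local choice rather than something the shipped default needs.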