There is an example: set pf=YES in /etc/rc.conf.local, reboot, and pfctl -sr will give you:

    block drop all
    pass on lo0 all
    pass in proto tcp from any to any port = ssh keep state
    pass out proto tcp from any to any port = domain keep state
    pass out proto udp from any to any port = domain keep state
    pass out inet proto icmp all icmp-type echoreq keep state
    pass proto pfsync all
    pass proto carp all

i.e. invoked from /etc/rc:

    if [ "X${pf}" != X"NO" ]; then
        # default deny, then open only what rc itself needs;
        # the "\n" separators are expanded by echo below
        RULES="block all"
        RULES="$RULES\npass on lo0"
        RULES="$RULES\npass in proto tcp from any to any port 22 keep state"
        RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep state"
        RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"
        RULES="$RULES\npass proto { pfsync, carp }"
        case `sysctl vfs.mounts.nfs 2>/dev/null` in
        *[1-9]*)
            # don't kill NFS
            RULES="scrub in all no-df\n$RULES"
            RULES="$RULES\npass in proto udp from any port { 111, 2049 } to any"
            RULES="$RULES\npass out proto udp from any to any port { 111, 2049 }"
            ;;
        esac
        # load the rules from stdin and enable pf in one step
        echo $RULES | pfctl -f - -e
    fi
On Tue, Aug 23, 2005 at 06:57:43PM -0400, Will H. Backman wrote:

> I'd say punch a hole for SSH. This is because I consider a *NIX box that
> can not be managed via SSH to be borken. And, of course, we are only
> talking about having this as an example and maybe mentioned in a FAQ
> someplace and not turned on by default, right?
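An added example, not code from this thread or from OpenBSD: a small Python audit that parses a pfctl -sr listing of the shape shown above and reports whether the set is default-deny, which (proto, port) pairs it passes in from the network, and anything that deviates from an inbound allowlist. The sample listing, the allowlist and the rule grammar it accepts are constructed assumptions.

```python
import re
# Constructed sample: the pfctl -sr listing of the default /etc/rc ruleset
# quoted earlier in the thread, not captured from a live host.
DEFAULT_LISTING = """\
block drop all
pass on lo0 all
pass in proto tcp from any to any port = ssh keep state
pass out proto tcp from any to any port = domain keep state
pass out proto udp from any to any port = domain keep state
pass out inet proto icmp all icmp-type echoreq keep state
pass proto pfsync all
pass proto carp all
"""

# Assumption: only the rule shapes the rc ruleset produces; anything else is reported as unparsed.
RULE_RE = re.compile(
    r"^(?P<action>block(?: drop| return)?|pass)(?: (?P<dir>in|out))?"
    r"(?: on (?P<iface>\S+))?(?: inet6?)?(?: proto (?P<proto>\S+))?"
    r"(?: all| from \S+ to \S+(?: port = (?P<port>\S+))?)"
    r"(?: icmp-type \S+)?(?P<state> keep state)?$")

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["action"] = d["action"].split()[0]          # 'block drop' -> 'block'
    d["keep_state"] = d.pop("state") is not None
    return d

def audit(listing, allowed_inbound=frozenset({("tcp", "ssh")})):
    """Return (default_deny, inbound (proto, port) pairs passed in from the net, findings)."""
    lines = [l for l in listing.splitlines() if l.strip()]
    parsed = [parse_rule(l) for l in lines]
    findings = [f"unparsed rule: {l}" for l, r in zip(lines, parsed) if r is None]
    rules = [r for r in parsed if r]
    # pf is last-match-wins, so a leading 'block all' is what makes the set default-deny
    default_deny = bool(rules) and rules[0]["action"] == "block" and rules[0]["iface"] is None
    if not default_deny:
        findings.append("ruleset does not start with 'block all': no default deny")
    inbound = []
    for r in rules:
        if r["action"] != "pass" or r["dir"] == "out" or r["iface"] == "lo0":
            continue                               # outbound or loopback-only
        inbound.append((r["proto"], r["port"]))
        if r["port"] is not None and (r["proto"], r["port"]) not in allowed_inbound:
            findings.append(f"inbound {r['proto']} port {r['port']} not on allowlist")
        if r["port"] is not None and not r["keep_state"]:
            findings.append(f"inbound {r['proto']} port {r['port']} is stateless")
    return default_deny, inbound, findings
```

The NFS rules rc adds when an NFS mount is present use source ports, which this grammar deliberately does not accept, so they surface as "unparsed rule" findings rather than being silently counted as safe.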