Here is an example: set pf=YES in /etc/rc.conf.local and reboot.
pfctl -sr will then give you:
block drop all
pass on lo0 all
pass in proto tcp from any to any port = ssh keep state
pass out proto tcp from any to any port = domain keep state
pass out proto udp from any to any port = domain keep state
pass out inet proto icmp all icmp-type echoreq keep state
pass proto pfsync all
pass proto carp all
i.e. the rules that /etc/rc loads when no /etc/pf.conf is present:
    if [ "X${pf}" != X"NO" ]; then
        RULES="block all"
        RULES="$RULES\npass on lo0"
        RULES="$RULES\npass in proto tcp from any to any port 22 keep state"
        RULES="$RULES\npass out proto { tcp, udp } from any to any port 53 keep state"
        RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"
        RULES="$RULES\npass proto { pfsync, carp }"
        case `sysctl vfs.mounts.nfs 2>/dev/null` in
        *[1-9]*)
            # don't kill NFS
            RULES="scrub in all no-df\n$RULES"
            RULES="$RULES\npass in proto udp from any port { 111, 2049 } to any"
            RULES="$RULES\npass out proto udp from any to any port { 111, 2049 }"
            ;;
        esac
        echo $RULES | pfctl -f - -e
    fi
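The same default-deny ruleset as a stand-alone script (added example, not the /etc/rc code above): the NFS exception becomes a parameter instead of a sysctl probe, printf replaces echo so the newlines do not depend on the shell's echo, and check_rules parses the result with pfctl -n without loading it.

```shell
#!/bin/sh
# Added example: rebuild the /etc/rc fallback pf ruleset as functions.

# build_default_rules WITH_NFS -> prints the ruleset on stdout.
# WITH_NFS is "yes" or "no" (assumed parameter; /etc/rc derives it
# from vfs.mounts.nfs instead).
build_default_rules() {
    with_nfs=${1:-no}
    rules='block all
pass on lo0
pass in proto tcp from any to any port 22 keep state
pass out proto { tcp, udp } from any to any port 53 keep state
pass out inet proto icmp all icmp-type echoreq keep state
pass proto { pfsync, carp }'
    if [ "$with_nfs" = yes ]; then
        # scrub goes first, the NFS passes last, as /etc/rc orders them
        rules="scrub in all no-df
$rules
pass in proto udp from any port { 111, 2049 } to any
pass out proto udp from any to any port { 111, 2049 }"
    fi
    # printf, not echo: echo's handling of \n differs between shells
    printf '%s\n' "$rules"
}

# count_rules WITH_NFS -> number of non-empty rule lines
count_rules() {
    build_default_rules "$1" | grep -c .
}

# check_rules WITH_NFS -> parse the ruleset with pfctl -n (no load).
# Exit status: pfctl's status, or 2 when pfctl is not installed.
check_rules() {
    command -v pfctl >/dev/null 2>&1 || return 2
    build_default_rules "$1" | pfctl -n -f -
}
```

Loading the rules for real would be `build_default_rules yes | pfctl -f - -e`, exactly as /etc/rc does with its RULES string.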
On Tue, Aug 23, 2005 at 06:57:43PM -0400, Will H. Backman wrote:
I'd say punch a hole for SSH. This is because I consider a *NIX box that
cannot be managed via SSH to be borken.
And, of course, we are only talking about having this as an example and maybe
mentioned in a FAQ someplace and not turned on by default, right?