> Attending a firewall talk at a nerdy summer camp [0], I decided to check
> out the current, default pf.conf.  There is no reason to exclude lo0 in
> the block rule for X11, since the lo interface group is skipped.
> Additionally, I have made the comments more uniform.

Yes, and if someone decides they can't use "set skip on lo0" for some
other reason, they will be opening their X wide open.  On the other
hand, lo0 is specifically permitted so that people who want to talk to
their X server from inside a chroot can talk to it over lo0.

Anyways, this is a sample configuration to get people started at
learning "best practices".  Best practices almost always mean "be as
exact as you can with what you want".  If there was a test on "best
practices", you would fail it.

Being exact is good.  Having two lines 12 apart interact in a
favorable way is normally bad.

> --- pf.conf.orig      Wed Jul 28 23:52:39 2010
> +++ pf.conf   Wed Jul 28 23:53:53 2010
> @@ -6,16 +6,16 @@
>  
>  set skip on lo
>  
> -# filter rules and anchor for ftp-proxy(8)
> +# Filter rules and anchor for ftp-proxy(8).
>  #anchor "ftp-proxy/*"
>  #pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>  
> -# anchor for relayd(8)
> +# Anchor for relayd(8).
>  #anchor "relayd/*"
>  
>  pass         # to establish keep-state
>  
> -# rules for spamd(8)
> +# Rules for spamd(8).
>  #table <spamd-white> persist
>  #table <nospamd> persist file "/etc/mail/nospamd"
>  #pass in on egress proto tcp from any to any port smtp \
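Review bot: the three comment edits in this hunk (capitalizing and adding a trailing period to the ftp-proxy(8), relayd(8) and spamd(8) headers) are purely cosmetic and unrelated to the X11 rule change in the second hunk; splitting them into a separate commit would keep the behavioral change reviewable on its own and avoid churn in a file many users diff against their local copy.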
> @@ -27,5 +27,5 @@
>  
>  #block in quick from urpf-failed to any      # use with care
>  
> -# By default, do not permit remote connections to X11
> -block in on ! lo0 proto tcp to port 6000:6010
> +# By default, do not permit remote connections to X11.
> +block in proto tcp to port 6000:6010
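Review bot: dropping `! lo0` from the X11 rule makes its behavior depend on the `set skip on lo` line further up in the file rather than stating the intent in the rule itself; if an administrator removes or narrows `set skip on lo` (for example to filter loopback traffic for a chroot or jail setup), the new rule `block in proto tcp to port 6000:6010` silently blocks local X11 connections over lo0 as well, whereas the original `block in on ! lo0 proto tcp to port 6000:6010` keeps the local exception explicit and independent of the skip rule. Suggest keeping the `on ! lo0` qualifier and, if the redundancy bothers you, adding a comment that points at the `set skip on lo` interaction instead.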