FreeBSD Bugzilla – Attachment 249387 Details for Bug 277875: pfctl cowardly refuses to load rules, broken between 8c94ed992702 & f29af8618bf9
Attachment: abridged pf.conf
Filename: pf.conf
MIME Type: text/plain
Creator: Dave Cottlehuber
Created: 2024-03-21 23:00:33 UTC
Size: 2.56 KB
#########################################################################
# macros
#
# interfaces and networks
extl_if = "ng0"
lan_if = "{ dpni1, dpni2, dpni3 }"
wifi_if = "dpni2"
loop_if = "lo0"
jail_if = "lo1"
dmz_if = "dpni1"

# networks
jail_net = $jail_if:network
internet = $extl_if:network
dmz_net = $dmz_if:network

# services
web = "{ http, https }"
dns = "{ domain }"

# misc
both = "{ udp, tcp }"
tcp_flags = "flags S/FSRA keep state"
ratelimit = "(max-src-conn 15, max-src-conn-rate 5/3, overload <ratelimit> flush global)"

# tables

table <martians> const { \
    0/8, 10/8, 100.64/10, 127/8, 169.254/16, 172.16/12, 192/24, \
    192.0.2/24, 192.88.99/24, 192.168/16, 198.18/15, 198.51.100/24, \
    203.0.113/24, 224/4, 240/4, 255.255.255.255, \
    ::1/128, ::ffff:0:0/96, 64:ff9b::/96, 100::/64, 2001:20::/28, \
    2001:db8::/32 }
# , fc00::/7 }

table <blocklist> persist file "/etc/pf.blocklist"
table <ratelimit> persist file "/etc/pf.ratelimit"

#########################################################################
# options

set skip on { $loop_if, $jail_if }
set skip on $lan_if

set block-policy drop
set loginterface $extl_if

# tidy packets are safe packets

# fiddle with zerotier bullshit
scrub in on $extl_if all fragment reassemble

#########################################################################
# ethernet

#########################################################################
# normalisation

#########################################################################
# queueing

#########################################################################
# translation

## streaming

#########################################################################
# filters

# all traffic is blocked and logged unless explicitly stated otherwise
block log all

# traffic shaping
match on $extl_if all dnqueue (2, 1)

# streaming
# pass in quick proto tcp to 127.0.0.1 port 9000

# generally allow icmp internally
block in log quick on $extl_if proto { icmp, igmp, icmp6 }
pass in quick proto { icmp, igmp, icmp6 }
pass out quick proto { icmp, igmp, icmp6 }

# Allow ping/ping6 in both directions (in/out).
pass quick inet6 proto icmp6 icmp6-type echoreq label "icmp"
pass quick inet proto icmp icmp-type echoreq label "icmp"

# internet plumbing
pass in quick on $extl_if proto udp to port $dns label "dns"
pass in quick on $extl_if proto tcp to port $dns label "dns"
pass out quick on $extl_if proto udp to port $dns label "dns"
pass out quick on $extl_if proto tcp to port $dns $tcp_flags label "dns"

pass out log all label "trash"
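The bug title says pfctl refused to load this file. The authoritative way to see why is `pfctl -nf /etc/pf.conf`, which parses without loading and reports the parser's error with its line number. As an added example (not part of the attachment, and not FreeBSD's pfctl code), the Python script below reproduces one of the checks pfctl applies at parse time, macro definition-before-use, as an offline pre-flight: pfctl expands `$name` while lexing and aborts the whole load with "macro 'name' not defined" when a macro is referenced before or without its definition. The embedded configs are constructed: `GOOD_CONF` is a further abridgement of the attached pf.conf, and `BAD_CONF` adds a use-before-definition and a misspelled macro on purpose. The regex scanner is a simplification of pfctl's lexer (it treats `$name` inside quoted strings as a reference too), so it is a pre-check, not a replacement for `pfctl -n`.

```python
"""Offline pre-flight check of pf.conf macro references (added example).

Reproduces one check pfctl performs at parse time: every $name reference
must be defined on an earlier logical line, or pfctl aborts the load with
"macro 'name' not defined". Unused macros are reported as informational.
"""
from __future__ import annotations

import re

# A macro definition is "name = value" at the start of a logical line.
MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
# A macro reference is $name (simplification: matched inside quotes as well).
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, leaving '#' inside double quotes alone."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            break
        out.append(ch)
    return ''.join(out)


def _logical_lines(text: str):
    """Yield (first_physical_line_number, text) after folding '\\' continuations."""
    buf: list[str] = []
    start = None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = _strip_comment(raw).rstrip()
        if start is None:
            start = number
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = ' '.join(buf).strip()
        if joined:
            yield start, joined
        buf, start = [], None
    if buf:
        yield start, ' '.join(buf).strip()


def check_macros(text: str) -> list[tuple[str, str, int]]:
    """Return (kind, macro, line) findings in file order.

    kind == 'undefined': referenced with no earlier definition (pfctl would
    refuse the file). kind == 'unused': defined but never referenced
    (harmless, but typical of an abridged or half-edited config).
    """
    defined: dict[str, int] = {}
    referenced: set[str] = set()
    findings: list[tuple[str, str, int]] = []
    for lineno, line in _logical_lines(text):
        m = MACRO_DEF.match(line)
        body = m.group(2) if m else line
        for name in MACRO_REF.findall(body):
            referenced.add(name)
            if name not in defined:
                findings.append(('undefined', name, lineno))
        if m:  # a macro may reference earlier macros but not itself
            defined[m.group(1)] = lineno
    for name, lineno in defined.items():
        if name not in referenced:
            findings.append(('unused', name, lineno))
    return findings


# Constructed sample: a further abridgement of the attached pf.conf.
GOOD_CONF = """\
# interfaces and networks
extl_if = "ng0"
lan_if = "{ dpni1, dpni2, dpni3 }"
loop_if = "lo0"
jail_if = "lo1"
dns = "{ domain }"
tcp_flags = "flags S/FSRA keep state"

table <martians> const { \\
    0/8, 10/8, 127/8 }

set skip on { $loop_if, $jail_if }
set skip on $lan_if
pass in quick on $extl_if proto udp to port $dns label "dns"
pass out quick on $extl_if proto tcp to port $dns $tcp_flags label "dns"
"""

# Constructed failing variant: $extl_if is used before it is defined, and
# one rule misspells extl_if as ext_if (the internet macro ends up unused).
BAD_CONF = ('internet = $extl_if:network\n' + GOOD_CONF
            + 'pass in quick on $ext_if proto tcp to port $dns label "dns"\n')

if __name__ == "__main__":
    for kind, name, lineno in check_macros(BAD_CONF):
        print(f"line {lineno}: macro '{name}' {kind}")
```

Run it against the real file with `check_macros(open('/etc/pf.conf').read())`; a clean result only means the macro step passed, so follow it with `pfctl -nf` for the full grammar check.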
Attachments on bug 277875: 249387 | 249388 | 249438