13th May 2009
s0xxx

Mine is actually quite extensive...
Code:
block in log
pass out all
Now I know, I know...scrub is useful, tighten things more on the outside, etc, etc. This is a personal machine that doesn't spend much time "out there".

Besides PF FAQ, for tweaking pf second place belongs to incredibly readable and very useful articles by Daniel Hartmeier (link's got all three articles):

http://undeadly.org/cgi?action=artic...20060927091645

Skipping on lo means "don't filter on any lo interfaces at all"; whereas antispoof on lo0 concerns other interfaces. The way I understand antispoof on lo0 is:

block all incoming traffic from the 127.0.0.0/8 net that doesn't go through lo0. One should not receive packets from this net on, say, the vr0 interface, which has the 10.0.0.1/24 address.

Code:
rule expands to:
block drop in on ! lo0 inet from 127.0.0.1/8 to any

network 127.0.0.0/8         vr0            lo0
----------------------> 10.0.0.1 - |  127.0.0.1  |
                                   |   PF BOX    |
antispoof applies to aliases too: http://kerneltrap.org/mailarchive/op...8/7/15/2513284
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn.
If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD
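Added example (not from s0xxx's post or from pf itself): a small model of how `antispoof for <if>` expands and which packets the expanded rules drop, written to match the expansion shown in the post above. The interface table is a constructed sample; the second vr0 entry stands in for an alias address, which is the case the kerneltrap link is about.

```python
import ipaddress

# Constructed sample interface table (not taken from any real host):
# interface name -> list of configured addresses. The second vr0
# entry models an alias, which antispoof also covers.
IFACES = {
    "lo0": ["127.0.0.1/8"],
    "vr0": ["10.0.0.1/24", "192.168.1.1/24"],
}


def expand_antispoof(ifname, ifaces=IFACES):
    """Render 'antispoof for <ifname>' as a list of block rules, in the
    form pfctl prints them in the post above: one 'on ! <if>' rule per
    network and one rule per address (assumed the same for each alias)."""
    rules = []
    for cidr in ifaces[ifname]:
        iface = ipaddress.ip_interface(cidr)
        rules.append(f"block drop in on ! {ifname} inet "
                     f"from {iface.with_prefixlen} to any")
        rules.append(f"block drop in inet from {iface.ip} to any")
    return rules


def antispoof_blocks(ifname, in_if, src, ifaces=IFACES):
    """Return True if a packet arriving on interface in_if with source
    address src would be dropped by the antispoof rules for ifname."""
    src_ip = ipaddress.ip_address(src)
    for cidr in ifaces[ifname]:
        iface = ipaddress.ip_interface(cidr)
        # Second rule of each pair: our own address as a source is
        # dropped no matter which interface it shows up on.
        if src_ip == iface.ip:
            return True
        # First rule of each pair: the interface's network is only a
        # legitimate source on that interface itself.
        if in_if != ifname and src_ip in iface.network:
            return True
    return False


if __name__ == "__main__":
    for ifn in IFACES:
        print(f"antispoof for {ifn} expands to:")
        for rule in expand_antispoof(ifn):
            print("  " + rule)
    # A loopback-sourced packet arriving on vr0 is the spoof case.
    print(antispoof_blocks("lo0", "vr0", "127.0.0.5"))   # True
```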