#5
Old 29th October 2018
bsdsource
Port Guard
 
Join Date: Apr 2014
Posts: 34

Where is the temporary ruleset located in the event that the admin's ruleset is not loaded?

Edit: I looked at the source code for rc and found the following code. I'm guessing this is what you are referring to.

Code:
# Set initial temporary pf rule set.
if [[ $pf != NO ]]; then
	RULES="
	block all
	pass on lo0
	pass in proto tcp from any to any port ssh keep state
	pass out proto { tcp, udp } from any to any port domain keep state
	pass out inet proto icmp all icmp-type echoreq keep state
	pass out inet proto udp from any port bootpc to any port bootps
	pass in inet proto udp from any port bootps to any port bootpc"

	if ifconfig lo0 inet6 >/dev/null 2>&1; then
		RULES="$RULES
		pass out inet6 proto icmp6 all icmp6-type neighbrsol
		pass in inet6 proto icmp6 all icmp6-type neighbradv
		pass out inet6 proto icmp6 all icmp6-type routersol
		pass in inet6 proto icmp6 all icmp6-type routeradv
		pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server
		pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
	fi

	RULES="$RULES
	pass in proto carp keep state (no-sync)
	pass out proto carp !received-on any keep state (no-sync)"

	if (($(sysctl -n vfs.mounts.nfs 2>/dev/null) > 0)); then
		# Don't kill NFS.
		RULES="set reassemble yes no-df
		$RULES
		pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
		pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"
	fi

	print -- "$RULES" | pfctl -f -
	pfctl -e
fi

Last edited by bsdsource; 29th October 2018 at 05:07 PM.