e407216449
PF ruleset. This does not completely prevent _pbuild from communicating (e.g. non-TCP/UDP protocols have no PCB with a userid, so PF cannot restrict those cases), but it covers some cases and, in particular, makes it more obvious when a port does things like download extra distfiles or dependencies as part of the build process. Slight tweak from a diff by espie@.
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
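Review bot: The new `_pbuild` rule on the last line carries none of the caveat given in the commit message, so someone reading pf.conf on its own will take "Port build user does not need network" to mean _pbuild is fully cut off; the limitation should live in the file too, e.g. extend the comment to `# Port build user does not need network (only TCP/UDP sockets carry a uid, so other protocols are not caught here)`. The `log` keyword is what makes unexpected build-time fetches visible in pflog, which appears to be the main point of the change, and is worth a word in the same comment. Ordering looks right: with no `quick`, the rule sits after the catch-all `pass` and PF's last-match semantics let it take precedence, and `block return` means a build that tries to reach the network fails immediately rather than hanging on a timeout.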