| author | Bradley Taunt <bt@btxx.org> | 2025-07-12 12:10:30 -0400 |
|---|---|---|
| committer | Bradley Taunt <bt@btxx.org> | 2025-07-12 12:10:30 -0400 |
| commit | 079bc48a159e0829a76fcce10199fce58df5ccb6 (patch) | |
| tree | 1a786924c0f23cf9be83e757741d900d97f1ef06 /posts | |
| parent | 54baa5d361708b338f61db4819b17a7c3e809d8c (diff) | |
Update pf.conf rules in router post
Diffstat (limited to 'posts')
| -rw-r--r-- | posts/openbsd-router.md | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/posts/openbsd-router.md b/posts/openbsd-router.md index 149be72..84bb589 100644 --- a/posts/openbsd-router.md +++ b/posts/openbsd-router.md @@ -43,7 +43,7 @@ With all of the hardware on-hand, do the following: - Plug an ethernet cable from your ISP's modem into the ethernet port on the Mac Mini - Plug in the USB to ethernet adapter into one of the USB 3.0 ports on the Mac Mini -- Connect and ethernet cable from the adapter to the main Eero gateway +- Connect an ethernet cable from the adapter to the main Eero gateway Diagram for reference: @@ -99,6 +99,9 @@ int_if = "axen0" set skip on lo +# Block everything by default +block all + # Normalize incoming packets match in all scrub (no-df random-id max-mss 1440) @@ -131,6 +134,12 @@ set skip on lo - Skips packet filtering on loopback. ~~~ +block all +~~~ + +- Block all sources by default (before telling it what to explicitly allow) + +~~~ match in all scrub (no-df random-id max-mss 1440) ~~~ @@ -310,6 +319,9 @@ xbox = "192.168.2.100" set skip on lo +# Block everything by default +block all + # Perform source-port randomization for all hosts which are not the xbox match out log on egress from !$xbox to any nat-to ($ext_if:0) port 1024:65535 |
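Review bot: In the hunk at @@ -99,6 +99,9, the new `block all` drops silently and unlogged (assuming no `set block-policy` elsewhere in the file), yet it is now the rule that decides the fate of every packet the later rules do not explicitly pass. Consider `block log all` so that drops are visible on pflog0 while a reader adapts the ruleset to their own network. The comment could also say that pf is last-match-wins, which is why a default placed at the top is overridden by the pass rules further down. Neither neighbouring context line (`set skip on lo`, `match in all scrub ...`) passes anything, so the post relies entirely on pass rules outside this hunk for `$int_if` and egress traffic to keep flowing.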
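Review bot: In the hunk at @@ -131,6 +134,12, the explanation "Block all sources by default (before telling it what to explicitly allow)" is imprecise on two points. `block all` is shorthand for blocking from any source to any destination, in both directions, so "sources" undersells it. The parenthetical also reads as if pf stops at the first matching rule, when it is the last matching rule that wins. Suggested wording: "Block all traffic in both directions by default; pf applies the last matching rule, so the pass rules below override this for the traffic we want to allow."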
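Review bot: In the hunk at @@ -310,6 +319,9, `block all` now sits directly above `match out log on egress from !$xbox to any nat-to ($ext_if:0) port 1024:65535`, and a `match` rule only applies the translation without passing the packet. With the default switched to block, this second ruleset needs its own explicit `pass out on egress` rule (and one for the xbox traffic) further down, which the hunk does not show. Please confirm those are present in this copy as well as in the first ruleset, and consider telling readers to check the file with `pfctl -nf /etc/pf.conf` before loading it, since a mistake here cuts off the whole LAN.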
