PF.BOOT.CONF(5)                 File Formats Manual                PF.BOOT.CONF(5)
NAME
     pf.boot.conf — initial configuration for packet filter
DESCRIPTION
     The pf.boot.conf file is used as the initial configuration for the
     pf(4) packet filter.  This file is loaded by the rc.d(8) script network
     before the network is configured.  Its purpose is to protect the machine
     from possible attacks in the window between the network configuration
     and the loading of the final ruleset.

     The syntax of this file is described in pf.conf(5).

     Note that at the stage where this configuration is loaded, the network
     interface(s) do not have an IP address yet, so you cannot use rules that
     derive addresses from an interface (for example, “pass out from any to
     fxp0”).

     When using NFS (e.g. in diskless situations), you will also need the
     following rules, in addition to the default rules, to unblock NFS:

           scrub in all no-df
           pass in proto udp from any port { 111, 2049 } to any
           pass out proto udp from any to any port { 111, 2049 }
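A pre-boot check for the caveat above, added here as an example and not part of NetBSD or pf: a POSIX shell lint that walks a pf.boot.conf file and flags from/to operands that name an interface, since such rules resolve to no address when pf.boot.conf is loaded. The sample rulesets below are constructed for the example, and the interface names wm0 and fxp0 in them are assumed.

```shell
# Heuristic lint for a pf.boot.conf ruleset (added example; not NetBSD or pf
# code).  Flags "from"/"to" operands that name an interface, e.g. fxp0,
# (fxp0) or fxp0:network, which have no address at the point pf.boot.conf is
# loaded.  An interface after "on" selects the interface, not its address.
lint_pf_boot() {
    awk '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        {
            addr = 0; inlist = 0                   # addr: reading a from/to operand
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (tok ~ /^#/) break              # trailing comment ends the rule
                if (tok == "from" || tok == "to") { addr = 1; continue }
                if (!addr) continue
                if (tok == "{") { inlist = 1; continue }
                if (tok == "}") { inlist = 0; addr = 0; continue }
                bare = tok
                gsub(/[(),]/, "", bare)            # "(fxp0)" and list commas
                sub(/:.*$/, "", bare)              # "fxp0:network" -> "fxp0"
                if (bare ~ /^[a-z][a-z0-9]*[0-9]$/) {
                    printf "%s:%d: %s is an interface address, unset at boot\n", FILENAME, NR, tok
                    hits++
                }
                if (!inlist) addr = 0              # single operand consumed
            }
        }
        END { exit (hits > 0) }                    # 1 if anything was flagged
    ' "$1"
}

# Constructed sample rulesets (not NetBSD defaults); interface names are assumed.
_tmp=${TMPDIR:-/tmp}/pfboot.$$
mkdir -p "$_tmp"
cat > "$_tmp/good.conf" <<'EOF'
scrub in all no-df
block in all
pass out all
pass in on wm0 proto udp from any port { 111, 2049 } to any
pass out proto udp from any to any port { 111, 2049 }
EOF
cat > "$_tmp/bad.conf" <<'EOF'
pass out from any to fxp0                          # the manual's rejected form
pass in from { fxp0:network, 192.0.2.0/24 } to (wm0)
EOF
lint_pf_boot "$_tmp/good.conf" && echo "good.conf: no interface addresses"
lint_pf_boot "$_tmp/bad.conf" || echo "bad.conf: rejected"
```

The name match is a heuristic (a hostname such as host1 would also trip it), so treat a hit as something to read, not as an automatic error.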
NetBSD 10.99                    August 17, 2005                     NetBSD 10.99