blob: 633f3ef27f3d9a606d243cbe9f59dbbba6a3be6b (
plain) (
tree)
|
|
egress = "${BOXCONF_DEFAULT_INTERFACE}"
allowed_tcp_ports = "{ $(join ', ' ${allowed_tcp_ports:-}) }"
allowed_udp_ports = "{ $(join ', ' ${allowed_udp_ports:-}) }"
acme_standalone_port = ${acme_standalone_port}
acme_standalone_user = ${acme_uid}
nfscbd_port = ${nfscbd_port}
set block-policy return
set skip on lo
scrub in on \$egress all fragment reassemble no-df
$([ "${acme_standalone:-}" = true ] && echo \
'rdr on $egress inet proto tcp to port http -> ($egress) port $acme_standalone_port'
[ -n "${redirect_tcp_ports:-}" ] && printf \
'rdr on $egress inet proto tcp to port %s -> ($egress) port %s\n' $redirect_tcp_ports
[ -n "${redirect_udp_ports:-}" ] && printf \
'rdr on $egress inet proto udp to port %s -> ($egress) port %s\n' $redirect_udp_ports)
antispoof quick for \$egress
block all
pass out quick on \$egress inet
pass in quick on \$egress inet proto icmp all icmp-type { echoreq, unreach }
$([ "${acme_standalone:-}" = true ] && echo \
'pass in quick on $egress inet proto tcp to port $acme_standalone_port user $acme_standalone_user'
[ -n "${allowed_tcp_ports:-}" ] && echo \
'pass in quick on $egress inet proto tcp to port $allowed_tcp_ports'
[ -n "${allowed_udp_ports:-}" ] && echo \
'pass in quick on $egress inet proto udp to port $allowed_udp_ports'
[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ] || echo \
'pass in quick on $egress inet proto { tcp, udp } to port $nfscbd_port')
|
