use "!received-on any" to absolutely ensure that we're not forwarding

carp, rpc or nfs traffic in the initial ruleset active during network
startup for a short time (or a much longer time if /etc/pf.conf is
screwed up). ok phessler

diff --git a/etc/rc b/etc/rc
index eb7d7c7..599e99d 100644 (file)
--- a/etc/rc
+++ b/etc/rc
@@ -1,4 +1,4 @@
-#      $OpenBSD: rc,v 1.423 2014/03/15 22:13:36 sthen Exp $
+#      $OpenBSD: rc,v 1.424 2014/04/19 16:07:09 henning Exp $
 
 # System startup script run by init on autoboot
 # or after single-user.
@@ -336,13 +336,14 @@ if [ X"${pf}" != X"NO" ]; then
                RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
                RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
        fi
-       RULES="$RULES\npass proto carp keep state (no-sync)"
+       RULES="$RULES\npass in proto carp keep state (no-sync)"
+       RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)"
        case `sysctl vfs.mounts.nfs 2>/dev/null` in
        *[1-9]*)
                # don't kill NFS
                RULES="set reassemble yes no-df\n$RULES"
                RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any"
-               RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 }"
+               RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 } !received-on any"
                ;;
        esac
        echo $RULES | pfctl -f -