From 0bd21084c42ab6e935c5a53e1ee12aa7bca3b835 Mon Sep 17 00:00:00 2001 From: Phantasm Date: Fri, 22 Nov 2024 19:45:45 +0100 Subject: [PATCH] docs openbsd: remove firewall configuation from install instructions It isn't in any of the install docs, why should it be here. --- docs/installation/openbsd_en.md | 33 --------------------------------- 1 file changed, 33 deletions(-) diff --git a/docs/installation/openbsd_en.md b/docs/installation/openbsd_en.md index 4deed6550..76b3d69c5 100644 --- a/docs/installation/openbsd_en.md +++ b/docs/installation/openbsd_en.md @@ -304,39 +304,6 @@ If the configuration is correct, enable and start the `relayd` service: Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors. - -#### pf -Enabling and configuring pf is highly recommended. -In /etc/pf.conf, insert the following configuration: - -``` -# Macros -if="" -authorized_ssh_clients="any" - -# Skip traffic on loopback interface -set skip on lo - -# Default behavior -set block-policy drop -block in log all -pass out quick - -# Security features -match in all scrub (no-df random-id) -block in log from urpf-failed - -# Rules -pass in quick on $if inet proto icmp to ($if) icmp-type { echoreq unreach paramprob trace } # ICMP -pass in quick on $if inet6 proto icmp6 to ($if) icmp6-type { echoreq unreach paramprob timex toobig } # ICMPv6 -pass in quick on $if proto tcp to ($if) port { http https } # relayd/httpd -pass in quick on $if proto tcp from $authorized_ssh_clients to ($if) port ssh -``` - -Replace ** by your server's network interface name (which you can get with ifconfig). Consider replacing the content of the authorized\_ssh\_clients macro by, for example, your home IP address, to avoid SSH connection attempts from bots. - -Check pf's configuration by running `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf` and enable pf at boot with `rcctl enable pf`. - ### Starting pleroma at boot Copy the startup script and make sure it's executable: