Anycast with ospf and ipv6 could be a fun tutorial... /S
On 2 Apr 2017 22:27, "Luke Small" <lukensm...@gmail.com> wrote:
> It might be a fun idea to share what a really locked down desktop system
> pf.conf would look like if you are running a chain of DNS services (or
> something that would be good to tightly control) like local ntpd, unbound,
> and dnscrypt_proxy where you have local traffic locked down as well so that
> an aberrant process or even root cannot connect to the local ports and
> services, e.g.
>
> pass out quick on lo0 proto {tcp, udp} from self to any port 53 user {peter, _ntpd}
> block out log quick on lo0 proto {tcp, udp} from self to any port 53
>
> pass in quick on lo0 proto {tcp, udp} from any to self port 53 user _unbound
> block in log quick on lo0 proto {tcp, udp} from any to self port 53
>
> pass out quick on lo0 proto {tcp, udp} from self to any port 40 user _unbound
> block out log quick on lo0 proto {tcp, udp} from self to any port 40
>
> pass in quick on lo0 proto {tcp, udp} from any to self port 40 user _dnscrypt_proxy
> block in log quick on lo0 proto {tcp, udp} from any to self port 40
>
> pass out quick on egress proto {tcp, udp} from self to any port 53 user _dnscrypt_proxy
> block out log quick on egress proto {tcp, udp} from self to any port 53
>
> Maybe there is a similar case that can be made, possibly with a reverse
> http proxy setup that would make more sense for security in the case that a
> vulnerability is discovered.
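As an added example (not from the mail, and not a pf tool), a small Python check of the pass-then-block-per-user pattern Luke sketches: it flags a per-user pass that lacks `quick` (pf is last-match-wins, so the catch-all block behind it overrides it) and a pass whose interface/direction/port has no user-less block after it (the port stays open to every other local user). The rule text is constructed from the mail's rules, with two defects planted on purpose; it only parses the small pf subset those rules use.

```python
import re

# Constructed rule text modelled on the per-user DNS rules in the quoted mail
# (same interfaces, ports and user names). Two defects are planted on purpose:
# the first pass omits 'quick', and the lo0 port 40 'out' pass has no block.
RULES = """
pass out on lo0 proto {tcp, udp} from self to any port 53 user {peter, _ntpd}
block out log quick on lo0 proto {tcp, udp} from self to any port 53
pass in quick on lo0 proto {tcp, udp} from any to self port 53 user _unbound
block in log quick on lo0 proto {tcp, udp} from any to self port 53
pass out quick on lo0 proto {tcp, udp} from self to any port 40 user _unbound
pass in quick on lo0 proto {tcp, udp} from any to self port 40 user _dnscrypt_proxy
block in log quick on lo0 proto {tcp, udp} from any to self port 40
pass out quick on egress proto {tcp, udp} from self to any port 53 user _dnscrypt_proxy
block out log quick on egress proto {tcp, udp} from self to any port 53
"""

# action, direction, optional log/quick, interface, port, optional user or {user list}
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"\b.*?\bport\s+(?P<port>\d+)(?:\s+user\s+(?P<user>\{[^}]*\}|\S+))?\s*$"
)

def parse_rules(text):
    """Parse the small pf subset used above into dicts; reject anything else."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        users = m["user"].strip("{}").split(",") if m["user"] else []
        rules.append({"action": m["action"], "key": (m["iface"], m["dir"], int(m["port"])),
                      "quick": m["quick"] is not None,
                      "users": frozenset(u.strip() for u in users)})
    return rules

def audit(rules):
    """Findings for per-user pass rules: missing 'quick' (the later block overrides
    the pass) or no user-less block afterwards (port left open to other users)."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "pass" or not r["users"]:
            continue
        who = ",".join(sorted(r["users"]))
        if not r["quick"]:
            findings.append(f"{r['key']}: pass for {who} lacks 'quick', later block wins")
        if not any(b["action"] == "block" and not b["users"] and b["key"] == r["key"]
                   for b in rules[i + 1:]):
            findings.append(f"{r['key']}: no user-less block after pass for {who}")
    return findings
```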