problem

assume you have pf configured so that it blocks everything, and you want to offer some files via nfs to a few special hosts. for that, the clients must be able to connect to mountd. on openbsd there is no -p lowport,highport option that could tell mountd which port range to use, so mountd binds to a random port below 1024. and if you don't want to use -n and open the firewall to all unprivileged ports, you have a problem.

solution

use an anchor to define a kind of "entry point" in the main ruleset, and find out which ports mountd actually runs on. for that i wrote a tiny shell script that uses awk to create the pf rules; those rules are then fed to pf via pfctl, which loads them into the anchor:

$> sh mountd-rules.sh | pfctl -a anchorname:mountd -f -
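the following is an added example of what such a script can look like; it is not the script from the original post. it assumes rpcinfo -p output as the source of the port numbers, and it goes one step beyond the text by also passing the portmap (111) and nfsd (2049) ports, since a client needs those as well as mountd. the client addresses are placeholders, and the embedded rpcinfo output is a constructed sample with invented mountd ports (812/udp, 846/tcp); on a real host those change every time mountd is restarted.

```shell
#!/bin/sh
# mountd-rules.sh: added example, not the original author's script.
# Reads `rpcinfo -p` output, picks the sockets that portmap, mountd and nfsd
# registered, and prints one pf pass rule per client, protocol and port.
#
# Usage on the NFS server:
#   sh mountd-rules.sh | pfctl -a anchorname:mountd -f -

# Hosts allowed to mount.  Placeholder addresses from the RFC 5737 test range.
NFS_CLIENTS="${NFS_CLIENTS:-192.0.2.10 192.0.2.11}"

# Constructed sample of `rpcinfo -p` output, used when no portmap is
# reachable.  The mountd ports 812/udp and 846/tcp are invented.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    812  mountd
    100005    3   udp    812  mountd
    100005    1   tcp    846  mountd
    100005    3   tcp    846  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs'

# mountd_ports: rpcinfo -p output on stdin; prints "proto port" once for
# every distinct socket mountd registered (several RPC versions share one).
mountd_ports() {
    awk '$5 == "mountd" && !seen[$3 FS $4]++ { print $3, $4 }'
}

# pf_rules CLIENTS: rpcinfo -p output on stdin; prints pass rules for the
# RPC services an NFS client talks to (portmap, mountd, nfsd), restricted to
# the listed source hosts.  Everything else stays blocked by the main ruleset.
pf_rules() {
    awk -v clients="$1" '
        $5 == "portmapper" || $5 == "mountd" || $5 == "nfs" {
            if (seen[$3 FS $4]++) next
            n = split(clients, c, " ")
            for (i = 1; i <= n; i++)
                printf "pass in quick proto %s from %s to any port %s keep state\n",
                       $3, c[i], $4
        }'
}

# When run as a script: use the live portmap if rpcinfo can reach it,
# otherwise demonstrate on the constructed sample.
if command -v rpcinfo >/dev/null 2>&1 && rpcinfo -p >/dev/null 2>&1; then
    rpcinfo -p | pf_rules "$NFS_CLIENTS"
else
    printf '%s\n' "$SAMPLE_RPCINFO" | pf_rules "$NFS_CLIENTS"
fi
```

two things to keep in mind: the main ruleset has to contain an anchor line with that name, or the rules loaded into it are never evaluated; and because mountd gets a new port on every start, the script has to be run again after each mountd restart. loading with -f into the anchor replaces the anchor's previous rules, so stale ports don't accumulate.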


last update: 040608 00:17:15