4 files changed, 22 insertions, 0 deletions

diff --git a/deploy b/deploy
index 7539eb5..bf3cab3 100755
--- a/deploy
+++ b/deploy
@@ -50,6 +50,10 @@ fi
 
 if [ "$DRY" != 'YES' ]; then
     echo '==='
+    echo 'Apply packet filter rules'
+    pfctl -f /etc/pf.conf && echo 'OK' || echo 'FAIL'
+
+    echo '==='
     rcctl restart portmap
     rcctl restart httpd nfsd slowcgi sshd
 
diff --git a/etc/hosts b/etc/hosts
new file mode 100644
index 0000000..d5be630
--- /dev/null
+++ b/etc/hosts
@@ -0,0 +1,2 @@
+127.0.0.1	localhost
+::1		localhost
diff --git a/etc/pf.conf b/etc/pf.conf
new file mode 100644
index 0000000..ecf2183
--- /dev/null
+++ b/etc/pf.conf
@@ -0,0 +1,14 @@
+#	$OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+#
+# See pf.conf(5) and /etc/examples/pf.conf
+
+set skip on lo
+
+block return	# block stateless traffic
+pass		# establish keep-state
+
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
diff --git a/files.sh b/files.sh
index 6221d4d..8314822 100644
--- a/files.sh
+++ b/files.sh
@@ -2,7 +2,9 @@ install_dir  0755 root wheel  '/etc'
 install_file 0600 root wheel  '/etc/doas.conf'
 install_file 0644 root wheel  '/etc/exports'
 install_file 0644 root wheel  '/etc/fstab'
+install_file 0644 root wheel  '/etc/hosts'
 install_file 0644 root wheel  '/etc/httpd.conf'
+install_file 0600 root wheel  '/etc/pf.conf'
 install_file 0644 root wheel  '/etc/rc.conf.local'
 install_file 0644 root wheel  '/etc/shells'
 install_dir  0755 root wheel  '/etc/ssh'