From 048968b8e0586eb86ad2c406fe0273670c1c1a43 Mon Sep 17 00:00:00 2001 From: maddaat Date: Mon, 13 Apr 2026 18:01:58 +0400 Subject: Add some files --- deploy | 4 ++++ etc/hosts | 2 ++ etc/pf.conf | 14 ++++++++++++++ files.sh | 2 ++ 4 files changed, 22 insertions(+) create mode 100644 etc/hosts create mode 100644 etc/pf.conf diff --git a/deploy b/deploy index 7539eb5..bf3cab3 100755 --- a/deploy +++ b/deploy @@ -49,6 +49,10 @@ fi . "$REPO/files.sh" if [ "$DRY" != 'YES' ]; then + echo '===' + echo 'Apply packet filter rules' + pfctl -f /etc/pf.conf && echo 'OK' || echo 'FAIL' + echo '===' rcctl restart portmap rcctl restart httpd nfsd slowcgi sshd diff --git a/etc/hosts b/etc/hosts new file mode 100644 index 0000000..d5be630 --- /dev/null +++ b/etc/hosts @@ -0,0 +1,2 @@ +127.0.0.1 localhost +::1 localhost diff --git a/etc/pf.conf b/etc/pf.conf new file mode 100644 index 0000000..ecf2183 --- /dev/null +++ b/etc/pf.conf @@ -0,0 +1,14 @@ +# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $ +# +# See pf.conf(5) and /etc/examples/pf.conf + +set skip on lo + +block return # block stateless traffic +pass # establish keep-state + +# By default, do not permit remote connections to X11 +block return in on ! lo0 proto tcp to port 6000:6010 + +# Port build user does not need network +block return out log proto {tcp udp} user _pbuild diff --git a/files.sh b/files.sh index 6221d4d..8314822 100644 --- a/files.sh +++ b/files.sh @@ -2,7 +2,9 @@ install_dir 0755 root wheel '/etc' install_file 0600 root wheel '/etc/doas.conf' install_file 0644 root wheel '/etc/exports' install_file 0644 root wheel '/etc/fstab' +install_file 0644 root wheel '/etc/hosts' install_file 0644 root wheel '/etc/httpd.conf' +install_file 0600 root wheel '/etc/pf.conf' install_file 0644 root wheel '/etc/rc.conf.local' install_file 0644 root wheel '/etc/shells' install_dir 0755 root wheel '/etc/ssh' -- cgit v1.2.3
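Review bot: The added `pfctl -f /etc/pf.conf && echo 'OK' || echo 'FAIL'` line in the deploy hunk discards pfctl's exit status, so a ruleset that fails to load only prints FAIL and the run goes on to restart the services with whatever rules were loaded before. I would stop the deploy on failure and check the file first with pfctl's parse-only flag: `pfctl -nf /etc/pf.conf || { echo 'FAIL' >&2; exit 1; }`, then `pfctl -f /etc/pf.conf || { echo 'FAIL' >&2; exit 1; }`, then `echo 'OK'`. The `a && b || c` form also runs `c` when `b` itself fails; that is harmless with echo, but an explicit `if` states the intent. The enclosing `if [ "$DRY" != 'YES' ]` block continues past the end of the hunk.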
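Review bot: The bare `pass` after `block return` in etc/pf.conf makes the ruleset default-allow, because pf applies the last matching rule; apart from the X11 ports and the `_pbuild` user, every inbound connection is accepted. The deploy script in this same commit restarts portmap, nfsd, httpd and sshd, so those services are presumably reachable from every network the host is attached to. I would replace `pass` with `pass out` plus explicit inbound rules such as `pass in proto tcp to port { 22 80 }` (adjusted to the ports sshd and httpd really listen on), and admit NFS and portmap only from the client addresses, which this commit does not show. A short comment at the top listing the services meant to be exposed would document the policy, since the file is otherwise the stock example.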