PF (Packet Filtering)

580阅读 0评论2011-10-11 ulovko
分类:BSD

1:
  1. PF( Packet Filtering)
  2. vim /etc/rc.conf
  3. pf_enable="YES"
  4. pflog_enable="YES"
  5. :wq
  6. vim /etc/pf.conf
  7. #1. Macros
  8. #2. Tables
  9. #3. Options
  10. #4. Packet normalization
  11. #5. Bandwidth management
  12. #6. Translation
  13. #7. Redirection
  14. #8. Packet filtering
  15. interface="em0"
  16. scrub in all
  17. block in on $interface
  18. # allow SSH and POP3 traffic from our network
  19. pass in on $interface proto tcp from 192.168.1.0/24 to $interface port 22
  20. pass in on $interface proto tcp from 192.168.1.0/24 to $interface port 110
  21. # allow SMTP (25), HTTP (80), and HTTPS (443) to the world
  22. pass in on $interface proto tcp from any to $interface port 25
  23. pass in on $interface proto tcp from any to $interface port 80
  24. pass in on $interface proto tcp from any to $interface port 443
  25. # allow the world to query our DNS server
  26. pass in on $interface proto tcp from any to $interface port 53
  27. pass in on $interface proto udp from any to $interface port 53
  28. # allow outgoing traffic
  29. pass out on $interface proto { tcp, udp } all
  30. :wq



  34. # 检查语法 但不加载规则
  35. # pfctl -nf /etc/pf.conf
  36. # 加载规则
  37. # pfctl -f /etc/pf.conf
  38. # 查看 filter规则
  39. # pfctl -sr (-s rules)
  40. # pfctl -s info
  41. # 清空所有规则
  42. # pfctl -Fa (-F all)
  43. # pf -e (/etc/rc.d/pf start)
  44. # pf -d (/etc/rc.d/pf stop)
  45. --------------------------------------------------------------------
  46. block in all
  47. pass out all

  49. tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s }"
  50. udp_services = "{ domain }"
  51. block all
  52. pass out proto tcp to any port $tcp_services
  53. pass out proto udp to any port $udp_services

  55. Gateway:
  56. Vim /etc/rc.conf
  57. gateway_enable="YES" # for ipv4
  58. ipv6_gateway_enable="YES" # for ipv6

  60. ext_if = "re0" # macro for external interface - use tun0 or pppoe0 for PPPoE
  61. int_if = "re1" # macro for internal interface
  62. localnet = $int_if:192.168.1.0/24

  64. client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http,\
  65. https, 446, cvspserver, 2628, 5999, 8000, 8080 }"
  66. udp_services = "{ domain, ntp }"

  68. # ext_if IP address could be dynamic, hence ($ext_if)
  69. nat on $ext_if from $localnet to any -> ($ext_if)
  70. block all
  71. pass in inet proto tcp from any to $ext_if port ssh
  72. pass quick inet proto { tcp, udp } to any port $udp_services

  74. # For each packet or
  75. connection evaluated by PF, the last matching rule in the rule set is the one
  76. that is applied. quick keyword offers an escape from the ordinary sequence
  77. The rule processing stops without considering any further rules that
  78. might have matched the packet.

  80. pass from { lo0, $localnet } to any keep state
2:

3:

4:

5:

6:
上一篇:Building FreeBSD from Source
下一篇:FreeBSD Monitoring