block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any
After expansion:
block out on fxp0 from 192.168.0.1 to any
block out on fxp0 from 10.5.32.6 to any
Multiple lists can also be used within a single rule, and lists are not limited to filter rules:
rdr on fxp0 proto tcp from any to any port { 22 80 } ->
192.168.0.6
block out on fxp0 proto { tcp udp } from { 192.168.0.1,
10.5.32.6 } to any port { ssh telnet }
+ Tables.
+ Any of the above, negated with the ! ("not") modifier.
+ A set of addresses using a list.
+ The keyword any, meaning all addresses.
+ The keyword all, which is shorthand for from any to any.
src_port, dst_port
The source/destination port in the Layer 4 packet header. Ports can be specified as:
+ An integer between 1 and 65535
+ A valid service name from /etc/services
+ A set of ports using a list
+ A range:
o != (not equal)
o > (greater than)
o >= (greater than or equal)
o <> (inverse range)
state
Specifies whether state information is kept for packets matching this rule.
+ keep state – works for TCP, UDP, and ICMP.
+ modulate state – works for TCP only. PF generates strong Initial Sequence Numbers (ISNs) for packets matching this rule.
+ synproxy state – proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state.
# Pass traffic in on dc0 from the local network, 192.168.0.0/24, to the
# OpenBSD machine's IP address, 192.168.0.1. Also pass the returning packets
# out on dc0.
pass in on dc0 from 192.168.0.0/24 to 192.168.0.1
pass out on dc0 from 192.168.0.1 to 192.168.0.0/24
# Pass TCP traffic in on fxp0 to the web server running on the
# OpenBSD machine. The interface name, fxp0, is used as the
# destination address so that packets will only match this rule if
# they're destined for the OpenBSD machine.
pass in on fxp0 proto tcp from any to fxp0 port www
Keeping state has many advantages, including simpler rulesets and better packet filtering performance. PF is able to match packets moving in either direction to state table entries, meaning that filter rules which pass returning traffic don't need to be written. And, since packets matching stateful connections do not go through ruleset evaluation, the time PF spends processing those packets is greatly reduced.
pass out on fxp0 proto { tcp, udp, icmp } from any
to any modulate state
Another advantage of keeping state is that corresponding ICMP traffic will be passed through the firewall. For example, if a TCP connection passing through the firewall is being tracked statefully and an ICMP packet referring to that TCP connection arrives, it is matched to the appropriate state entry and passed through the firewall.
scrub in on fxp0
.
.
.
pass in on fxp0 proto tcp from any to any port ssh flags S/SA
keep state
TCP SYN Proxy
Normally, when a client initiates a TCP connection to a server, PF passes the handshake packets between the two endpoints as they arrive. PF has the ability, however, to proxy the handshake. With the handshake proxied, PF itself completes the handshake with the client, initiates a handshake with the server, and then passes packets between the two. The benefit is that no packets are sent to the server before the client completes the handshake. This eliminates the threat of spoofed TCP SYN floods affecting the server, because a spoofing client never completes the handshake.
The TCP SYN proxy is enabled using the synproxy state keywords in filter rules. For example:
pass in on $ext_if proto tcp from any to $web_server port www
flags S/SA synproxy state
Now connections to the web server will be TCP proxied by PF.
Because of the way synproxy state works, it also includes the same functionality as keep state and modulate state.
pass in on $ext_if any os OpenBSD keep state
block in on $ext_if any os "Windows 2000"
block in on $ext_if any os "Linux 2.4 ts"
block in on $ext_if any os unknown
# setup a default deny policy
block in all
block out all
# pass traffic on the loopback interface in either direction
pass quick on lo0 all
# activate spoofing protection for the internal interface.
antispoof quick for $int_if inet
# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.0.15. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.15
to $int_if port ssh flags S/SA
# pass all traffic to and from the local network
pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net
# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect. use the tcp syn proxy to proxy the connection.
pass in log on $ext_if proto tcp from any to { !$ext_if, !$int_if }
port ssh flags S/SA synproxy state
------------------------------------------------------------------------------
$OpenBSD: filter.html,v 1.20 2004/05/07 01:55:23 nick Exp $
==============================================================================
192.168.1.35:2132
The IP address of the machine on the internal network (192.168.1.35). The source port (2132) is shown after the address. This is also the address that is replaced in the IP header.
24.5.0.5:53136
The IP address (24.5.0.5) and port (53136) on the gateway that the packet's address and port are being translated to.
65.42.33.245:22
The IP address (65.42.33.245) and port (22) that the internal machine is connecting to.
TIME_WAIT:TIME_WAIT
This indicates the state that PF believes this TCP connection is in.
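To make the three address columns of a state entry easier to read on a busy gateway, here is an added example (not code from the OpenBSD PF FAQ) that parses state lines in the form shown above and maps each NAT-translated state back to the internal host that owns it. The function names and the sample lines are this example's own; the sample lines are constructed, modelled on the entry explained above, and the parser handles IPv4 entries with two endpoints (no translation) or three (the middle one being the translated gateway address).

```python
import re

# Added example, not code from the OpenBSD PF FAQ.  Parses "pfctl -s state"
# lines of the form  TCP a:p -> b:q -> c:r STATE  (optionally with a leading
# interface column such as "all") and labels the columns as the text explains.
# Helper names and SAMPLE_STATES are this example's own, constructed data.

ENDPOINT_RE = re.compile(r"^(?P<host>[0-9.]+):(?P<port>\d+)$")  # IPv4 host:port


def parse_endpoint(token):
    """Split 'host:port' into ('host', port); IPv4 only in this example."""
    match = ENDPOINT_RE.match(token)
    if not match:
        raise ValueError(f"unrecognised endpoint: {token!r}")
    return match.group("host"), int(match.group("port"))


def parse_state_line(line):
    """Return a dict for one state line.

    Two endpoints mean the connection is not translated; three mean the middle
    endpoint is the address and port the gateway substituted (NAT), the first
    is the original internal source and the last is the real destination."""
    tokens = line.split()
    if len(tokens) >= 2 and tokens[1].lower() in ("tcp", "udp", "icmp"):
        tokens = tokens[1:]  # drop the interface column of newer pfctl output
    proto, state = tokens[0].lower(), tokens[-1]
    endpoints = [parse_endpoint(t) for t in tokens[1:-1] if t != "->"]
    if len(endpoints) not in (2, 3):
        raise ValueError(f"unexpected number of endpoints in {line!r}")
    return {
        "proto": proto,
        "state": state,
        "original_src": endpoints[0],
        "translated_src": endpoints[1] if len(endpoints) == 3 else None,
        "dst": endpoints[-1],
    }


def nat_sessions(lines):
    """List (internal host, destination host, destination port, state) for
    every translated state, i.e. what an operator needs to attribute an
    outbound connection seen from the outside to the machine behind NAT."""
    sessions = []
    for line in lines:
        rec = parse_state_line(line)
        if rec["translated_src"] is not None:
            sessions.append((rec["original_src"][0], rec["dst"][0],
                             rec["dst"][1], rec["state"]))
    return sessions


# Constructed sample lines modelled on the entry explained above.
SAMPLE_STATES = [
    "TCP 192.168.1.35:2132 -> 24.5.0.5:53136 -> 65.42.33.245:22 TIME_WAIT:TIME_WAIT",
    "UDP 192.168.1.35:2491 -> 24.5.0.5:60527 -> 24.2.68.33:53 MULTIPLE:SINGLE",
    "all tcp 192.168.1.10:40122 -> 24.5.0.5:61000 -> 65.42.33.245:22 ESTABLISHED:ESTABLISHED",
    "TCP 203.0.113.9:51000 -> 24.5.0.5:22 ESTABLISHED:ESTABLISHED",
]

if __name__ == "__main__":
    for host, dst, port, state in nat_sessions(SAMPLE_STATES):
        print(f"{host} -> {dst}:{port} ({state})")
```

The last sample line has only two endpoints: an inbound connection to the gateway itself, which no NAT rule rewrote, so it is reported as untranslated rather than attributed to an internal host.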
------------------------------------------------------------------------------
$OpenBSD: nat.html,v 1.15 2004/05/07 01:55:23 nick Exp $
==============================================================================
rdr on tl0 proto tcp from 27.146.49.14 to any port 80 ->
192.168.1.20
rdr on tl0 proto tcp from 16.114.4.89 to any port 80 ->
192.168.1.22
rdr on tl0 proto tcp from 24.2.74.178 to any port 80 ->
192.168.1.23
rdr on $int_if proto tcp from $int_net to $ext_if port 80 ->
127.0.0.1 port 5000
Combining RDR and NAT
The problem described above, where the source address is left untranslated, can be solved by adding a NAT rule on the internal interface.
rdr on $int_if proto tcp from $int_net to $ext_if port 80 ->
$server
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $server port 80 ->
$int_if
block in quick on tl0 inet from 127.0.0.0/8 to any
block in quick on tl0 inet from 192.168.0.0/16 to any
block in quick on tl0 inet from 172.16.0.0/12 to any
block in quick on tl0 inet from 10.0.0.0/8 to any
block out quick on tl0 inet from any to 127.0.0.0/8
block out quick on tl0 inet from any to 192.168.0.0/16
block out quick on tl0 inet from any to 172.16.0.0/12
block out quick on tl0 inet from any to 10.0.0.0/8
Look at the simpler example below:
block in quick on tl0 inet from { 127.0.0.0/8, 192.168.0.0/16,
172.16.0.0/12, 10.0.0.0/8 } to any
block out quick on tl0 inet from any to { 127.0.0.0/8,
192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
The ruleset is reduced from 8 lines to 2. It gets even better when macros are used in conjunction with lists:
NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
10.0.0.0/8 }"
ExtIF = "tl0"
block in quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs
block in quick on tl0 inet from 127.0.0.0/8 to any
block in quick on tl0 inet from 192.168.0.0/16 to any
block in quick on tl0 inet from 172.16.0.0/12 to any
block in quick on tl0 inet from 10.0.0.0/8 to any
block out quick on tl0 inet from any to 10.0.0.0/8
block out quick on tl0 inet from any to 172.16.0.0/12
block out quick on tl0 inet from any to 192.168.0.0/16
block out quick on tl0 inet from any to 127.0.0.0/8
pre = "pass in quick on ep0 inet proto tcp from "
post = "to any port { 80, 6667 } keep state"
# David's classroom
$pre 21.14.24.80 $post
# Nick's home
$pre 24.2.74.79 $post
$pre 24.2.74.178 $post
After expansion:
pass in quick on ep0 inet proto tcp from 21.14.24.80 to any
port = 80 keep state
pass in quick on ep0 inet proto tcp from 21.14.24.80 to any
port = 6667 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.79 to any
port = 80 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.79 to any
port = 6667 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.178 to any
port = 80 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.178 to any
port = 6667 keep state
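The list expansion shown at the top of this page and the macro-plus-list expansion just above follow one mechanical rule: every $name is replaced by its definition, and each { } list multiplies the rule into one copy per item (the cartesian product when a rule has several lists). The added example below (not code from the OpenBSD PF FAQ, and not pfctl's own implementation) reproduces that expansion so a ruleset can be checked offline before loading; the function names and SAMPLE_CONF are this example's own, with the sample built from the rules quoted on this page. pfctl prints single ports as "port = 80" and may order the expanded rules differently (the page shows the out rules reversed); this expander keeps the item order as written.

```python
import itertools
import re

# Added example, not code from the OpenBSD PF FAQ: a small expander that mimics
# how pfctl turns pf.conf macros ($name) and { } lists into single-item rules.
# The function names and SAMPLE_CONF below are this example's own (constructed).

MACRO_DEF_RE = re.compile(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$')
MACRO_USE_RE = re.compile(r"\$(\w+)")
LIST_RE = re.compile(r"\{([^}]*)\}")


def substitute_macros(line, macros):
    """Replace every $name with its definition; an undefined macro is an error,
    just as pfctl refuses to load a ruleset that uses one."""
    def repl(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError(f"macro ${name} used before it was defined")
        return macros[name]
    return MACRO_USE_RE.sub(repl, line)


def expand_lists(rule):
    """Expand each { a, b, ... } list into the cartesian product of rules that
    name exactly one item per list.  Items may be separated by commas or spaces."""
    lists = LIST_RE.findall(rule)
    if not lists:
        return [" ".join(rule.split())]
    choices = [[item for item in re.split(r"[,\s]+", body.strip()) if item]
               for body in lists]
    expanded = []
    for combo in itertools.product(*choices):
        items = iter(combo)
        single = LIST_RE.sub(lambda _m: next(items), rule)
        expanded.append(" ".join(single.split()))
    return expanded


def expand_conf(text):
    """Walk a pf.conf-style text: strip comments and blank lines, join
    backslash-continued lines, record macro definitions, and return the
    fully expanded rule list in the order the rules were written."""
    macros, rules, pending = {}, [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        definition = MACRO_DEF_RE.match(line)
        if definition:
            name, value = definition.groups()
            macros[name] = substitute_macros(value, macros)
            continue
        line = substitute_macros(line, macros)
        if line.lstrip().startswith(("set ", "table ")):
            rules.append(" ".join(line.split()))  # braces here are options, not lists
            continue
        rules.extend(expand_lists(line))
    return rules


SAMPLE_CONF = """
# constructed sample built from the rules quoted on this page
NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
ExtIF = "tl0"
block in quick on $ExtIF inet from $NoRouteIPs to any
block out quick on $ExtIF inet from any to $NoRouteIPs
pre = "pass in quick on ep0 inet proto tcp from "
post = "to any port { 80, 6667 } keep state"
# David's classroom
$pre 21.14.24.80 $post
# Nick's home
$pre 24.2.74.79 $post
$pre 24.2.74.178 $post
block out on fxp0 proto { tcp udp } from { 192.168.0.1, 10.5.32.6 } \\
    to any port { ssh telnet }
"""

if __name__ == "__main__":
    for rule in expand_conf(SAMPLE_CONF):
        print(rule)
```

Running the sample prints 22 rules: the two NoRouteIPs rules become 4 + 4, the three $pre/$post rules become 6, and the last rule, with three lists of two items each, becomes 8. Seeing the expanded count is the quickest way to notice when a list in a rule multiplies it far more than intended.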
block in on rl0 all
pass in quick log on rl0 proto tcp from any to any port 22 keep state
can be simplified to:
block in on rl0
pass in quick log on rl0 proto tcp to port 22 keep state
The first rule blocks all incoming packets on rl0 from anywhere to anywhere; the second rule passes TCP traffic to port 22 in on rl0.
Return Simplification
A ruleset that blocks packets and replies with a TCP RST or ICMP Unreachable can be written like this:
block in all
block return-rst in proto tcp all
block return-icmp in proto udp all
block out all
block return-rst out proto tcp all
block return-icmp out proto udp all
set timeout
interval – seconds between purges of expired states and packet fragments.
frag – seconds before an unassembled fragment is expired.
For example:
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set loginterface dc0
set fingerprints /etc/pf.os.test
set state-policy if-bound
------------------------------------------------------------------------------
$OpenBSD: options.html,v 1.8 2004/05/07 01:55:23 nick Exp $
==============================================================================