- # vi /etc/pf.conf
- # NOTE(review): pf evaluates the whole ruleset and the LAST matching rule wins
- # unless a rule carries "quick". Several of the notes below follow from that.
- #pass out log on egress proto tcp to any port smtp
- #block in quick from urpf-failed to any # use with care
- # By default, do not permit remote connections to X11
- # NOTE(review): this block has no "quick", so for hosts on $internal_net it is
- # superseded by the later "pass in on $int_if from $internal_net to any". If
- # X11 must stay closed to the LAN as well, make it "block in quick ...".
- block in on ! lo0 proto tcp to port 6000:6010
- # Macros: external (egress) interface, internal interface, internal subnet.
- # NOTE(review): $ext_if is tun0, yet the NAT rules below are written for re0.
- # Confirm which interface actually carries the upstream link; only one of the
- # two can be right.
- ext_if="tun0"
- int_if="re1"
- internal_net="192.168.1.0/24"
- # for NAT
- # NOTE(review): both "pass out ... nat-to" rules come BEFORE "block out all",
- # and no later rule passes traffic out on re0 (the later pass rules name tun0
- # and re1). With last-match semantics outbound packets on re0 therefore end up
- # blocked and the translation never takes effect. The two rules also overlap:
- # if re1:network is the 192.168.1.0/24 subnet they match the same traffic and
- # only the second (nat-to re0) would ever apply. Pick one translation address,
- # write it as "match out on <egress> from $internal_net to any nat-to
- # (<egress>)", and add the filtering pass rule for that interface after the
- # block-all defaults.
- pass out on re0 from 192.168.1.0/24 to any nat-to 10.10.12.100
- pass out on re0 from re1:network to any nat-to re0
- # for firewall
- # Default deny in both directions; the pass rules below open specific paths.
- # NOTE(review): consider "block log in all" / "block log out all" so that
- # dropped traffic is recorded on pflog0 and the default deny can be monitored.
- block in all
- block out all
- # Loopback is unrestricted; "quick" stops evaluation for lo0 traffic here.
- pass quick on lo0 all
- # Outbound on the external link from the firewall itself: TCP only on SYN
- # (flags S/SA) with sequence-number modulation, UDP/ICMP stateful.
- pass out on $ext_if proto tcp all modulate state flags S/SA
- pass out on $ext_if proto { udp,icmp } all keep state
- # The internal subnet may initiate any protocol to any destination through
- # the internal interface, and anything may be sent back to it; pf keeps state
- # for pass rules by default.
- pass in on $int_if from $internal_net to any
- pass out on $int_if from any to $internal_net
- # cat /etc/sysctl.conf
- # NOTE(review): this is the stock OpenBSD sysctl.conf (see the $OpenBSD$ tag
- # below) with three settings switched on: net.inet.ip.forwarding,
- # net.inet6.ip6.forwarding and machdep.allowaperture. Every other line is the
- # shipped catalogue of options, left commented out. The stock layout keeps a
- # trailing "# ..." description on each value line; rc(8) strips that text when
- # it applies the file (confirm against the release's /etc/rc), so keep this
- # format rather than importing other parsers' conventions.
- # $OpenBSD: sysctl.conf,v 1.53 2012/05/31 15:04:03 sthen Exp $
- #
- # This file contains a list of sysctl options the user wants set at
- # boot time. See sysctl(3) and sysctl(8) for more information on
- # the many available variables.
- #
- # IPv4 routing is required for the NAT/firewall role set up in pf.conf above.
- net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
- #net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
- #net.inet.ip.multipath=1 # 1=Enable IP multipath routing
- #net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects
- #net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects (for hosts)
- # NOTE(review): IPv6 forwarding is enabled too, so this host routes v6 as well.
- # The pf ruleset above has no address-family restriction, so its default
- # "block in all"/"block out all" also covers v6 -- but confirm v6 routing is
- # intended here rather than left on by accident.
- net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
- #net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 multicast packets
- #net.inet6.ip6.multipath=1 # 1=Enable IPv6 multipath routing
- #net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
- #net.inet.tcp.always_keepalive=1 # 1=Keepalives for all connections (e.g. hotel/airport NAT)
- #net.inet.tcp.keepidle=100 # 100=send TCP keepalives every 50 seconds
- #net.inet.tcp.rfc1323=0 # 0=Disable TCP RFC1323 extensions (for if tcp is slow)
- #net.inet.tcp.rfc3390=0 # 0=Disable RFC3390 for TCP window increasing
- #net.inet.esp.enable=0 # 0=Disable the ESP IPsec protocol
- #net.inet.ah.enable=0 # 0=Disable the AH IPsec protocol
- #net.inet.esp.udpencap=0 # 0=Disable ESP-in-UDP encapsulation
- #net.inet.ipcomp.enable=1 # 1=Enable the IPCOMP protocol
- #net.inet.etherip.allow=1 # 1=Enable the Ethernet-over-IP protocol
- #net.inet.tcp.ecn=1 # 1=Enable the TCP ECN extension
- #net.inet.carp.preempt=1 # 1=Enable carp(4) preemption
- #net.inet.carp.log=3 # log level of carp(4) info, default 2
- #ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
- #ddb.console=1 # 1=Permit entry of ddb from the console
- #fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
- #vm.swapencrypt.enable=0 # 0=Do not encrypt pages that go to swap
- #vfs.nfs.iothreads=4 # Number of nfsio kernel threads
- #net.inet.ip.mtudisc=0 # 0=Disable tcp mtu discovery
- #kern.usercrypto=1 # 1=Enable userland use of /dev/crypto
- #kern.userasymcrypto=1 # 1=Permit userland to do asymmetric crypto
- #kern.splassert=2 # 2=Enable with verbose error messages
- #kern.nosuidcoredump=2 # 2=Put suid coredumps in /var/crash
- #kern.watchdog.period=32 # >0=Enable hardware watchdog(4) timer if available
- #kern.watchdog.auto=0 # 0=Disable automatic watchdog(4) retriggering
- #kern.pool_debug=0 # 0=Disable pool corruption checks (faster)
- #hw.allowpowerdown=0 # 0=Disable power button shutdown
- # NOTE(review): allowaperture=2 lets the X server map I/O ports and physical
- # memory (xf86(4)), which weakens the kernel's protection against a compromised
- # root-level X process. On a headless router/firewall this should stay at the
- # default of 0 -- confirm X11 is actually run on this host (the pf.conf above
- # only carries the stock X11 port block, which says nothing either way).
- machdep.allowaperture=2 # See xf86(4)
- #machdep.apmhalt=1 # 1=powerdown hack, try if halt -p doesn't work
- #machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt
- #machdep.lidsuspend=1 # laptop lid closes cause a suspend
- #machdep.userldt=1 # allow userland programs to play with ldt,
- # required by some ports
- #kern.emul.aout=1 # enable running dynamic OpenBSD a.out bins
- #kern.emul.linux=1 # enable running Linux binaries
- #