[OpenBSD] PF rules collection thread

#1  Posted 2008-05-11 18:54
Brothers who use OpenBSD and PF, please post your own pf rules so that newcomers like us have something to refer to, and everyone can learn from each other!!

#2  Posted 2008-05-11 19:08
My rubbish rules; hoping the experts will give some pointers.

ext_if="em0"
set block-policy drop
set optimization aggressive
set loginterface $ext_if
set require-order yes
set limit { states 180000, frags 150000, src-nodes 10000 }
set fingerprints "/etc/pf.os"

scrub in all
block all
pass out all
pass quick on lo0
antispoof quick for $ext_if inet
block in on $ext_if from any to any
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
table <spammers> persist file "/etc/spammers"
block in on $ext_if from <spammers> to any
#pass quick on  $ext_if all
pass in quick on $ext_if proto tcp from any to any port 6809 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 6808 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 250 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 2593 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
#pass in quick on $ext_if proto tcp from any to any port 14534 flags S/SA keep state
#pass in on $ext_if proto tcp from any to $ext_if port >50000 flags S/SA keep state
#pass in quick on $ext_if proto tcp from any to any port 80 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port 8767 keep state
pass in quick on $ext_if proto udp from any to any port 8768 keep state
pass in quick on $ext_if proto udp from any to any port 8769 keep state
table <abusive_hosts> persist
pass in on $ext_if proto tcp from <abusive_hosts> to $ext_if port 80 flags S/SA keep state \
(max-src-conn 5, max-src-states 1)
pass in on $ext_if proto tcp to $ext_if port 80 flags S/SA keep state \
(source-track rule, max-src-conn-rate 30/15, overload <abusive_hosts> flush global)
#pass out on $ext_if proto tcp all modulate state flags S/SA
#pass out on $ext_if proto { udp, icmp } all keep state

#3  Posted 2008-05-12 17:38
#2's is quite messy. At the risk of embarrassing myself, I'll just paste a test ruleset of mine; adjust it yourself.


# ******************************************** #
#             Edit By Sunwaylove               #
#             Support:010-85XXXXX              #
#             Mail:sunwaylove@163.com          #
# ******************************************** #

# ********* Start Configure ****************** #
ext_if="em1"
int_if="em0"
ext_http="192.168.251.1"
http_hosts="{ 10.1.237.98, 10.1.237.95 }"
table <testhost> { 10.1.237.0/24 }
table <localhost> { 10.1.0.0/16 }

set skip on lo
scrub in all

# ********** NAT Configure ******************* #
#nat on $int_if from <testhost> to any -> $ext_if
#rdr on $ext_if proto tcp from any to $ext_http port 80 -> $http_hosts port 80
#rdr-anchor "relayd/*"

# ********** PF  Configure ******************* #
# ***** Deny all *****
block in all
block out all

# ***** Default Allow *****
pass quick on lo0 all
antispoof quick for { lo, $int_if }
pass in on $ext_if inet proto 47 all
pass in on $ext_if inet proto udp from any to any port 500
pass in on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state
pass in on $ext_if inet proto icmp from any to any
pass out on $ext_if inet proto 47 all
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# ***** Allow localhost to pass *****
pass in on $int_if inet from <localhost> to any
pass out on $int_if inet from any to <localhost>

# ***** Allow sunwaylove to pass *****
pass in quick on $int_if inet proto tcp from 10.1.22.123 to any
pass in quick on $int_if inet proto tcp from 10.1.2.138 to any
pass out quick on $int_if inet proto tcp from 10.1.22.123 to any
pass out quick on $int_if inet proto tcp from 10.1.2.138 to any

#4  Posted 2008-05-12 17:45
By the way, newcomers should first read the Essentials section and understand what each part of a PF ruleset actually means before asking questions. This board is a bit different from the Linux board; please respect the efforts of the moderators and gurus, and work on your own ability to learn BSD.

#5  Posted 2008-05-12 17:49

Newcomer here, bookmarking this.

#6  Posted 2008-05-13 17:04
Use pfw!!!

#7  Posted 2008-05-13 17:17
# ***** Allow sunwaylove to pass *****
pass in quick on $int_if inet proto tcp from 10.1.22.123 to any
pass in quick on $int_if inet proto tcp from 10.1.2.138 to any
pass out quick on $int_if inet proto tcp from 10.1.22.123 to any
pass out quick on $int_if inet proto tcp from 10.1.2.138 to any

Of these 4 lines, 2 have a problem, heh~

#8  Posted 2008-05-13 17:31
Heh, right, I did write them wrong (though it shouldn't matter much). Sharp eyes! That was my draft; the last 2 lines should correctly be

pass out quick on $int_if inet proto tcp from any to 10.1.22.123
pass out quick on $int_if inet proto tcp from any to 10.1.2.138
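The mistake caught in #7 and fixed in #8 is a direction/address inversion: a packet leaving the firewall on the inside interface is headed towards an inside host, so the inside address belongs in `to`, not `from`. The following is an added example, not code from any poster in this thread: a small Python lint that parses simple `pass` rules and flags `pass out on IF ... from X` where X is an address behind IF. The interface-to-network mapping (`$int_if` behind `10.1.0.0/16`) is an assumption taken from `table <localhost>` in #3, and the sample rules are constructed from the lines quoted in #7 and #8.

```python
import ipaddress
import re

# Assumption (not from the thread's configs directly): the network that sits
# behind each interface, taken from post #3's table <localhost> { 10.1.0.0/16 }.
IFACE_NETS = {
    "$int_if": ipaddress.ip_network("10.1.0.0/16"),
}

# Matches the simple rule shape used in the thread:
#   pass in|out [quick] on IFACE ... from SRC to DST ...
RULE_RE = re.compile(
    r"^pass\s+(?P<dir>in|out)\b.*?\bon\s+(?P<iface>\S+)"
    r".*?\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)


def parse_rule(line):
    """Return (direction, interface, src, dst) for a simple pass rule, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return m.group("dir"), m.group("iface"), m.group("src"), m.group("dst")


def _addr_in(addr, net):
    """True only for a literal IP address inside net; 'any', tables and macros are skipped."""
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False


def lint_direction(lines, iface_nets=IFACE_NETS):
    """Flag 'pass out on IF ... from X to ...' where X lives behind IF.

    Outbound on the inside interface means the packet is travelling *to*
    the inside network, so an inside source address can never match.
    Returns a list of (line_number, rule) pairs that look inverted.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        direction, iface, src, _dst = parsed
        net = iface_nets.get(iface)
        if net is None:
            continue  # interface not in the mapping; nothing to check
        if direction == "out" and _addr_in(src, net):
            findings.append((n, line.strip()))
    return findings


# Constructed sample: the four lines from post #3 plus the two corrected lines from post #8.
SAMPLE_RULES = [
    "pass in quick on $int_if inet proto tcp from 10.1.22.123 to any",
    "pass in quick on $int_if inet proto tcp from 10.1.2.138 to any",
    "pass out quick on $int_if inet proto tcp from 10.1.22.123 to any",  # inverted
    "pass out quick on $int_if inet proto tcp from 10.1.2.138 to any",   # inverted
    "pass out quick on $int_if inet proto tcp from any to 10.1.22.123",  # corrected
    "pass out quick on $int_if inet proto tcp from any to 10.1.2.138",   # corrected
]

if __name__ == "__main__":
    for n, rule in lint_direction(SAMPLE_RULES):
        print(f"line {n}: inside address in 'from' of an outbound rule: {rule}")
```

Running it reports lines 3 and 4 of the sample, the same two lines #7 pointed out, and stays quiet on the corrected forms. Such a rule is harmless in the sense #8 describes (it simply never matches), but a rule that never matches is usually a sign that the traffic it was meant to allow is being caught by some other rule instead, which is why checking it before `pfctl -f` is worthwhile.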