Package Filter (1)

ypingyuan

Package Filter
1， 打开转发功能, 编辑/etc/sysctl.conf, 将net.inet.ip.forwarding=1前面的注释符号 # 去掉。
2， 编辑/etc/rc.conf， 打开PF， pf=YES。
3， 编辑/etc/pf.conf， 设置规则链。我的pf.conf规则链还没设置好， 这里就先贴我现在写的pf.conf， 私网中的机器已可以上网了。
Gate-OpenBSD# cat pf.conf
# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if="ne3"
int_if="dc0"
tcp_services="{21, 22, 53, 67, 68, 80, 113, 443}"
udp_services="{22, 53, 68}"
icmp_types="echoreq"
lan_net="192.168.1.0/24"
scrub in all
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
block log all
pass quick on lo0 all
antispoof for { lo $int_if $ext_if } inet
pass in on $ext_if inet proto tcp from any to $ext_if port ssh flags S/SA keep state
pass in on $int_if inet proto tcp from $lan_net to $int_if port ssh flags S/SA keep state
pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net
pass out on $ext_if proto tcp from any to any port $tcp_services keep state
pass out on $ext_if proto udp from any to any port $udp_services keep state
pass in on $int_if proto tcp from any to any port $tcp_services keep state
pass in on $int_if proto udp from any to any port $udp_services keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out inet proto icmp all icmp-type $icmp_types keep state


本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u/5624/showart_18720.html