Your rules are not written correctly, so how could they restrict anything!
My rules are nothing special, but they work well enough for me; use them for reference:
cat pf.conf
ext_if="tun0"
int_if="rl1"
# note: 6881><6889 is pf's exclusive range (6882 through 6888); use 6881:6889 for the inclusive range
deny_ports="{135, 137, 138, 139, 445, 593, 4444, 6881><6889, 6969}"
deny_address="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
icmp_types="echoreq"
udp_services="{53}"
video_ports="{554, 1755, 8080}"
http_ports="{80, 443}"
set block-policy return
set optimization aggressive
set loginterface $ext_if
scrub in all
altq on $ext_if cbq bandwidth 512Kb queue { std_out, http_out, ssh_out, dns_out, video_out }
queue std_out bandwidth 25% cbq(default)
queue http_out bandwidth 40% priority 3 cbq(red borrow)
queue ssh_out bandwidth 10% priority 4
queue dns_out bandwidth 5% priority 5
queue video_out bandwidth 20% priority 6 cbq(red borrow)
altq on $int_if cbq bandwidth 100% queue { std_in, http_in, ssh_in, dns_in }
queue std_in bandwidth 40% cbq(default)
queue http_in bandwidth 40% priority 3 cbq(borrow)
queue ssh_in bandwidth 10% priority 4 cbq(borrow)
queue dns_in bandwidth 10% priority 5
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
block all
block quick inet6 all
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
pass quick on lo0 all
antispoof quick for { $int_if $ext_if } inet
# passive OS fingerprinting only applies to TCP and must sit inside a from/to spec
block in quick on $ext_if proto tcp from any os "NMAP" to any
block in quick on $ext_if inet from $deny_address to ($ext_if)
block out quick on $ext_if inet from ($ext_if) to $deny_address
block in quick on $int_if proto {tcp, udp} from $int_if:network to any port $deny_ports flags S/SA
block in quick on $ext_if proto {tcp, udp} from any to ($ext_if) port $deny_ports flags S/SA
pass in quick inet proto icmp all icmp-type $icmp_types keep state
pass out quick inet proto icmp all icmp-type $icmp_types keep state
# filter rules for inbounds
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
The rule above is for FTP transfers.
# filter rules for out bounds
pass out on $ext_if inet proto {tcp, udp} from ($ext_if) to any flags S/SA keep state queue std_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port ssh flags S/SA keep state queue ssh_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $video_ports flags S/SA keep state queue video_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $http_ports flags S/SA keep state queue http_out
pass out on $ext_if inet proto {tcp, udp} from ($ext_if) to any port domain keep state queue dns_out
# filter rules for lan
# pass in on $int_if inet proto tcp from $int_if:network to any port $tcp_services keep state
pass in on $int_if inet proto tcp from $int_if:network to any keep state
pass in on $int_if inet proto udp from $int_if:network to any port $udp_services keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $int_if inet proto tcp from any to $int_if:network port ssh keep state queue ssh_in
pass out on $int_if inet proto tcp from any to $int_if:network port http keep state queue http_in
pass out on $int_if inet proto {tcp, udp} from any to $int_if:network port domain keep state queue dns_in
[ This post was last edited by rainren on 2005-12-26 08:13 ]
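A small consistency check for the kind of pf.conf posted above, added here as an example and not part of the original post or of pf itself: it verifies that every `$macro` is defined before use, that every `queue` a rule assigns was declared under an `altq` block, and that the child bandwidth percentages under each `altq` parent do not exceed 100%. The embedded config is a constructed excerpt of the posted file, with the `int_if` altq block and the `http_ports` macro deliberately left out so the checker has something to report.

```python
import re

# Constructed excerpt of the posted pf.conf (int_if altq block and http_ports omitted on purpose)
PF_CONF = """\
ext_if="tun0"
int_if="rl1"
altq on $ext_if cbq bandwidth 512Kb queue { std_out, http_out, video_out }
queue std_out bandwidth 25% cbq(default)
queue http_out bandwidth 40% priority 3 cbq(red borrow)
queue video_out bandwidth 20% priority 6 cbq(red borrow)
# pass in on $int_if inet proto tcp from $int_if:network to any port $tcp_services keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port $http_ports flags S/SA keep state queue http_out
pass out on $int_if inet proto tcp from any to $int_if:network port ssh keep state queue ssh_in
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')          # name="value"
MACRO_REF = re.compile(r'\$(\w+)')                          # $name or $name:network
ALTQ_DECL = re.compile(r'^altq on \$?(\w+) .*\bqueue \{([^}]*)\}')
QUEUE_DEF = re.compile(r'^queue (\w+) bandwidth (\d+)%')
QUEUE_USE = re.compile(r'\bqueue (\w+)$')                   # trailing "queue name" on a rule

def lint(conf):
    # returns (list of problems, {altq parent: summed child bandwidth %})
    macros, parent_of, declared, usage, problems = set(), {}, set(), {}, []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # comments are ignored, as pfctl does
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros.add(m.group(1))
            continue
        problems += [f'line {n}: macro ${ref} used before definition'
                     for ref in MACRO_REF.findall(line) if ref not in macros]
        m = ALTQ_DECL.match(line)
        if m:
            for q in m.group(2).replace(',', ' ').split():
                parent_of[q] = m.group(1)     # child queue -> interface of its altq parent
            continue
        m = QUEUE_DEF.match(line)
        if m:
            declared.add(m.group(1))
            parent = parent_of.get(m.group(1), '?')   # '?' = queue named under no altq block
            usage[parent] = usage.get(parent, 0) + int(m.group(2))
            continue
        m = QUEUE_USE.search(line)
        if m and m.group(1) not in declared:
            problems.append(f'line {n}: rule assigns undeclared queue {m.group(1)}')
    for parent, pct in usage.items():
        if pct > 100:
            problems.append(f'altq on {parent}: child bandwidth sums to {pct}%')
    return problems, usage
```

Run `lint(PF_CONF)` on the excerpt and it reports the missing `$http_ports` macro and the undeclared `ssh_in` queue; the full posted file passes both checks once the `int_if` block is present.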