大伙来看看我的PF规则是否合理?
1,顺序是否得当?
2,quick的用法不知是否合理?
# cat /etc/pf.conf
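# $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# Gateway ruleset: $ext_if faces the upstream link, $int_if faces the LAN.
# pf evaluates filter rules last-match-wins unless a rule carries "quick",
# so every "quick" rule below is a final decision taken before the ordinary
# pass rules further down are considered.

# Macros
ext_if="em0"
int_if="em1"
lan_net="192.168.0.0/24"
loop="lo0"
icmp_types="echoreq"
# Address ranges that must never be seen on the external link (RFC 1918,
# loopback, limited broadcast); used for anti-spoofing in both directions.
noroute="{127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,255.255.255.255/32}"
# TCP ports reachable from the outside
tcp_services="{22}"

# Options
# How blocked packets are answered: "return" sends TCP RST / ICMP unreachable.
# NOTE(review): on an Internet-facing interface "drop" discloses less to
# scanners; the anti-spoof rules below already override this with "block drop".
set block-policy return
# Expire idle states quickly - lower memory use
set optimization aggressive
# Interface whose counters pfctl -s info reports
set loginterface $ext_if

# Normalization: reassemble IP fragments on all interfaces
scrub in all

# Translation: NAT the LAN behind the external address, and redirect the
# LAN's active-FTP control connections to the proxy listening on
# 127.0.0.1 port 8021 (ftp-proxy(8) is expected to be running there and to
# populate the "ftp-proxy/*" anchors with its data-connection rules).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr pass on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# Filtering
# Default policy: deny everything in both directions, then open explicitly
block all

# Loopback is trusted; must precede antispoof so 127.0.0.0/8 on lo0 survives
pass quick on $loop all

# IPv6 is not used
block in quick inet6 all
block out quick inet6 all

# Anti-spoofing
# Reject packets whose source claims a loopback or LAN address but that
# arrive on some other interface (antispoof expands to the interface's
# own networks).
antispoof quick for { $loop, $int_if }
# Silently drop unroutable sources and destinations on the external link,
# in both directions: the outbound rule stops private-destination traffic
# from leaking upstream.
block drop in quick on $ext_if from $noroute to any
block drop in quick on $ext_if from any to $noroute
block drop out quick on $ext_if from any to $noroute

# Refuse SSH from hosts that pf's passive OS fingerprinting classifies as
# Linux.  NOTE(review): this rule is not bound to an interface, so it also
# applies to LAN clients on $int_if, and OS fingerprinting is a heuristic
# that can misclassify or be evaded; add "on $ext_if" if only the outside
# is meant.
block in quick proto tcp from any os "Linux" to any port ssh

# Services offered to the outside: only the listed TCP ports, new
# connections only (SYN set, ACK clear), tracked statefully
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
# Answer echo requests on every interface
pass in inet proto icmp all icmp-type $icmp_types keep state

# LAN may initiate anything; replies flow back through the state table
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Outbound to the Internet: TCP with ISN modulation, plus UDP and ICMP
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state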