This is what I am currently using:
# Macros
ext_if="fxp0" # replace with actual external interface name i.e., dc0
int_if="nve0" # replace with actual internal interface name i.e., dc1
loop = "lo0"
noroute = "{ 192.168.0.0/16 }"
ports = "{ 20, 21, 22, 25, 53, 80, 110, 143 }"
private_nets = "{ 192.168.0.0/24 }"
# Table of addresses to block, loaded from a file (one address or CIDR per line)
table <block_domains> file "/etc/block_domains"
icmp_type = "echoreq"

# Options
set block-policy drop
set loginterface $ext_if
set timeout src.track 60

# Normalization
scrub in all

# NAT for the internal network
nat on $ext_if from $int_if:network to any -> $ext_if

# Drop TCP packets with invalid flag combinations (port-scan fingerprinting)
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags SFUP/SFRAU
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU

# Anti-spoofing on the external interface
antispoof quick for $ext_if inet

# Default deny; later rules open what is needed (last matching rule wins unless "quick")
block all
pass quick on lo0 all

# The table is only referenced here, in an outbound rule
block out on $ext_if from any to <block_domains>

# Do not let private addresses in or out on the external interface
block drop in quick on $ext_if from $private_nets to any
block drop out quick on $ext_if from any to $private_nets

# Inbound services on the external interface, plus ping
pass in on $ext_if inet proto tcp from any to $ext_if port $ports flags S/SA keep state
pass in inet proto icmp icmp-type $icmp_type keep state

# Internal network in and out
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Outbound from the firewall itself / NATed clients
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state
I added the IPs I want to block to <block_domains>, but it has no effect: some IPs keep scanning my web server for files.
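Why the table has no effect in the ruleset above: pf applies the last matching rule unless a rule carries "quick", and the only rule that references <block_domains> is a "block out" rule, so it never sees the scanner's inbound SYN. That SYN is matched by the later "pass in on $ext_if ... port $ports ... keep state" rule, a state is created, and every later packet of the connection (including the server's replies going out) matches the state and bypasses the ruleset entirely, so the "block out" rule is never consulted either. The following rules are an added example, not the original poster's configuration; they assume the same macro names and the same table file path, and would go in place of the existing "block out ... <block_domains>" line:

```pf
# Added example (not from the original post): block the listed addresses
# inbound, with "quick" so no later "pass in" rule can override the decision.
# "persist" keeps the table in the kernel even when the file is empty.
table <block_domains> persist file "/etc/block_domains"

# Drop scanners before any pass rule can match, in both directions.
# "log" writes the inbound hits to pflog so the table's effect is visible.
block drop in log quick on $ext_if from <block_domains> to any
block drop out quick on $ext_if from any to <block_domains>
```

Two checks to make after changing this: first, verify that the table actually contains what you expect with `pfctl -t block_domains -T show` (the file is only read when the ruleset is loaded; after editing it, reload the table with `pfctl -t block_domains -T replace -f /etc/block_domains`, and syntax-check the whole ruleset with `pfctl -nf /etc/pf.conf`). Second, states that already exist survive a ruleset reload, so a scanner with an open connection keeps its state until it expires; `pfctl -k <address>` kills the existing states for that source so the new block rule applies immediately. Blocking by address only helps against scanners that keep the same source; for the web server itself, the file-probing requests are better answered by hardening the web application than by an ever-growing address list.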