Please take a look at my pf.conf:
ext_if0="tun0"
int_if="fxp3"
lan_net="192.168.123.0/24"
table <work_ip> {192.168.123.0/24}
#table <lan_ip> persist file "/etc/pf_rules/lan.ip"
deny_ports="{135, 137, 138, 139, 445, 593, 4444, 6881><6889, 6969}"
deny_address="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
icmp_types="echoreq"
udp_services="{53}"
video_ports="{554, 1755, 8080}"
http_ports="{80, 443}"
boss_net="{ 192.168.123.3, 192.168.123.4 }"
my_net="192.168.123.5"
set block-policy return
set optimization aggressive
set loginterface $ext_if0
scrub in on $ext_if0 all fragment reassemble
altq on $int_if cbq bandwidth 1024Kb queue {hi_in,low_in,my_in}
queue hi_in on $int_if bandwidth 700Kb cbq(default)
queue low_in on $int_if bandwidth 124Kb cbq(red)
queue my_in on $int_if bandwidth 200Kb cbq(red)
#altq on $ext_if0 cbq bandwidth 100% queue { std_out, http_out, ssh_out, dns_out, video_out }
# queue std_out bandwidth 25% cbq(default)
# queue http_out bandwidth 40% priority 3 cbq(red borrow)
# queue ssh_out bandwidth 10% priority 4
# queue dns_out bandwidth 5% priority 5
# queue video_out bandwidth 20% priority 6 cbq(red borrow)
altq on $ext_if0 cbq bandwidth 100% queue { hi_out, low_out }
queue hi_out bandwidth 70% cbq(default)
queue low_out bandwidth 30% cbq(red)
nat on $ext_if0 from $lan_net to any -> ($ext_if0)
block all
block quick inet6 all
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
pass quick on lo0 all
antispoof quick for { $int_if $ext_if0 } inet
block in quick on $ext_if0 os NMAP
block in quick on $ext_if0 inet from $deny_address to ($ext_if0)
block out quick on $ext_if0 inet from ($ext_if0) to $deny_address
block in quick on $int_if proto {tcp, udp} from $int_if:network to any port $deny_ports flags S/SA
block in quick on $ext_if0 proto {tcp, udp} from any to ($ext_if0) port $deny_ports flags S/SA
pass in quick inet proto icmp all icmp-type $icmp_types keep state
pass out quick inet proto icmp all icmp-type $icmp_types keep state
# filter rules for inbounds
pass in on $ext_if0 inet proto tcp from any to ($ext_if0) port ssh flags S/SA keep state
pass in on $ext_if0 inet proto tcp from port 20 to ($ext_if0) user proxy flags S/SA keep state
# filter rules for out bounds
#pass out on $ext_if0 inet proto {tcp, udp} from ($ext_if0) to any flags S/SA keep state queue std_out
#pass out on $ext_if0 inet proto tcp from ($ext_if0) to any port ssh flags S/SA keep state queue ssh_out
#pass out on $ext_if0 inet proto tcp from ($ext_if0) to any port $video_ports flags S/SA keep state queue video_out
#pass out on $ext_if0 inet proto tcp from ($ext_if0) to any port $http_ports flags S/SA keep state queue http_out
#pass out on $ext_if0 inet proto {tcp, udp} from ($ext_if0) to any port domain keep state queue dns_out
pass out on $ext_if0 inet keep state
# note: the nat rule on $ext_if0 above rewrites the source address to ($ext_if0)
# before these outbound rules are evaluated, so a source of 192.168.123.3 or
# 192.168.123.5 is never seen here
pass out on $ext_if0 inet from 192.168.123.3 to any keep state queue hi_out
# queue names are case-sensitive; the queue defined above is low_out
pass out on $ext_if0 inet from 192.168.123.5 to any keep state queue low_out
# filter rules for lan
pass in on $int_if inet from <work_ip> to any keep state \
(source-track rule, max-src-nodes 200, max-src-states 200, tcp.established 60, tcp.closing 5) queue low_in
pass in on $int_if inet from $boss_net to any keep state \
(source-track rule, max-src-nodes 200, max-src-states 200, tcp.established 60, tcp.closing 5) queue hi_in
pass in on $int_if inet from $my_net to any keep state \
(source-track rule, max-src-nodes 200, max-src-states 200, tcp.established 60, tcp.closing 5) queue my_in
Now I can limit the download speed and the number of connections of specific workstations, but limiting the upload of specific workstations just won't work!
This rule: pass out on $ext_if0 inet from 192.168.123.3 to any keep state queue hi_out
or written like this: pass out on $ext_if0 inet from any to 192.168.123.3 keep state queue hi_out
Neither of them works!