pf.conf

Posted on: 2007-06-09  Source:  Author:  Hits:  Tags:

$ cat /etc/pf.conf
#       $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
#       $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
#ext_if="vr0"   # replace with actual external interface name i.e., dc0
ext_if="tun0"
int_if="nv0"    # replace with actual internal interface name i.e., dc1
#internal_net="10.1.1.1/8"
#external_addr="192.168.1.1"

# Tables: similar to macros, but more flexible for many addresses.
table <private> const { 10/8, 172.16/12, 192.168/16, 127/8, 255.255.255.255/32 }
table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all
block log all

pass quick on lo0 all
pass quick on $int_if keep state
antispoof for lo0
antispoof for { $int_if, $ext_if } inet
block drop in quick on $ext_if from <private> to any
block drop out quick on $ext_if from any to <private>
block return-icmp in log on $ext_if proto udp all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass  out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table <foo>.
pass in on { $ext_if, $int_if } proto { tcp, udp } from any to <foo> port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
$
----------------------------------------------------------------------------------------------------
pingyuan# pfctl -sa
No ALTQ support in kernel
ALTQ related functions disabled
FILTER RULES:
scrub in all fragment reassemble
block drop log all
pass quick on lo0 all
pass quick on nv0 all keep state
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in on ! nv0 inet from 10.0.0.0/8 to any
block drop in inet from 10.0.0.1 to any
block drop in on ! tun0 inet from 211.95.29.0/24 to any
block drop in inet from 211.95.29.16 to any
block drop in quick on tun0 from <private> to any
block drop out quick on tun0 from any to <private>
block return-icmp(port-unr, port-unr) in log on tun0 proto udp all
pass in on tun0 inet proto tcp from any to 211.95.XX.XX port = ssh keep state
pass out on tun0 proto tcp all keep state
pass out on tun0 proto udp all keep state
pass in on tun0 proto tcp from any to <foo> port = http keep state
pass in on tun0 proto udp from any to <foo> port = http keep state
pass in on nv0 proto tcp from any to <foo> port = http keep state
pass in on nv0 proto udp from any to <foo> port = http keep state

STATES:
self udp 211.95.29.16:53298 -> 211.95.1.123:53       MULTIPLE:SINGLE
self udp 211.95.29.16:59463 -> 211.95.1.123:53       SINGLE:NO_TRAFFIC
self udp 211.95.29.16:65484 -> 211.95.1.123:53       MULTIPLE:SINGLE
self udp 211.95.29.16:55278 -> 211.95.1.123:53       MULTIPLE:SINGLE

INFO:
Status: Enabled for 0 days 00:08:24           Debug: Urgent

Hostid: 0x0012f16d

State Table                          Total             Rate
  current entries                        4
  searches                            5126           10.2/s
  inserts                                4            0.0/s
  removals                               0            0.0/s
Counters
  match                               5123           10.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

LIMITS:
states     hard limit  10000
src-nodes  hard limit      0
frags      hard limit   5000

TABLES:
foo
private

OS FINGERPRINTS:
293 fingerprints loaded
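The comment at the top of the pf.conf says that filter rules are last match, and the expanded ruleset from pfctl -sa above shows the `quick` rules and the antispoof expansions that change that ordering in practice. The following Python script is an added example, not part of the original post or of pf itself: a toy evaluator that replays the page's expanded FILTER RULES against a few constructed packets, so the effect of last-match, `quick`, and the `!` exclusion inside table <foo> can be seen without a BSD host. Two assumptions are labelled in the code: the page masks the `$ext_if` address in the ssh rule as 211.95.XX.XX, and the script uses 211.95.29.16, the tun0 address the antispoof lines print; the sample packets are constructed, not captured from the host. pf's real matching (normalization, state lookup before rules, option keywords) is much richer than this subset.

```python
"""Toy pf filter evaluator: last matching rule wins, 'quick' ends the search (added example)."""
import ipaddress

SERVICES = {"ssh": 22, "http": 80}   # service names pfctl printed for the ports used here

# Tables as the page's pf.conf defines them; a leading '!' marks an excluded sub-prefix.
TABLES = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                "255.255.255.255/32"],
    "foo": ["10.0.0.0/8", "!10.1.0.0/16", "192.168.0.0/24", "192.168.1.18/32"],
}

# FILTER RULES from the page's pfctl -sa output. Assumption: the masked 211.95.XX.XX in the
# ssh rule is the tun0 address 211.95.29.16 shown by the antispoof expansion.
RULES = [
    "block drop log all",
    "pass quick on lo0 all",
    "pass quick on nv0 all keep state",
    "block drop in on ! lo0 inet from 127.0.0.0/8 to any",
    "block drop in on ! lo0 inet6 from ::1 to any",
    "block drop in on ! nv0 inet from 10.0.0.0/8 to any",
    "block drop in inet from 10.0.0.1 to any",
    "block drop in on ! tun0 inet from 211.95.29.0/24 to any",
    "block drop in inet from 211.95.29.16 to any",
    "block drop in quick on tun0 from <private> to any",
    "block drop out quick on tun0 from any to <private>",
    "block return-icmp(port-unr, port-unr) in log on tun0 proto udp all",
    "pass in on tun0 inet proto tcp from any to 211.95.29.16 port = ssh keep state",
    "pass out on tun0 proto tcp all keep state",
    "pass out on tun0 proto udp all keep state",
    "pass in on tun0 proto tcp from any to <foo> port = http keep state",
    "pass in on tun0 proto udp from any to <foo> port = http keep state",
    "pass in on nv0 proto tcp from any to <foo> port = http keep state",
    "pass in on nv0 proto udp from any to <foo> port = http keep state",
]


def in_table(name, addr):
    """pf table lookup: the longest matching prefix decides, and a '!' entry excludes."""
    ip = ipaddress.ip_address(addr)
    best = None  # (network, included?)
    for entry in TABLES[name]:
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, not entry.startswith("!"))
    return best is not None and best[1]


def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("<"):
        return in_table(spec.strip("<>"), addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse_rule(text):
    """Extract the matching criteria of one expanded pfctl rule line (subset of the grammar)."""
    t = text.split()
    rule = {"action": t.pop(0), "dir": None, "quick": False, "iface": None, "iface_neg": False,
            "proto": None, "src": "any", "dst": "any", "port": None, "text": text}
    while t:
        tok = t.pop(0)
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok == "quick":
            rule["quick"] = True
        elif tok == "on":
            nxt = t.pop(0)
            if nxt == "!":                       # 'on ! nv0' = every interface except nv0
                rule["iface_neg"], nxt = True, t.pop(0)
            rule["iface"] = nxt
        elif tok == "proto":
            rule["proto"] = t.pop(0)
        elif tok in ("from", "to"):
            rule["src" if tok == "from" else "dst"] = t.pop(0)
        elif tok == "port":
            if t[0] == "=":
                t.pop(0)
            name = t.pop(0)
            rule["port"] = int(SERVICES.get(name, name))
        # drop, log, all, inet/inet6, keep state and return-icmp(...) add no criteria here
    return rule


def rule_matches(rule, pkt):
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] and (rule["iface"] == pkt["iface"]) == rule["iface_neg"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["port"] is not None and rule["port"] != pkt["dport"]:
        return False
    return addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])


def evaluate(pkt, rules=RULES):
    """Return (action, rule text): last match wins unless a matching rule says 'quick'."""
    verdict = ("pass", "implicit 'pass all' (no rule matched)")
    for rule in map(parse_rule, rules):
        if rule_matches(rule, pkt):
            verdict = (rule["action"], rule["text"])
            if rule["quick"]:
                break
    return verdict


def packet(iface, direction, proto, src, dst, dport):
    return {"iface": iface, "dir": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}


# Constructed sample traffic, not captured from the page's host.
SAMPLES = {
    "ssh_from_internet":    packet("tun0", "in", "tcp", "203.0.113.7", "211.95.29.16", 22),
    "spoofed_rfc1918_src":  packet("tun0", "in", "tcp", "192.168.1.5", "211.95.29.16", 22),
    "udp_probe":            packet("tun0", "in", "udp", "203.0.113.7", "211.95.29.16", 53),
    "http_to_foo":          packet("tun0", "in", "tcp", "203.0.113.7", "10.2.3.4", 80),
    "http_to_excluded_foo": packet("tun0", "in", "tcp", "203.0.113.7", "10.1.5.5", 80),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, why = evaluate(pkt)
        print(f"{name:22} -> {action:5} via: {why}")
```

Running it shows why the ruleset behaves as it does: the spoofed RFC 1918 source is dropped by the `quick` rule on tun0 even though a later `pass ... port ssh` rule would otherwise match; the UDP probe ends on the `block return-icmp` rule because nothing after it matches UDP to the host itself; and 10.1.5.5 falls back to `block drop log all` because the `!10.1.0.0/16` entry excludes it from <foo> while 10.2.3.4 is accepted.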

Original article from: http://www.ltesting.net