Category: BSD

2012-05-26 12:02:40


# cat /etc/pf.conf
# pf.conf sections, in the order pf expects them (a rule in the wrong section is a parse error):
#1. Macros
#2. Tables
#3. Options
#4. Packet normalization
#5. Bandwidth management
#6. Translation
#7. Redirection
#8. Packet filtering

# echo 'pf_enable="YES"' >> /etc/rc.conf
# echo 'pflog_enable="YES"' >> /etc/rc.conf

# pfctl -nf /etc/pf.conf    (parse the file and report errors without loading it)
# pfctl -ef /etc/pf.conf    (enable PF and load the ruleset)
# pfctl -f /etc/pf.conf     (load the ruleset, replacing the running one)
# pfctl -sr                 (show the loaded filter rules)
# pfctl -s info             (show status and counters)
# pfctl -Fa                 (-F all: flush rules, states, tables and counters)
# pfctl -e                  (enable; the rc script /etc/rc.d/pf start also loads $pf_rules)
# pfctl -d                  (disable; equivalent to /etc/rc.d/pf stop)
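The pfctl commands above are the building blocks of the one procedure every pf admin needs on a box that is only reachable over SSH: check the new file with -n, keep the ruleset that is known to work, load, and roll back automatically unless the load is confirmed. The script below is an added example, not part of the original post; it assumes pfctl is on PATH (override PFCTL otherwise) and that /etc/pf.conf is the ruleset currently in use.

```shell
#!/bin/sh
# Added example (not from the original post): remote-safe pf ruleset reload.
# Syntax-check first, keep a copy of the working ruleset, load the new one,
# and restore the copy automatically unless the load is confirmed in time.
# Assumption: pfctl is on PATH; set PFCTL to point at it otherwise.
PFCTL="${PFCTL:-pfctl}"

# pf_safe_reload NEW [CURRENT]: on success prints the path of the rollback copy.
pf_safe_reload() {
    new="$1"; current="${2:-/etc/pf.conf}"
    # -n parses and reports errors without touching the running ruleset
    "$PFCTL" -nf "$new" || { echo "pf_safe_reload: $new rejected, nothing loaded" >&2; return 1; }
    snap=$(mktemp /tmp/pf.rollback.XXXXXX) || return 1
    cp "$current" "$snap" || return 1
    "$PFCTL" -f "$new" || { rm -f "$snap"; return 1; }
    echo "$snap"
}

# pf_rollback_unless_confirmed SNAP SECONDS: run in the background right after
# the load; if the snapshot still exists when the timer fires, reload it.
pf_rollback_unless_confirmed() {
    sleep "$2"
    if [ -f "$1" ]; then
        "$PFCTL" -f "$1" && echo "pf: no confirmation, old ruleset restored" >&2
    fi
}

# pf_confirm SNAP: the new ruleset works (you could open a NEW ssh session),
# so cancel the pending rollback by removing its snapshot.
pf_confirm() { rm -f "$1"; }

# Typical session, commented out so this file can be sourced:
#   snap=$(pf_safe_reload /etc/pf.conf.new) || exit 1
#   pf_rollback_unless_confirmed "$snap" 60 &
#   ... open a second ssh session to prove you are not locked out ...
#   pf_confirm "$snap" && cp /etc/pf.conf.new /etc/pf.conf
```

The snapshot is a copy of the configuration file rather than `pfctl -sr` output: `-sr` prints only the filter rules, so tables, options and NAT from the old ruleset would be lost on rollback.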

# Conventions below
# int=internet  if=interface  net=network
#

# === macros BEGIN ===
int_if="alc0"
net_local="192.168.1.0/24"
icmp_types="echoreq"
tcp_services="{ 22 }"    # defined but not used by the rules below
# === macros END ===

# === options BEGIN ===
set skip on lo0
# === options END ===

# === filter rules BEGIN ===
scrub in all
# default deny inbound on the interface; the pass rules below punch holes (last matching rule wins)
block in on $int_if
antispoof quick for { lo $int_if }
# use "block return" so that blocked connections are closed right away:
# with "return", a TCP RST is sent for blocked TCP packets and an ICMP unreachable for all others
block return in on $int_if proto { tcp, udp } from ! $net_local to $int_if port 113
# allow SSH traffic from local network
pass in on $int_if proto tcp from $net_local to $int_if port 22
# allow outgoing traffic (pass keeps state by default, so the replies come back in)
pass out on $int_if proto { tcp, udp } all
# allow outgoing ICMP echo requests; inbound pings, even from the local network, are still caught by "block in"
pass out on $int_if inet proto icmp all icmp-type $icmp_types

# === filter rules END ===

# === About port 113 BEGIN ===
# The IDENT (AUTH) protocol is often necessary for the smooth functioning of certain services
# such as mail, POP3, FTP and IRC. Dropping IDENT packets on the firewall may make these services
# slow or fail: the remote server opens a connection to TCP port 113, and if the SYN is silently
# dropped it waits for a SYN/ACK until the connection attempt times out. IDENT is a security
# concern, so IDENT requests should normally not be answered, and yet they cannot simply be
# dropped if the service is to function properly.

# The proper way to handle IDENT requests is to create a REJECT rule ("block return") instead of
# dropping them at the firewall. This way the firewall returns an RST/ACK to the requesting server,
# which gives up immediately instead of waiting for the timeout.
# === About port 113 END ===
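Two things decide what this ruleset does to a packet: pf's last-matching-rule-wins evaluation (cut short only by `quick`), and the difference between a plain `block` and `block return`. The script below is an added example, not part of the original post: it expands the macros, parses the subset of pf syntax this file uses, and reports which rule decides a given packet. It models only pass/block lines (scrub, antispoof and set are skipped, although antispoof really expands into extra block rules), and it assumes alc0 carries the address 192.168.1.1 (IFACE_ADDRS), which the page never states.

```python
"""Last-match-wins evaluator for the pf ruleset on this page (added example).

Handles: pass/block [return] [in|out] [quick] on IF [inet] [proto {...}]
[all | from [!] X to Y] [port N] [icmp-type T]. scrub/antispoof/set are ignored.
Assumption: $int_if (alc0) carries 192.168.1.1, see IFACE_ADDRS.
"""
import ipaddress
import re

PF_CONF = '''
int_if="alc0"
net_local="192.168.1.0/24"
icmp_types="echoreq"
set skip on lo0
scrub in all
block in on $int_if
antispoof quick for { lo $int_if }
block return in on $int_if proto { tcp, udp } from ! $net_local to $int_if port 113
pass in on $int_if proto tcp from $net_local to $int_if port 22
pass out on $int_if proto { tcp, udp } all
pass out on $int_if inet proto icmp all icmp-type $icmp_types
'''
IFACE_ADDRS = {"alc0": {"192.168.1.1"}}   # assumed: addresses of the interface
KEYWORDS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst",
            "port": "dport", "icmp-type": "icmp_type"}   # keywords taking 1 arg


def expand_macros(text):
    """Return the non-macro lines with every $name replaced by its value."""
    macros, lines = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        lines.append(re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line))
    return lines


def parse_rule(line):
    """Parse one pass/block line; return None for lines this model ignores."""
    # "{ tcp, udp }" -> "tcp,udp" so a brace list becomes one token
    line = re.sub(r"\{([^}]*)\}", lambda m: m.group(1).replace(" ", ""), line)
    toks = line.split()
    if toks[0] not in ("pass", "block"):
        return None
    r = dict(action=toks[0], quick=False, dir=None, iface=None, proto=None, src=None,
             src_neg=False, dst=None, dport=None, icmp_type=None, text=line)
    r["return"] = False
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("return", "quick"):
            r[t] = True
        elif t in ("in", "out"):
            r["dir"] = t
        elif t in ("inet", "all"):        # "all" is "from any to any"
            pass
        elif t in KEYWORDS:
            i += 1
            if t == "from" and toks[i] == "!":
                r["src_neg"], i = True, i + 1
            r[KEYWORDS[t]] = set(toks[i].split(",")) if t == "proto" else toks[i]
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
        i += 1
    return r


def host_match(spec, addr):
    """Does `addr` fall under host spec `spec` (any, an interface name, or a CIDR)?"""
    if spec is None or spec == "any":
        return True
    if spec in IFACE_ADDRS:               # "to $int_if" means the interface's addresses
        return addr in IFACE_ADDRS[spec]
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r, pkt):
    """Packet fields: dir, iface, proto, src, dst, and optionally dport / icmp_type."""
    ok = (not r["dir"] or r["dir"] == pkt["dir"]) \
        and (not r["iface"] or r["iface"] == pkt["iface"]) \
        and (not r["proto"] or pkt["proto"] in r["proto"]) \
        and (not r["dst"] or host_match(r["dst"], pkt["dst"])) \
        and (r["dport"] is None or str(pkt.get("dport")) == r["dport"]) \
        and (not r["icmp_type"] or pkt.get("icmp_type") == r["icmp_type"])
    # a negated source ("! $net_local") must NOT match, a plain one must
    return ok and (not r["src"] or host_match(r["src"], pkt["src"]) != r["src_neg"])


def evaluate(rules, pkt):
    """pf semantics: the LAST matching rule wins unless a matching rule says quick."""
    verdict, why = "pass", "no rule matched (pf passes by default)"
    for r in rules:
        if matches(r, pkt):
            verdict, why = r["action"] + (" return" if r["return"] else ""), r["text"]
            if r["quick"]:
                break
    return verdict, why


RULES = [r for r in map(parse_rule, expand_macros(PF_CONF)) if r]
```

Running `evaluate(RULES, pkt)` with an inbound TCP packet from 10.0.0.5 to port 113 yields `block return` from the IDENT rule, the same packet to port 22 yields a plain `block` (the pass rule requires a $net_local source), and an inbound echo request from 192.168.1.10 is also blocked: `block in on $int_if` is the last match, since the ICMP rule is `pass out` only.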
