lo_if="lo0"
icmp_types="echoreq"//允许PING
table {$lan_if,$wan_if}

table {127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8} //私有地址，防止IP欺骗
table {10.129.29.201, 10.129.29.202, 10.129.29.203}//吧台，只允许访问办公网
table //临时屏蔽地址，配合portsentry使用防止恶意扫描
table file "/etc/chinanet"//电信IP段，做缓存

# 网络参数选项，根据自己情况设.
set timeout {interval 3,frag 5}
set timeout {tcp.first 20,tcp.opening 10,tcp.established 600}
set timeout {tcp.closing 10,tcp.finwait 10,tcp.closed 10}
set timeout {udp.first 10,udp.single 10,udp.multiple 60}
set timeout {icmp.first 5,icmp.error 5}
set timeout {other.first 10,other.single 10,other.multiple 30}
set timeout {adaptive.start 0,adaptive.end 0}
set limit {src-nodes 40000,states 40000,frags 10000}
set loginterface $wan_if
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on $lo_if
# scrub
scrub in all

# set altq
# set altq
altq on $wan_if bandwidth 200Mb cbq queue {other, ssh, ping}
queue ping bandwidth 100Kb priority 1
queue other bandwidth 80% priority 3 cbq(default,red)
queue ssh bandwidth 10% priority 7 cbq(ecn,borrow)

altq on $lan_if bandwidth 160Mb cbq qlimit 200 queue {lanq}
queue lanq bandwidth 90% priority 5 cbq(default,red)

# nat
rdr on {$lan_if} proto tcp from to any -> *.*.*.* port 8080//*.*.*.*为办公网地址
no nat on $lan_if from to any
rdr on {$lan_if} proto tcp from $lan_if:network to port 80 -> $lo_if port 8080
rdr on {$wan_if} proto tcp from any to $wan_if port {22,23,3389} -> $lo_if port 3389
rdr on {$wan_if,$lan_if} proto tcp from any to $wan_if port 2222 -> $lo_if port 22
nat on $wan_if from $lan_if:network to any -> ($wan_if)

# default block
block all
pass out quick all keep state
pass quick on lo0 all keep state
block in quick from to any
antispoof quick for {$wan_if,$lan_if}

# rules
block in quick on $wan_if from to any
block out quick on $wan_if from any to

pass in quick on $lan_if  from $lan_if:network to ! keep state

pass in log quick proto tcp from any to $lo_if port 8080 flags S/SA synproxy state (source-track rule, max-src-nodes 800, max-src-states 60, tcp.established 60, tcp.closing 5) queue ssh

pass in log quick proto tcp from any to $lo_if port 22 flags S/SA synproxy state (max 10, source-track rule, max-src-nodes 5, max-src-states 3, tcp.established 300, tcp.closing 5) queue ssh

pass in quick inet proto icmp from any to  icmp-type $icmp_types keep state queue ping
pass in log quick proto tcp from any to $lo_if port 3389 flags S/SA synproxy state (max 5, source-track rule, max-src-nodes 5, max-src-states 1, tcp.established 3, tcp.closing 1) queue ping

系统配置:AMD2800+,512M内存，TP-Link3269。ARP双向绑定，带机600台，已经运行半年了。

文件: pf.tar.gz 大小: 1KB 下载: 下载