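# Expire idle states quickly. "aggressive" shortens every state timeout
# (see pf.conf(5) "set optimization"), which saves memory on a busy box but
# also tears down legitimately idle long-lived sessions (quiet SSH, DB
# connections) before the peers are finished - watch for that side effect.
# NOTE: in the extracted copy both directives below had been glued onto the
# end of their comment lines and were therefore not in effect; restored.
set optimization aggressive

# Normalization: reassemble fragments and resolve or reduce traffic
# ambiguities before any filter rule sees the packet.
scrub in all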
# Outbound NAT: LAN traffic leaving $ext_if is rewritten to the interface's
# current address. The parentheses make pf re-read that address whenever it
# changes (DHCP/PPP links). An omitted "to" clause means "to any".
# An earlier, narrower variant only translated traffic bound for $ext_net:
#   nat on $ext_if from $int_net to $ext_net -> ($ext_if)
nat on $ext_if from $int_net -> ($ext_if)

# Port forwards to the web server - disabled. If this is ever re-enabled,
# note that besides www it would publish 3389 (RDP) and 4899 (commonly the
# Radmin default) to the whole Internet; restrict the source addresses or
# drop the remote-administration ports from the list first. 7745 is not a
# well-known service - document what it is before exposing it.
#rdr pass on $ext_if proto tcp from any to $ext_if port {www,3389,4899,7745} -> $web_server
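#-------------------- Anti-DoS / per-source connection limits --------------------
# The pass rule keeps per-source counters (source-track rule) for TCP
# connections from the LAN to the firewall's own internal address:
#   max-src-conn 100        - at most 100 simultaneous established connections per source
#   max-src-conn-rate 15/3  - at most 15 new connections per 3 seconds per source
#   max-src-states 30       - at most 30 state entries per source created by this rule
# A source that exceeds any limit is added to the overload table and the
# states this rule created for it are flushed; the block rule then drops it.
# NOTE: the original comments quoted 120 connections and 8 per second, which
# did not match the values actually in the rule; the rule values are what is
# documented above.
# NOTE: the table name was lost when this file was extracted. <dos_offenders>
# is a placeholder - any name works, but it must be identical in all three
# places below.
# NOTE: "persist" keeps the table across rule reloads, and pf never expires
# overload entries by itself; without a periodic
#   pfctl -t dos_offenders -T expire 86400
# (cron) an offending source stays blocked forever and the table only grows.
table <dos_offenders> persist

# Must precede the pass rule: "quick" ends evaluation for listed sources.
block in quick from <dos_offenders>

pass in on $int_if inet proto tcp from any to $int_if flags S/SA keep state \
    (source-track rule, max-src-conn 100, max-src-conn-rate 15/3, max-src-states 30, \
     overload <dos_offenders> flush)
# NOTE(review): the original option list also ended with "src.track 1". That is
# not a state option listed in pf.conf(5) and looks like text copied from
# pfctl -vsr output; it was dropped here. Confirm the rule loads with
# "pfctl -nf pf.conf" on the target release.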
# TCP ports the macro name ties to the Windows LSASS/RPC worm family
# (Sasser era): MS RPC and SMB/NetBIOS (135, 139, 445, 593), rexec (512),
# and 5554/9995/9996, commonly attributed to the FTP server and remote
# shell those worms opened. Blocked so an infected LAN host cannot spread
# through the firewall.
# NOTE(review): there is no "in"/"out" keyword, so this blocks both directions
# on $int_if - including legitimate SMB/NetBIOS between any LAN segments that
# are routed across this box. Intended only if no Windows file sharing
# crosses the firewall.
LSassVirusPort = "{ 135, 139, 445, 512, 593, 5554, 9995, 9996 }"
block quick on $int_if inet proto tcp to port $LSassVirusPort
# Ports commonly used by BitTorrent clients (6880-6890, 8880-8890) and
# trackers (6969). Port-based blocking only catches clients left on their
# defaults - current clients randomise ports and encrypt - so treat this as
# a nuisance filter, not enforcement.
# NOTE(review): the list also carries 512 (rexec), 2049 (NFS), 4662 (the
# eDonkey/eMule default) and 8888 (a common alternate HTTP port). They are
# blocked under the BitTorrent label on both interfaces; verify each is wanted.
# "a:b" is an inclusive port range and matches exactly the same ports as the
# original enumerated list.
BitTorrentPort = "{ 512, 2049, 4662, 6880:6890, 6969, 8880:8890, 10700, 21881 }"

# Both interfaces, both directions; matched on destination port and,
# separately, on source port.
block quick on { $int_if, $ext_if } inet proto tcp to port $BitTorrentPort
block quick on { $int_if, $ext_if } inet proto tcp from port $BitTorrentPort
# Disabled: per-subnet blocking of game traffic, kept for reference.
#gameClientPorts = "{4002, 2000, 3838, 4410, 4210, 4230, 5005, 4290, 10010 }"
#GameDenyClients ="{192.168.128.0/24, 192.168.132.0/24}"
#GameServerIps = "{204.251.15.167, 61.152.93.145}"
#block quick on $int_if inet proto tcp from $GameDenyClients to any port $gameClientPorts
#block quick on $ext_if from $GameServerIps to $GameDenyClients
#block quick on $int_if from $GameDenyClients to $GameServerIps
# A single remote host that LAN clients may not reach, in either direction
# on $int_if. Blocking on a raw address is brittle - the address can change
# hands - so record why this host is denied next to the entry and revisit
# it. (Macro name is lowercase while the others in this file are CamelCase.)
denyserverips = "{ 202.108.193.21 }"
block quick on $int_if to $denyserverips
# Disabled: quarantine of one LAN host (the macro name suggests it was once
# flagged as infected), kept for reference.
#LSassVirusIp ="{192.168.1.194}"
#block quick on $int_if from $LSassVirusIp to any