PF
2007-08-18 17:14
device pf
device pflog
device pfsync

options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC
options ALTQ_DEBUG

#######################################

man pf.conf
pfctl -f pf.conf      load the rules in pf.conf

pfctl -sr             show the filter rules
pfctl -sn             show the NAT rules
pfctl -sa             show all PF information
pfctl -Rf pf.conf     reload only the filter rules
pfctl -Nf pf.conf     reload only the NAT rules
pfctl -Fa -f pf.conf  flush everything and reload all rules
######################################
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
#######################################
Packet filtering is the selective passing or blocking of packets as they cross a network interface. The criteria pf(4) uses when inspecting a packet are based on the layer 3 (IPv4 or IPv6) and layer 4 (TCP, UDP, ICMP, ICMPv6) headers. The most commonly used criteria are source and destination address, source and destination port, and protocol.

A filter rule set specifies the criteria a packet must match and the action that results when it does: pass or block. The rules are evaluated in order from first to last. Unless the packet matches a rule that contains the quick keyword, the packet is checked against every rule before the final action is taken. The last matching rule is decisive: it determines what finally happens to the packet. There is also an implicit rule: if a packet matches none of the rules in the rule set, it is passed.
action direction [log] [quick] on interface [af] [proto protocol] \
from src_addr [port src_port] to dst_addr [port dst_port] \
[tcp_flags] [state]
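As an added illustration of the evaluation order just described (example code, not PF's own), here is a small Python model of a ruleset in the shape of the pf.conf snippets in the comments below: rules are walked top to bottom, the last match wins, quick ends evaluation at once, and a packet that matches nothing is passed. It models only direction, interface, protocol and destination port (the `><` and `:` port ranges from pf.conf); scrub, antispoof and state options are left out.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

def port_spec(spec: str) -> range:
    """pf.conf port expression -> matching ports: '19 >< 23' excludes
    both ends (20..22), '20:22' includes them, '22' is one port."""
    s = spec.replace(" ", "")
    if "><" in s:
        lo, hi = map(int, s.split("><"))
        return range(lo + 1, hi)
    if ":" in s:
        lo, hi = map(int, s.split(":"))
        return range(lo, hi + 1)
    return range(int(s), int(s) + 1)

@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str = "any"        # "in", "out" or "any"
    iface: Optional[str] = None   # None matches any interface
    proto: Optional[str] = None   # None matches any protocol
    port: Optional[range] = None  # destination ports; None matches any
    quick: bool = False

Packet = namedtuple("Packet", "direction iface proto dport")

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction in ("any", p.direction) and r.iface in (None, p.iface)
            and r.proto in (None, p.proto) and (r.port is None or p.dport in r.port))

def evaluate(rules, p: Packet):
    """Return (action, index of deciding rule); index None = implicit pass."""
    decision = ("pass", None)      # nothing matched yet: PF's default is pass
    for i, r in enumerate(rules):
        if matches(r, p):
            decision = (r.action, i)   # last match so far wins
            if r.quick:                # quick: stop, skip the rest
                break
    return decision

# Constructed ruleset in the shape of the first comment's pf.conf
RULES = [
    Rule("block"),                                              # block all
    Rule("pass", iface="lo", quick=True),                       # pass quick on lo all
    Rule("pass", "out", "fxp0"),                                # pass out on $ext_if
    Rule("pass", "in", "fxp0", "tcp", port_spec("19 >< 23")),   # port 19 >< 23
    Rule("pass", "in", "fxp0", "tcp", port_spec("80")),         # port www
    Rule("pass", "in", "fxp0", "tcp", port_spec("9000><9999")),
]
```

Note that TCP to port 23 is blocked even though the rule says `19 >< 23`: the `><` form excludes both boundaries, so only ports 20 to 22 match.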

Comments:
1
2007-08-18 20:09
## macros
ext_if = "fxp0"
web_server = "192.168.1.7"
#table <rfc1918> const { 192.168.0.0/16,!192.168.1.2/32 ,172.16.0.0/12,10.0.0.0/8 }

## tear down inactive connections quickly
set optimization aggressive

## scrub incoming packets
scrub in all

antispoof quick for $ext_if inet

block all
pass quick on lo all

pass out on $ext_if from $ext_if to any keep state
pass in on $ext_if proto tcp from any to $web_server port 19 >< 23 flags S/SA keep state
# keep state or synproxy state
pass in on $ext_if proto tcp from any to $web_server port www flags S/SA keep state
pass in on $ext_if proto tcp from any to $web_server port 9000><9999 flags S/SA keep state
 
2
2007-08-19 20:26
ident PFOK
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
options PANIC_REBOOT_WAIT_TIME=0
options DEVICE_POLLING
options HZ=2000
options IPSTEALTH
# options RANDOM_IP_ID
options TCP_DROP_SYNFIN
 
3
2007-08-19 21:59
ext_if = "fxp0"
web_server = "192.168.1.7"
table <rfc1918> const { 192.168.0.0/16,!192.168.1.2/29 ,172.16.0.0/12,10.0.0.0/8 }
oports = "{ 19><23 , 9000><9999}"
set optimization aggressive
scrub in all

antispoof quick for $ext_if inet

block all
block quick on $ext_if from <rfc1918> to any
pass quick on lo all

table <ddos> persist
block in quick from <ddos>

pass out on $ext_if from $ext_if to any keep state

pass in on $ext_if proto tcp to $web_server port 22 flags S/SA keep state (max 80, source-track rule, max-src-nodes 40, max-src-states 3, max-src-conn-rate 2/1, overload <ddos> flush)
pass in on $ext_if proto tcp to $web_server port www flags S/SA keep state (max 2000, source-track rule, max-src-nodes 1000, max-src-states 10, max-src-conn-rate 15/3, overload <ddos> flush)

# keep state or synproxy state

 
4
2007-08-20 18:33
if_isp1="fxp0"
if_isp2="ne3"
gw_isp1="192.168.0.1"
gw_isp2="192.168.1.10"

block all

pass quick on lo0 all

pass in quick on $if_isp1 reply-to ( $if_isp1 $gw_isp1 ) proto {tcp,udp,icmp} to any keep state
pass in quick on $if_isp2 reply-to ( $if_isp2 $gw_isp2 ) proto {tcp,udp,icmp} to any keep state

pass out keep state
 
5
2007-08-24 22:16
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $web port 80

pass in on $ext_if proto tcp from any to $web port 80 flags S/SA synproxy state
 