PF(firewall) 的設置
- 分類: BSD
- 發佈: 2006-05-28, 週日 15:17
- 作者: Super User
# Enable pf at boot: add (or set) the following line inside /etc/rc.conf.
vi /etc/rc.conf
pf_enable="YES"
# Keep a copy of the shipped ruleset before editing it
# (-p preserves mode/ownership; -r is unnecessary for a single file but harmless).
cp -rp /etc/pf.conf /etc/pf.conf.bak
# Edit the ruleset; the listing that follows is the new /etc/pf.conf.
# Check the syntax before loading it: pfctl -nf /etc/pf.conf
vi /etc/pf.conf
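# Macros: the external interface and the services reachable from it.
ext_if="vr0"
# TCP services exposed on $ext_if: SMTP, HTTP, POP3, POP3S, SSH.
tcp_services="{ 25, 80, 110, 995, 22 }"
# Services exposed over both TCP and UDP: DNS.
tcp_udp_services="{ 53 }"
# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# Adaptive timeouts are disabled (start/end 0); state entries age only by
# the fixed timeouts above even when the state table is close to its limit.
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
# No interface is selected for the "pfctl -s info" counters. This does not
# affect the "log" keyword on the rules below, which writes to pflog0.
set loginterface none
set optimization normal
# Blocked packets are silently dropped unless a rule says otherwise
# (the two "return-rst"/"return-icmp" rules below do).
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Filtering: default deny in both directions. "log" records every blocked
# packet on pflog0 (requires pflog_enable="YES" in /etc/rc.conf) so that
# scans and misconfigured clients are visible instead of vanishing.
block log all
block return-rst out proto tcp all
block return-icmp out proto udp all
#block in quick on $ext_if inet proto tcp from 222.95.9.148 to $ext_if
# Drop TCP packets with flag combinations no legitimate stack sends
# (FIN+URG+PSH, SYN+FIN, no flags at all); these are classic scan probes.
block in log quick on $ext_if inet proto tcp from any to $ext_if flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to $ext_if flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to $ext_if flags /SFRA
pass quick on lo0 all
# Drop packets that arrive with a source address belonging to this host or
# to $ext_if's own network but come from the wrong interface. Placed after
# the lo0 rule so loopback traffic is not caught by the expanded block rules.
antispoof quick for $ext_if inet
# All outbound TCP/UDP from this host is allowed and tracked by state.
# Outbound ICMP is not covered here and falls through to "block all".
pass out on $ext_if proto { tcp, udp } all keep state
# Inbound: only the listed services, and only for a clean SYN (flags S/SA),
# so a state is created exactly once per new connection.
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_udp_services flags S/SA keep state
# "flags" only applies to TCP, so the UDP half of the former "{ tcp, udp }"
# rule is written as its own rule without a flags clause.
pass in on $ext_if inet proto udp from any to $ext_if port $tcp_udp_services keep state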