Duangw

pf.conf configuration

These are some configuration templates for the Packet Filter (PF) firewall.

This article applies to OpenBSD 4.1 and FreeBSD 7.0 and later versions.

Reference: PF: The OpenBSD Packet Filter

1 The pf.conf template series

As with the iptables templates, a series of pf.conf configuration templates is provided here to suit different needs. Choose a template according to your environment, then adjust it to the actual situation. The templates currently available are:

Each template is described in detail below.

2 Template descriptions

2.1 pf.conf-client.ref

# no restrictions on the local loopback interface:
set skip on lo

# normalise fragments and other irregular packets:
scrub in

# block address-spoofing attacks (replace vic0 with the actual interface name):
antispoof quick for { lo vic0 }

# default policy: block everything:
block all

# as a client, allow outbound access to anywhere:
pass out

# services allowed by default:
# ping
pass in inet proto icmp icmp-type echoreq
# ssh
pass in proto tcp to port ssh
# ftp PORT mode: the server's active-mode data connection comes from port ftp-data
# (if the ftp client does not use active mode, this rule can be removed)
pass in proto tcp from port ftp-data

2.2 pf.conf-gate-novpn.ref

# designed for a 4-interface layout: internal, external, dmz and management interfaces.
# define some macros and tables (adjust interface names and IP addresses to the actual setup):
int_if="vic0"
ext_if="vic1"
dmz_if="vic2"
#mng_if="vic3"

int_net=$int_if:network
dmz_net=$dmz_if:network
#mng_net=$mng_if:network

#dmz_web_server="10.10.20.20"
#dmz_ftp_server="10.10.20.20"

# tables:
table <firewall> const { self }
table <lan_net> const { self, $int_net, $dmz_net }
#table <lan_net> const { self, $int_net, $dmz_net, $mng_net }

# no restrictions on the local loopback interface:
set skip on lo

# normalise fragments and other irregular packets:
scrub in

# NAT rules (disabled by default):
# enable nat on the external interface; "pass" is added so that translated
# packets skip the filter rules that would otherwise still be evaluated after nat:
#nat pass on $ext_if -> ($ext_if:0)
# the usual form is "nat pass on $ext_if from !($ext_if) -> ($ext_if:0)";
# it is widened here so that the ftp-proxy relaying internal-to-external ftp is also passed directly.

# ftp-proxy setup, covering internal to external and internal to dmz:
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
# in --> out.ftp
#rdr pass on $int_if proto tcp to !<lan_net> port ftp -> 127.0.0.1 port 8021
# in --> dmz.ftp
#rdr pass on $int_if proto tcp to $dmz_net port ftp -> 127.0.0.1 port 8021

# redirections for external access to the dmz; ftp goes through ftp-proxy here and needs no rdr:
# dmz <-- out
# http(s)
#rdr on $ext_if proto tcp to $ext_if port www -> $dmz_web_server
#rdr on $ext_if proto tcp to $ext_if port https -> $dmz_web_server
# ftp (see filter section)

# FILTER rules:
# ftp-proxy setup:
#anchor "ftp-proxy/*"
# block address-spoofing attacks:
antispoof quick for { lo $int_if $dmz_if }
#antispoof quick for { lo $int_if $dmz_if $mng_if }

# default policy: block everything:
block all

# let the firewall itself reach anywhere (disabled!!!)
#pass out from <firewall> to any

# allow ssh to the gateway from the internal and management interfaces:
pass in quick on $int_if proto tcp to <firewall> port ssh
#pass in quick on $mng_if proto tcp to <firewall> port ssh

# allow machines on the local networks to ping the gateway:
pass in quick on $int_if inet proto icmp to <firewall> icmp-type echoreq
pass in quick on $dmz_if inet proto icmp to <firewall> icmp-type echoreq
#pass in quick on $mng_if inet proto icmp to <firewall> icmp-type echoreq

# dns lookups for internal users:
#pass in quick on $int_if proto udp to $int_if port domain

# rules for internal access to the external network:
# (the outbound-interface rules are covered by nat pass; the ftp rules are also in the nat section)
# ping
#pass in quick on $int_if inet proto icmp to !<lan_net> icmp-type echoreq
# http(s)
#pass in quick on $int_if proto tcp to !<lan_net> port www
#pass in quick on $int_if proto tcp to !<lan_net> port https
# ftp (see nat section)

# rules for internal access to the dmz:
# (outbound-interface rules must be given explicitly here, including ftp)
# ping
#pass in quick on $int_if inet proto icmp to $dmz_net icmp-type echoreq
#pass out quick on $dmz_if inet proto icmp from $int_net icmp-type echoreq
# http(s)
#pass in quick on $int_if proto tcp to $dmz_net port www
#pass out quick on $dmz_if proto tcp from $int_net to port www
#pass in quick on $int_if proto tcp to $dmz_net port https
#pass out quick on $dmz_if proto tcp from $int_net to port https
# ftp (see nat section and below; ftp-proxy connects from the gateway's dmz address)
#pass out quick on $dmz_if proto tcp from $dmz_if to port ftp

# rules for external access to the dmz network:
# (synproxy is used for extra protection against SYN floods)
# http(s)
#pass in quick on $ext_if proto tcp to $dmz_web_server port www synproxy state
#pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_web_server port www
#pass in quick on $ext_if proto tcp to $dmz_web_server port https synproxy state
#pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_web_server port https
# ftp
#pass in quick on $ext_if proto tcp to $ext_if port ftp
#pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_ftp_server port ftp user proxy
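As an added check, not part of the original templates, the Python script below approximates the macro step pfctl performs when loading a ruleset and then tests the conventions the gate template relies on: `$name` macros (including `$int_if:network`) are expanded textually, `#` comments are stripped so that a commented-out rule really is absent, and the remaining rules are checked for `block all`, `scrub in`, an antispoof rule, and for every active `pass` rule being `quick`, bound to an interface with `on`, and not an unrestricted `pass out ... to any`. `GATE_TEMPLATE` is a constructed excerpt of the active lines of pf.conf-gate-novpn.ref plus its disabled "access anywhere" rule; the function names and finding texts are my own.

```python
"""Macro expansion and a policy sanity check for the pf.conf templates.
Added example; it approximates pfctl's macro handling and is not a parser
for the full pf.conf grammar."""
import re

# Constructed excerpt: the active lines of pf.conf-gate-novpn.ref plus the
# deliberately disabled "access anywhere" rule, embedded so the script runs
# offline without a real pf.conf.
GATE_TEMPLATE = """\
int_if="vic0"
ext_if="vic1"
dmz_if="vic2"
int_net=$int_if:network
dmz_net=$dmz_if:network
table <firewall> const { self }
table <lan_net> const { self, $int_net, $dmz_net }
set skip on lo
scrub in
antispoof quick for { lo $int_if $dmz_if }
block all
#pass out from <firewall> to any
pass in quick on $int_if proto tcp to <firewall> port ssh
pass in quick on $int_if inet proto icmp to <firewall> icmp-type echoreq
pass in quick on $dmz_if inet proto icmp to <firewall> icmp-type echoreq
"""

# name="value" or name=value; a macro may refer to macros defined earlier.
MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"?([^"#]*?)"?\s*$')


def strip_comment(line):
    # pf.conf comments run from '#' to end of line, so a commented-out rule
    # is simply not part of the loaded ruleset.
    return line.split("#", 1)[0].strip()


def expand_macros(text, macros):
    # pfctl substitutes $name textually. Longest names first, so that a
    # hypothetical $int does not clobber $int_if.
    for name in sorted(macros, key=len, reverse=True):
        text = text.replace("$" + name, macros[name])
    return text


def expand(conf):
    """Return the active rules of conf with all macros expanded."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            name, value = m.groups()
            macros[name] = expand_macros(value, macros)
            continue
        rules.append(expand_macros(line, macros))
    return rules


def check_policy(rules):
    """Return findings against the gate template's conventions; [] means clean."""
    findings = []
    if "block all" not in rules:
        findings.append("no default-deny 'block all' rule")
    if not any(r.startswith("scrub in") for r in rules):
        findings.append("no 'scrub in' packet normalisation")
    if not any(r.startswith("antispoof") for r in rules):
        findings.append("no antispoof rule")
    for r in rules:
        if not r.startswith("pass"):
            continue
        if r.startswith("pass out") and r.endswith("to any"):
            findings.append("unrestricted egress from the firewall: " + r)
        if " quick " not in r:
            findings.append("pass rule without quick: " + r)
        if not re.search(r"\bon \S+", r):
            findings.append("pass rule not bound to an interface: " + r)
    return findings


if __name__ == "__main__":
    # Check the template as written, then with the disabled rule re-enabled.
    for label, conf in (("gate template", GATE_TEMPLATE),
                        ("gate template with 'pass out ... to any' enabled",
                         GATE_TEMPLATE.replace("#pass out", "pass out"))):
        print(label, "->", check_policy(expand(conf)) or "ok")
```

On a host running pf the authoritative syntax check remains `pfctl -nf /etc/pf.conf`; this script only catches policy slips such as uncommenting the `pass out from <firewall> to any` line. Note also that the `nat`/`rdr` rules in these templates use the syntax of OpenBSD up to 4.6, which FreeBSD's pf kept; OpenBSD 4.7 and later express translation with `nat-to`/`rdr-to` options on `match`/`pass` rules instead.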

 

2.3 pf.conf-server.ref

# no restrictions on the local loopback interface:
set skip on lo

# normalise fragments and other irregular packets:
scrub in

# block address-spoofing attacks (replace vic0 with the actual interface name):
antispoof quick for { lo vic0 }

# default policy: block everything:
block all

# services to open (ftp supports both active and passive mode):
# ping
#pass in inet proto icmp icmp-type echoreq
# ssh
#pass in proto tcp to port ssh
# http(s)
#pass in proto tcp to port www
#pass in proto tcp to port https
# ftp: control port, passive-mode data ports above 49151, and active-mode data connections from ftp-data
#pass in proto tcp to port ftp
#pass in proto tcp to port > 49151
#pass out proto tcp from port ftp-data