pf.conf configuration
These are configuration templates for the Packet Filter (PF) firewall.
The content applies to OpenBSD 4.1 and FreeBSD 7.0 and later releases. One caveat: OpenBSD 4.7 replaced the nat/rdr translation rules that the gateway template relies on with match ... nat-to / rdr-to, so that template's translation section must be rewritten for later OpenBSD releases; FreeBSD keeps the older syntax.
Reference: PF: The OpenBSD Packet Filter
1 The pf.conf template series
As with the iptables templates, a series of pf.conf templates is provided here to suit different needs. Choose the template that fits your environment, then adjust it to the actual situation. The templates currently available are:
- pf.conf-client.ref, the client template
- pf.conf-gate-novpn.ref, the gateway template (without VPN)
- pf.conf-server.ref, the server template
Each template is described in detail below.
2 Template descriptions
2.1 pf.conf-client.ref
# No restrictions on the local loopback interface:
set skip on lo
# Normalize fragmented and otherwise irregular packets:
scrub in
# Block spoofed-address attacks (replace vic0 with the real interface name):
antispoof quick for { lo vic0 }
# Default policy: block everything:
block all
# As a client, allow outbound access to anywhere:
pass out
# Services allowed by default:
# ping
pass in inet proto icmp icmp-type echoreq
# ssh
pass in proto tcp to port ssh
# ftp-port (drop this rule if the ftp client does not use active mode)
pass in proto tcp from port ftp-data
A caveat on the last rule: it admits any inbound TCP connection whose source port is 20 (ftp-data), to any local port, because pf cannot tell a genuine active-mode data connection from a peer that simply picks source port 20. Keep it only while active-mode FTP is actually needed; passive mode needs no inbound rule at all, since the client opens the data connection itself and pass out (keep state by default on these releases) already covers it.
2.2 pf.conf-gate-novpn.ref
# Designed around four interfaces: internal, external, dmz and management.
# Define some macros and tables (adjust interface names and IP addresses to suit):
int_if="vic0"
ext_if="vic1"
dmz_if="vic2"
#mng_if="vic3"
int_net=$int_if:network
dmz_net=$dmz_if:network
#mng_net=$mng_if:network
#dmz_web_server="10.10.20.20"
#dmz_ftp_server="10.10.20.20"
# tables:
table <firewall> const { self }
table <lan_net> const { self, $int_net, $dmz_net }
#table <lan_net> const { self, $int_net, $dmz_net, $mng_net }
# No restrictions on the local loopback interface:
set skip on lo
# Normalize fragmented and otherwise irregular packets:
scrub in
# NAT rules (disabled by default):
# Enable nat on the external interface; "pass" is added so that translated packets
# skip the filter rules that would otherwise still be evaluated after nat:
#nat pass on $ext_if -> ($ext_if:0)
# The usual form is "nat pass on $ext_if from !($ext_if) -> ($ext_if:0)";
# it is written without the "from" clause so that the ftp-proxy relaying
# internal-to-external ftp (which connects from the gateway itself) is passed directly too.
# ftp-proxy setup, covering internal -> external and internal -> dmz:
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
# in --> out.ftp
#rdr pass on $int_if proto tcp to !<lan_net> port ftp -> 127.0.0.1 port 8021
# in --> dmz.ftp
#rdr pass on $int_if proto tcp to $dmz_net port ftp -> 127.0.0.1 port 8021
# Redirections for external access to the dmz; ftp goes through ftp-proxy here and needs no rdr:
# dmz <-- out
# http(s)
#rdr on $ext_if proto tcp to $ext_if port www -> $dmz_web_server
#rdr on $ext_if proto tcp to $ext_if port https -> $dmz_web_server
# ftp (see filter section)
# FILTER rules:
# ftp-proxy setup:
#anchor "ftp-proxy/*"
# Block spoofed-address attacks:
antispoof quick for { lo $int_if $dmz_if }
#antispoof quick for { lo $int_if $dmz_if $mng_if }
# Default policy: block everything:
block all
# allow the gateway itself to reach anywhere (disabled!!!)
#pass out from <firewall> to any
# Allow ssh to the gateway from the internal and management interfaces:
pass in quick on $int_if proto tcp to <firewall> port ssh
#pass in quick on $mng_if proto tcp to <firewall> port ssh
# Allow hosts on the local networks to ping the gateway:
pass in quick on $int_if inet proto icmp to <firewall> icmp-type echoreq
pass in quick on $dmz_if inet proto icmp to <firewall> icmp-type echoreq
#pass in quick on $mng_if inet proto icmp to <firewall> icmp-type echoreq
# DNS lookups for internal users:
#pass in quick on $int_if proto udp to $int_if port domain
# Rules for internal -> external access:
# (the outbound-interface side is handled by "nat pass"; ftp is handled in the nat section as well)
# ping
#pass in quick on $int_if inet proto icmp to !<lan_net> icmp-type echoreq
# http(s)
#pass in quick on $int_if proto tcp to !<lan_net> port www
#pass in quick on $int_if proto tcp to !<lan_net> port https
# ftp (see nat section)
# Rules for internal -> dmz access:
# (the outbound-interface rules must be given explicitly here, ftp included)
# ping
#pass in quick on $int_if inet proto icmp to $dmz_net icmp-type echoreq
#pass out quick on $dmz_if inet proto icmp from $int_net icmp-type echoreq
# http(s)
#pass in quick on $int_if proto tcp to $dmz_net port www
#pass out quick on $dmz_if proto tcp from $int_net to port www
#pass in quick on $int_if proto tcp to $dmz_net port https
#pass out quick on $dmz_if proto tcp from $int_net to port https
# ftp (see nat section and below)
#pass out quick on $dmz_if proto tcp from $dmz_if to port ftp
# Rules for external -> dmz access:
# (synproxy is used for extra protection)
# http(s)
#pass in quick on $ext_if proto tcp to $dmz_web_server port www synproxy state
#pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_web_server port www
#pass in quick on $ext_if proto tcp to $dmz_web_server port https synproxy state
#pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_web_server port https
# ftp
#pass in quick on $ext_if proto tcp to $ext_if port ftp
# (the reverse ftp-proxy's control connection to the dmz server originates from the
# gateway's own dmz address, so match on $dmz_if, as in the internal -> dmz ftp rule above;
# "from !<lan_net>" can never match a locally generated packet because <lan_net> contains self)
#pass out quick on $dmz_if proto tcp from $dmz_if to $dmz_ftp_server port ftp user proxy
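A pre-flight script for the gateway template, added here as an example; it is not part of the template set. It assumes the template's own anchor names, the pre-OpenBSD-4.7 nat/rdr syntax, and the ftp-proxy(8) options -R, -p and -b as shipped with OpenBSD 4.x and FreeBSD 7.x; the addresses 203.0.113.1 and 10.10.20.20 are placeholders. It checks the section ordering pfctl enforces (options, normalization, queueing, translation, filter), verifies that the three ftp-proxy anchors are uncommented, runs pfctl -nf when pfctl is available, and prints the two ftp-proxy invocations the template's rdr and "user proxy" rules expect.

```shell
#!/bin/sh
# gate_check.sh: pre-flight checks for pf.conf-gate-novpn.ref (added example, not
# part of the template set). Usage: sh gate_check.sh /etc/pf.conf
set -eu

# pfctl rejects a file whose sections are out of sequence ("Rules must be in
# order: options, normalization, queueing, translation, filter"). Rank each
# rule by its first keyword and fail on the first one that goes backwards.
# Macros, tables, comments and blank lines are not ranked.
rule_order_ok() {
    awk '
        function rank(w) {
            if (w == "set") return 1
            if (w == "scrub") return 2
            if (w == "altq" || w == "queue") return 3
            if (w ~ /^(nat|rdr|binat)(-anchor)?$/) return 4
            if (w ~ /^(pass|block|antispoof|anchor)$/) return 5
            return 0
        }
        BEGIN { last = 0; bad = 0 }
        {
            sub(/^[ \t]+/, "")
            if ($0 == "" || $0 ~ /^#/) next
            r = rank($1)
            if (r == 0) next
            if (r < last) { print "out of order at line " NR ": " $0; bad = 1; exit }
            last = r
        }
        END { exit bad }
    ' "$1"
}

# ftp-proxy installs its per-session nat, rdr and pass rules into the
# "ftp-proxy/*" anchors; if any of the three is still commented out the
# proxy starts fine but no ftp session ever gets its data connection.
ftp_proxy_anchors_ok() {
    missing=0
    for a in nat-anchor rdr-anchor anchor; do
        if ! grep -Eq "^[[:space:]]*$a[[:space:]]+\"ftp-proxy/\*\"" "$1"; then
            echo "missing or commented out: $a \"ftp-proxy/*\""
            missing=1
        fi
    done
    return $missing
}

# Full parse with pfctl(8) where it exists; -n parses without loading.
pfctl_syntax_ok() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found, skipping full parse" >&2
    fi
}

# The two ftp-proxy instances the template assumes: the forward proxy on
# 127.0.0.1:8021 (ftp-proxy's defaults, the rdr target for internal clients)
# and the reverse proxy (-R) listening on the external address, port 21,
# relaying to the dmz ftp server; its outbound control connection is what the
# "pass out ... user proxy" rule on $dmz_if admits. OpenBSD starts one instance
# from ftpproxy_flags in /etc/rc.conf.local, FreeBSD from ftpproxy_enable and
# ftpproxy_flags in /etc/rc.conf; the second instance has to go in rc.local.
ftp_proxy_cmds() {
    ext_addr=$1
    dmz_ftp_server=$2
    echo "ftp-proxy"
    echo "ftp-proxy -R $dmz_ftp_server -p 21 -b $ext_addr"
}

main() {
    conf=${1:-/etc/pf.conf}
    rule_order_ok "$conf"
    ftp_proxy_anchors_ok "$conf"
    pfctl_syntax_ok "$conf"
    # Placeholder addresses (10.10.20.20 is the template's own dmz_ftp_server
    # value); override through the environment.
    ftp_proxy_cmds "${EXT_ADDR:-203.0.113.1}" "${DMZ_FTP_SERVER:-10.10.20.20}"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it against the edited template before loading: an out-of-order section or a still-commented anchor is reported before pfctl ever sees the file, and the printed ftp-proxy command lines are the ones to drop into the rc configuration.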
2.3 pf.conf-server.ref
# No restrictions on the local loopback interface:
set skip on lo
# Normalize fragmented and otherwise irregular packets:
scrub in
# Block spoofed-address attacks (replace vic0 with the real interface name):
antispoof quick for { lo vic0 }
# Default policy: block everything:
block all
# Services to open (ftp supports both active and passive mode):
# ping
#pass in inet proto icmp icmp-type echoreq
# ssh
#pass in proto tcp to port ssh
# http(s)
#pass in proto tcp to port www
#pass in proto tcp to port https
# ftp
#pass in proto tcp to port ftp
#pass in proto tcp to port > 49151
#pass out proto tcp from port ftp-data
Two caveats. This template has no general pass out, so the server itself cannot originate connections (DNS lookups, package updates); add a pass out rule if it needs to. And the passive-mode rule opens every TCP port above 49151 to the world, not just the ftpd, so restrict the range to the one the ftpd is configured to use and make sure nothing else listens there.