freebsd pf 프로필
# pf.conf — FreeBSD pf ruleset for a small gateway: uplink on tun0, two LAN
# segments on rl0 / rl1, a transparent Squid proxy and a self-populating
# SSH brute-force table.
# pf evaluates filter rules top to bottom and the LAST matching rule wins,
# except that a rule marked "quick" ends evaluation immediately; the order of
# the rules below is therefore part of the policy.

# Define macros for each network interface
# NOTE(review): these are braced lists, not bare names, so they cannot be used
# where pf expects a single interface — presumably why "set loginterface"
# below repeats tun0 literally.
ext_if = "{ tun0 }"
int_if = "{ rl0 }"
vip_if = "{ rl1 }"
loop = "lo0"

# Define our networks
int_net = "{ 192.168.1.0/24 }"
vip_net = "{ 192.168.2.0/24 }"
# Ranges that must never be seen on the uplink: loopback, RFC 1918 10/8 and
# 172.16/12, limited broadcast. 192.168.0.0/16 is absent — it is the LAN
# space used above; confirm that is intended.
noroute = "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
# Unused: no rule below references $ports.
ports = "{ 20, 21, 22, 25, 53, 80, 110, 465, 443, 995}"
# Transparent-proxy target (Squid on the gateway itself, see the rdr rule below).
squid = "{ 127.0.0.1 }"

# Only referenced by the commented-out ICMP rule below.
icmp_types = "echoreq"
# Unused: no rule below references $allproto.
allproto = "{ tcp, udp, ipv4, icmp, esp, ipencap }"
# Ports treated as BitTorrent traffic (macro name keeps its original spelling;
# referenced by the two "disable bit" block rules below).
bittorent = "{ 2049, 4662, 3076, 5200, 6200, 2223, 6880, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889 ,\
6890, 8880, 8881, 8882, 8883, 8884, 8885, 8886, 8887, 8888, 8889, 8890, 6969, 10700, 21881}"

# Define Tables for SSH
# "persist" keeps the table alive even while no rule references it. It is
# filled by the overload clause of the SSH pass rule near the end of this
# file (and possibly by an external tool — not visible here).
table <sshguard> persist

# Options: tune the behavior of pf, default values are given
set limit states 200000
set limit frags 200000
set limit src-nodes 20000
# Blocked packets are answered with TCP RST / ICMP unreachable by default;
# the individual "block drop" rules below override this and discard silently.
set block-policy return
# Expire idle states early (saves memory at the cost of dropping idle sessions).
set optimization aggressive
# Interface whose counters "pfctl -si" reports (must be a plain name, hence
# not $ext_if).
set loginterface tun0
# Loopback is exempt from filtering entirely; this makes the
# "pass quick on $loop all" rule further down redundant.
set skip on lo0
# Enforce the options / scrub / queue / translation / filter ordering that
# this file follows.
set require-order yes
# Passive OS fingerprint database used by the "os NMAP" rule below.
set fingerprints "/etc/pf.os"

# Scrub incoming packets
# (defragment / normalize everything arriving on any interface)
scrub in all

# Define Queue
# ALTQ class-based queueing on the 2 Mb uplink; the four shares add up to
# 100%. "base" is the default queue for traffic no rule assigns elsewhere;
# "borrow" lets mail exceed its share when bandwidth is idle; "red" enables
# random early detection on that queue.
altq on $ext_if cbq bandwidth 2Mb queue { ftp,mail,http,base }
queue base bandwidth 40% cbq(default)
queue mail bandwidth 35% priority 3 cbq(borrow red)
queue http bandwidth 20% cbq(red)
queue ftp bandwidth 5% cbq(red)

#############
# NAT Rules #
#############
# Masquerade both LAN segments behind the uplink address.
# NOTE(review): the translation address "$ext_if" is resolved when the
# ruleset is loaded. If tun0 receives a dynamic address, the parenthesised
# form "($ext_if)" tracks changes, but that requires the macro to be a bare
# interface name rather than a braced list — confirm which applies here.
nat on $ext_if from $int_net to any -> $ext_if
nat on $ext_if from $vip_net to any -> $ext_if
#nat on $ext_if from {$vip_net,$int_net} to any -> $ext_if

#####################
# Squid Transparent #
#####################
# Web traffic from the rl0 segment only (not $vip_net) is redirected to
# Squid on the gateway; Squid is presumably listening on 127.0.0.1:3128 in
# intercept mode (configured outside this file).
rdr on $int_if proto tcp from $int_net to any port 80 -> $squid port 3128

###############
# Port Mapping#
###############
# External TCP/81 -> host 192.168.2.7:80 on the rl1 segment.
# NOTE(review): rdr only rewrites the destination; the translated packet
# (dst 192.168.2.7:80) still has to be accepted by a filter rule. The only
# "pass in on $ext_if" rule in this file is the SSH one, so under the
# "block all" default this forward looks dead unless a pass rule for it
# lives elsewhere — verify before relying on it.
rdr on $ext_if proto tcp from any to $ext_if port 81 -> 192.168.2.7 port 80
# Spoofing protection for the external (uplink) interface: expands to block
# rules that drop packets claiming a source address of tun0 or its attached
# network when they do not arrive on tun0. (The rule is on $ext_if, not the
# LAN side.)
antispoof quick for $ext_if inet

# Setup a default deny policy
# Everything not explicitly passed below is blocked in both directions.
# "block return" repeats "block all" with an explicit return policy; it is
# redundant with "set block-policy return" above but harmless.
block all
block return

# Security settings
# Drop inbound packets whose passive OS fingerprint matches the NMAP entries
# in /etc/pf.os, and silently discard anything to/from the non-routable ranges.
block in quick on $ext_if os NMAP
block drop in quick on $ext_if from $noroute to any
block drop out quick on $ext_if from any to $noroute

# Disable All Kinds of Hack Software
# TCP flag combinations that no legitimate connection uses
# (syntax is set/mask: "SF/SFRA" = SYN and FIN set, RST and ACK clear).
# No "on" clause, so these apply on every interface including the LANs —
# they are "quick", so they fire before the LAN pass rules further down.
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
# no flags at all
block in quick proto tcp all flags /SFRA
# FIN alone
block in quick proto tcp all flags F/SFRA
# URG alone
block in quick proto tcp all flags U/SFRAU

# sshguard
# Sources that tripped the per-source limits of the SSH rule below are
# refused on port 22; "quick" so that the pass rule is never reached.
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

# Block some clients to internet and bittorent download
# No direction is given, so both rules match inbound and outbound on the
# uplink: TCP to one of the listed ports, or TCP from one of them.
block quick on $ext_if inet proto tcp to port $bittorent label "disable bit"
block quick on $ext_if inet proto tcp from any port $bittorent to any

# Pass ICMP
# Disabled: inbound echo requests on the uplink fall through to "block all".
#pass in inet proto icmp all icmp-type $icmp_types keep state label "allow ping"

# Pass traffic on the loopback interface in either direction
# (already unfiltered via "set skip on lo0" above)
pass quick on $loop all

# Pass traffic on the internal interface in either direction
# Both LAN segments are fully trusted: everything not caught by the quick
# block rules above is passed. No explicit "keep state"; whether state is
# created depends on the pf version's default — confirm.
pass quick on $int_if all
pass quick on $vip_if all

# Allow access local database
# (disabled — port 3306 is not opened on the uplink)
#pass in log on $ext_if proto tcp to port 3306 flags S/SA keep state

# Allow SSH to me by tun0
# Logged, initial SYN only (flags S/SA), stateful. Per source address: at
# most 10 concurrent connections and at most 3 new connections per 10
# seconds; exceeding either adds the source to <sshguard> and flushes the
# states this rule created for it, after which the "ssh bruteforce" rule
# above applies.
pass in log on $ext_if proto tcp to any port ssh flags S/SA keep state \
( max-src-conn 10, max-src-conn-rate 3/10, overload <sshguard> flush ) label "allow ssh"

# Pass traffic on the external interface in either direction
# NOTE(review): the first rule is "quick" and matches every outbound TCP/UDP
# packet, so the three service-specific queue rules after it can never be
# reached — all outbound TCP/UDP lands in the "base" queue. Moving the
# general rule after the specific ones is the usual fix, but note also that
# outbound filter rules on $ext_if see the packet after NAT, i.e. with the
# uplink address as source, so "from $int_net" may not match there either;
# assigning the queue on the inbound LAN rule, or tagging, is the common way
# round this — verify against the pf version in use.
pass out quick on $ext_if proto { tcp, udp } to any keep state queue base
pass out quick on $ext_if proto tcp from $int_net to any port { 80, 443 } keep state queue http
pass out quick on $ext_if proto tcp from $int_net to any port { 20, 21 } keep state queue ftp
pass out quick on $ext_if proto tcp from $int_net to any port { 25, 110, 465, 995 } keep state queue mail
# The two rules below are reached only for traffic the quick rules above did
# not match; the tcp-only one is therefore never hit, the last one covers the
# remaining protocols (ICMP, ESP, ...).
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if all keep state