Введение в FreeBSD PF

Daniel Hartmeier (CX, 2001) (ip/ipnat gone)

http://ru.wikipedia.org/wiki/Packet_Filter

ядро + pfctl

Принципы:

Уровень IP и выше.

Порядок правил:

  1. options
  2. normalization
  3. queueing
  4. translation
  5. filtering

pfctl

Command Purpose

pfctl -e Enable PF.

pfctl -d Disable PF.

pfctl -F all -f /etc/pf.conf Flush all NAT, filter, state, and table rules and reload /etc/pf.conf.

pfctl -s [ rules | nat state ] Report on the filter rules, NAT rules, or state table.

pfctl -vnf /etc/pf.conf Check /etc/pf.conf for errors, but do not load ruleset. -a anchor

pflog

dev pflog0 + pflogd (=tcpdump)

Пример

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#


# macros
ext_if="em0"
int_if="le0"

tcp_services="{ 22, 13 }"
icmp_types="echoreq"

comp3="10.30.50.3"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block in

pass out

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services

pass in on $ext_if inet proto tcp from any to $comp3 port 80 synproxy state

pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state

pfsync/CARP

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

http://www.freebsd.org/cgi/man.cgi?query=pfctl

http://www.freebsd.org/cgi/man.cgi?query=pf.conf

http://www.openbsd.org/faq/pf/filter.html

LecturesCMC/UnixFirewalls2014/04_AdvantagesPF (последним исправлял пользователь FrBrGeorge 2014-03-22 13:45:23)