Version 1 of 2014-03-14 14:15:20
Introduction to FreeBSD PF
Daniel Hartmeier (CX, 2001); written as a replacement for IPFilter (ipf/ipnat) after its removal
http://ru.wikipedia.org/wiki/Packet_Filter
kernel + pfctl
Principles:
- Last match wins (the exception is a rule marked quick, which ends evaluation at once):
  - rule optimisation and fast evaluation (⇒ large rulesets are workable, e.g. generated ones)
  - predictable evaluation time
  - ⇒ fast lookup (address tables)
  - "anchors" (named sub-rulesets)
  - …
- One statement = one task:
  - ⇒ lists and macros (expand into several rules) + tables
  - compound concepts (e.g. state: also the ICMP that services a connection; also UDP, NAT, …)
  - defaults (e.g. keep state is on by default, various timeouts, etc.)
  - different forms of the same thing (e.g. IP address vs. FQDN; both are accepted, hostnames being resolved when the ruleset is loaded)
- Atomic tasks: scrub, reassemble, antispoof, OS fingerprinting, …
- queueing and shaping
Operates at the IP layer and above.
Rule order (sections of pf.conf):
- options
- normalization
- queueing
- translation
- filtering
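The following pf.conf fragment shows how the principles above (last match wins, quick, macros and lists, tables, anchors) and the section order combine. It is an added example, not part of the original notes or of the FreeBSD Handbook; the interface names em0/em1, the networks and hosts, the table name bruteforce and the anchor name dyn are assumptions chosen for illustration.

```pf
# Added example (not from the original notes). Interface names, networks,
# hosts, the table name and the anchor name are assumptions.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.0.0/24"

# Lists and macros: one written rule expands into several loaded rules.
admin_hosts = "{ 192.168.0.15, 192.168.0.16 }"
admin_ports = "{ ssh, https }"

# Table: many addresses behind a single rule, fast lookup in the kernel.
# 'persist' keeps the table when it is empty, so it can be managed at runtime:
#   pfctl -t bruteforce -T add 203.0.113.7
#   pfctl -t bruteforce -T show
table <bruteforce> persist

# options and normalization come before the filter rules
set skip on lo0
match in all scrub (no-df)

# Last matching rule wins, so the default deny goes FIRST. Written as the
# last rule it would match every packet and silently undo every 'pass'.
block all

# 'quick' ends evaluation at this rule: no later 'pass' can override it.
block quick from <bruteforce>

# Expands to 2 hosts x 2 ports = 4 rules; state is kept by default.
pass in on $int_if proto tcp from $admin_hosts to ($int_if) port $admin_ports

# Stateful rate limit: a source opening more than 5 connections in 30 s is
# added to the table above and its existing states are flushed; the
# 'block quick' rule then drops its next packet.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Anchor: a named sub-ruleset evaluated at this point. Its contents can be
# replaced at runtime without reloading the main file:
#   echo "pass in on em0 proto tcp to port 8080" | pfctl -a dyn -f -
#   pfctl -a dyn -s rules
anchor "dyn"
```

Check the fragment with pfctl -nf before loading it; the expansion of the list rule can be seen with pfctl -s rules, which prints the four rules the single admin_hosts/admin_ports line became.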
pfctl
Command                            Purpose
pfctl -e                           Enable PF.
pfctl -d                           Disable PF.
pfctl -F all -f /etc/pf.conf       Flush all NAT, filter, state, and table rules and reload /etc/pf.conf.
pfctl -s [ rules | nat | state ]   Report on the filter rules, NAT rules, or state table.
pfctl -vnf /etc/pf.conf            Check /etc/pf.conf for errors, but do not load the ruleset.
pfctl -a anchor ...                Restrict the operation (-f, -s, -F) to the named anchor instead of the main ruleset.
pflog
pflog0 device + pflogd, which writes /var/log/pflog in pcap format; read it with tcpdump -n -e -ttt -r /var/log/pflog, or watch live with tcpdump -n -e -ttt -i pflog0
Example
ext_if = "fxp0"
int_if = "dc0"
lan_net = "192.168.0.0/24"

# table containing all IP addresses assigned to the firewall
table <firewall> const { self }

# don't filter on the loopback interface
set skip on lo0

# scrub incoming packets
match in all scrub (no-df)

# NAT
# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

# map daemon on 8080 to appear to be on 80
# pass modifier, packets matching the translation are passed without filter rules
rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080

# setup a default deny policy
block all

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.0.15. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.15 to $int_if port ssh

# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.
pass in on $int_if from $lan_net
pass out on $int_if to $lan_net

# pass tcp, udp, and icmp out on the external (Internet) interface.
# tcp connections will be modulated, udp/icmp will be tracked
# statefully.
pass out on $ext_if proto { tcp udp icmp } all modulate state

# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect.
# Uncomment last part to use the tcp syn proxy to proxy the connection.
pass in log on $ext_if proto tcp to ! <firewall> port ssh # synproxy state
pfsync/CARP (state-table synchronisation and address failover between redundant firewalls)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
http://www.freebsd.org/cgi/man.cgi?query=pfctl