Differences between versions 1 and 2
Version 1 of 2014-03-14 14:15:20
Size: 3605
Editor: FrBrGeorge
Comment:
Version 2 of 2014-03-14 14:33:17
Size: 4018
Editor: FrBrGeorge
Comment:
Line 35:
Command Purpose
Line 37:
pfctl -e Enable PF.
Line 39:
pfctl -d Disable PF.
Line 41:
pfctl -F all -f /etc/pf.conf Flush all NAT, filter, state, and table rules and reload /etc/pf.conf.
Line 43:
pfctl -s [ rules | nat state ] Report on the filter rules, NAT rules, or state table.
Line 45:
pfctl -vnf /etc/pf.conf Check /etc/pf.conf for errors, but do not load ruleset.
Line 67:

# NAT
# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

# map daemon on 8080 to appear to be on 80
# pass modifier, packets matching the translation are passed without filter rules
rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080

Introduction to FreeBSD PF

Daniel Hartmeier (CX, 2001), written after ipf/ipnat were dropped

http://ru.wikipedia.org/wiki/Packet_Filter

kernel + pfctl

Principles:

  • Last wins (the last matching rule decides):
    • rule optimisation and fast traversal (⇒ large rule sets are practical, e.g. generated ones)
    • predictable evaluation time
    • ⇒ fast lookup (address tables)
    • "anchors" (named sets of rules)
  • Command = task:
    • ⇒ lists and macros (expand into several rules) + tables
    • composite concepts (e.g. state: + the ICMP that belongs to a connection; + UDP, NAT, …)
    • defaults (e.g. keep state is on by default, various timeouts, etc.)
    • several forms (e.g. an IP address ≠ an FQDN, and either can be used)
    • Atomic tasks: scrub, reassemble, antispoof, OS fingerprinting, …
    • queues and shaping

IP layer and above.

Rule order:

  1. options
  2. normalization
  3. queueing
  4. translation
  5. filtering

pfctl

Command                             Purpose

pfctl -e                            Enable PF.

pfctl -d                            Disable PF.

pfctl -F all -f /etc/pf.conf        Flush all NAT, filter, state, and table rules and reload /etc/pf.conf.

pfctl -s [ rules | nat | state ]    Report on the filter rules, NAT rules, or state table.

pfctl -vnf /etc/pf.conf             Check /etc/pf.conf for errors, but do not load the ruleset.

pfctl -a anchor …                   Apply the command to the named anchor's ruleset instead of the main one.

pflog

the pflog0 device + pflogd (writes pcap that tcpdump can read)

Example

ext_if  = "fxp0"
int_if  = "dc0"
lan_net = "192.168.0.0/24"

# table containing all IP addresses assigned to the firewall
table <firewall> const { self }

# don't filter on the loopback interface
set skip on lo0

# scrub incoming packets
match in all scrub (no-df)

# NAT
# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

# map daemon on 8080 to appear to be on 80
# pass modifier, packets matching the translation are passed without filter rules
rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080

# setup a default deny policy
block all

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.0.15. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.15 to $int_if port ssh

# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.
pass in  on $int_if from $lan_net
pass out on $int_if to $lan_net

# pass tcp, udp, and icmp out on the external (Internet) interface. 
# tcp connections will be modulated, udp/icmp will be tracked
# statefully.
pass out on $ext_if proto { tcp udp icmp } all modulate state

# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect. 
# Uncomment last part to use the tcp syn proxy to proxy the connection.
pass in log on $ext_if proto tcp to ! <firewall> port ssh # synproxy state
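To make the "last wins" principle and the quick modifier concrete, here is an added example (not from the lecture page): a small Python model of PF rule evaluation run over three rules from the example above. It assumes int_if is dc0 and ssh is port 22, and reduces a rule to direction, interface, protocol, source and destination port.

```python
# Added example (not from the lecture page): a minimal model of PF's
# "last matching rule wins" evaluation with the "quick" modifier.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional
class Rule(NamedTuple):
    action: str               # "pass" or "block"
    direction: Optional[str]  # "in", "out" or None (any)
    iface: Optional[str]      # interface name or None (any)
    proto: Optional[str]      # "tcp", "udp", ... or None (any)
    src: Optional[str]        # "192.168.0.0/24", "!192.168.0.15" or None
    dport: Optional[int]      # destination port or None (any)
    quick: bool = False
class Packet(NamedTuple):
    direction: str
    iface: str
    proto: str
    src: str
    dport: int

def src_matches(spec: Optional[str], addr: str) -> bool:
    """Handle 'from X' and the negated 'from ! X' form used on the page."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    hit = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return hit != negate

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction) and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto) and rule.dport in (None, pkt.dport)
            and src_matches(rule.src, pkt.src))

def evaluate(rules, pkt: Packet) -> str:
    """Walk every rule: the last match decides, unless a matching rule is
    'quick', which ends evaluation at once. With no match at all, PF passes."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# The page's "block all", "block return in quick ... from ! 192.168.0.15 to $int_if
# port ssh" and "pass in on $int_if from $lan_net", in page order (assumed: int_if = dc0).
RULESET = [
    Rule("block", None, None, None, None, None),
    Rule("block", "in", "dc0", "tcp", "!192.168.0.15", 22, quick=True),
    Rule("pass", "in", "dc0", None, "192.168.0.0/24", None),
]
```

Without quick on the second rule, the later pass rule would be the last match for an untrusted LAN host and its ssh connection would be let through, which is exactly the override the comment in the example guards against.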

pfsync/CARP

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

http://www.freebsd.org/cgi/man.cgi?query=pfctl

http://www.freebsd.org/cgi/man.cgi?query=pf.conf

http://www.openbsd.org/faq/pf/filter.html

LecturesCMC/UnixFirewalls2014/04_AdvantagesPF (last edited by FrBrGeorge 2014-03-22 16:45:23)