Differences between versions 3 and 4
Version 3 as of 2014-03-14 14:36:51
Size: 4008
Editor: FrBrGeorge
Comment:
Version 4 as of 2014-03-21 11:06:35
Size: 2743
Editor: FrBrGeorge
Comment:
Deletions are marked like this. Additions are marked like this.
Line 55: Line 55:
ext_if = "fxp0"
int_if = "dc0"
lan_net = "192.168.0.0/24"
#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
Line 59: Line 60:
# table containing all IP addresses assigned to the firewall
table <firewall> const { self }
Line 62: Line 61:
# don't filter on the loopback interface
set skip on lo0
# macros
ext_if="em0"
int_if="le0"
Line 65: Line 65:
# scrub incoming packets
match in all scrub (no-df)
tcp_services="{ 22, 13 }"
icmp_types="echoreq"
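Review bot: `tcp_services="{ 22, 13 }"` exposes port 13 (daytime) to the Internet through the later `pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services` rule, since every element of the list expands into its own pass rule on the external interface; if 13 is only a placeholder for the lecture, say so in a comment, otherwise drop it from the list.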
Line 68: Line 68:
# NAT
# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
comp3="10.30.50.3"
Line 73: Line 70:
# map daemon on 8080 to appear to be on 80
# pass modifier, packets matching the translation are passed without filter rules
rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
# options
set block-policy return
set loginterface $ext_if
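Review bot: `set block-policy return` switches the global reaction to blocked packets from the default silent drop to a TCP RST or ICMP unreachable reply, so every probe blocked on $ext_if now gets an answer; the deleted ruleset only did that on one explicit `block return in quick on $int_if ... port ssh` rule. Consider leaving the policy at `drop` and using `block return` per rule on the internal interface, where the immediate failure helps LAN users without telling outside scanners which ports are filtered.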
Line 77: Line 74:
# setup a default deny policy
block all
set skip on lo
Line 80: Line 76:
# activate spoofing protection for all interfaces
antispoof for $ext_if
# scrub
scrub in
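Review bot: dropping `antispoof for $ext_if` leaves only `antispoof quick for { lo $int_if }` further down, so packets that arrive on $int_if carrying the external network's addresses (or the firewall's own external address) as their source are no longer rejected. Unless there is a reason tied to how $ext_if is addressed, keep the external interface in the list: `antispoof quick for { lo $int_if $ext_if }`.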
Line 83: Line 79:
# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.0.15. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.15 to $int_if port ssh
# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
Line 89: Line 82:
# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.
pass in on $int_if from $lan_net
pass out on $int_if to $lan_net
rdr on $ext_if proto tcp from any to any port 80 -> $comp3
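Review bot: `rdr on $ext_if proto tcp from any to any port 80 -> $comp3` redirects every TCP port-80 packet that enters on $ext_if regardless of its destination address (the deleted rule had the same `to any`, but sent the traffic to localhost). Prefer `rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $comp3` so that only connections actually addressed to the firewall are forwarded to the internal host, which also matches the `pass in ... to $comp3 port 80 synproxy state` rule later in the file.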
Line 95: Line 84:
# pass tcp, udp, and icmp out on the external (Internet) interface.
# tcp connections will be modulated, udp/icmp will be tracked
# statefully.
pass out on $ext_if proto { tcp udp icmp } all modulate state
# filter rules
block in
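Review bot: with `block all` removed earlier and `block in` introduced here, the only default-deny left is inbound, and the unconditional `pass out` that follows lets any connection originating on the firewall itself leave unfiltered; the deleted `pass out on $ext_if proto { tcp udp icmp } all modulate state` also provided initial-sequence-number modulation for TCP connections passing through. If the simpler policy is intended for the lecture, a comment stating it would help; otherwise keep `block` in both directions and write explicit `pass out` rules.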
Line 100: Line 87:
# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect.
# Uncomment last part to use the tcp syn proxy to proxy the connection.
pass in log on $ext_if proto tcp to ! <firewall> port ssh # synproxy state
pass out

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services

pass in on $ext_if inet proto tcp from any to $comp3 port 80 synproxy state

pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state
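Review bot: `pass quick on $int_if no state` matches both directions on the internal interface, ends rule evaluation immediately and creates no state, so every LAN host can now reach every service on the firewall (the deleted `block return in quick on $int_if ... from ! 192.168.0.15 ... port ssh` was the only rule limiting that) and nothing on $int_if is logged. With the `log` keyword also gone from the external ssh rule, no rule in the new set logs anything; `set loginterface $ext_if` only enables per-interface counters. Suggest a stateful `pass in log on $int_if from <lan network>` plus `pass out on $int_if`, and `pass in log on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services` for the external rule.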

Introduction to FreeBSD PF

Daniel Hartmeier (CX, 2001) (ip/ipnat gone)

http://ru.wikipedia.org/wiki/Packet_Filter

kernel + pfctl

Principles:

  • Last wins:
    • rule optimization and fast traversal (⇒ large rule volumes, e.g. generated rulesets)
    • predictable time
    • ⇒ fast lookup (address tables)
    • "anchors" (sets of rules)
  • Command = task:
    • ⇒ lists and macros (expanded into several rules) + tables
    • composite concepts (e.g. state: +ICMP servicing the connection; +UDP, NAT, …)
    • defaults (e.g. keep state by default, various timeouts, etc.)
    • different forms (e.g. IP address ≠ FQDN address, either can be used)
    • Atomic tasks: scrub, reassemble, antispoof, OS fingerprinting, …
    • queues and shaping
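As an added illustration of the "last wins" principle and of list/macro expansion (not code from the lecture or from PF itself), the toy evaluator below models a small subset of pf.conf using the macros of the lecture example; the external address 198.51.100.1 and the test packets are constructed assumptions, and state, translation and scrub are deliberately not modelled.

```python
# Toy model of PF filter-rule evaluation (added example, not PF's own code):
# "last matching rule wins" unless a matching rule carries "quick". Only a
# subset of pf.conf is handled (action, quick, in/out, on, proto, from, to,
# port with { } lists); state, translation, scrub and tables are not modelled.
KEYWORDS = {"in", "out", "on", "proto", "from", "to", "port", "quick"}
FIELDS = ("dir", "on", "proto", "from", "to", "port")

def parse_rule(line):
    """Expand one rule line into rule dicts, one per element of a port list."""
    toks = line.replace("{", " ").replace("}", " ").replace(",", " ").split()
    rule = dict.fromkeys(FIELDS)
    rule.update(action=toks.pop(0), quick="quick" in toks, port=[None])
    toks = [t for t in toks if t != "quick"]
    while toks:
        key = toks.pop(0)
        if key in ("in", "out"):
            rule["dir"] = key
        elif key == "port":  # consume the whole list after "port"
            rule["port"] = []
            while toks and toks[0] not in KEYWORDS:
                rule["port"].append(int(toks.pop(0)))
        elif key in KEYWORDS:  # on / proto / from / to take one argument
            rule[key] = toks.pop(0)
        else:
            raise ValueError("unsupported token: " + key)
    return [dict(rule, port=p) for p in rule["port"]]

def load_ruleset(text, macros):
    """Substitute $macros, strip comments, expand lists; file order is kept."""
    for name, value in macros.items():
        text = text.replace("$" + name, value)
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [r for ln in lines if ln for r in parse_rule(ln)]

def evaluate(rules, pkt):
    """Default pass; last match wins; a matching 'quick' rule ends evaluation."""
    verdict = "pass"
    for rule in rules:
        if all(rule[f] is None or rule[f] == pkt[f] for f in FIELDS):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict

# Constructed ruleset modelled on the lecture example; 198.51.100.1 is an
# assumed external address standing in for "($ext_if)".
MACROS = {"ext_if": "em0", "int_if": "le0", "ext_addr": "198.51.100.1", "comp3": "10.30.50.3"}
RULES = load_ruleset("""
block in
pass out
pass in on $ext_if proto tcp to $ext_addr port { 22, 13 }  # $tcp_services
pass in on $ext_if proto tcp to $comp3 port 80             # after rdr
pass quick on $int_if
""", MACROS)
```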

IP layer and above.

Rule order:

  1. options
  2. normalization
  3. queueing
  4. translation
  5. filtering

pfctl

Command                             Purpose
pfctl -e                            Enable PF.
pfctl -d                            Disable PF.
pfctl -F all -f /etc/pf.conf        Flush all NAT, filter, state, and table rules and reload /etc/pf.conf.
pfctl -s [ rules | nat | state ]    Report on the filter rules, NAT rules, or state table.
pfctl -vnf /etc/pf.conf             Check /etc/pf.conf for errors, but do not load the ruleset.

-a anchor

pflog

pflog0 device + pflogd (= tcpdump)

Example

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#


# macros
ext_if="em0"
int_if="le0"

tcp_services="{ 22, 13 }"
icmp_types="echoreq"

comp3="10.30.50.3"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block in

pass out

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services

pass in on $ext_if inet proto tcp from any to $comp3 port 80 synproxy state

pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state

pfsync/CARP

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

http://www.freebsd.org/cgi/man.cgi?query=pfctl

http://www.freebsd.org/cgi/man.cgi?query=pf.conf

http://www.openbsd.org/faq/pf/filter.html

LecturesCMC/UnixFirewalls2014/04_AdvantagesPF (last edited by FrBrGeorge 2014-03-22 16:45:23)