Revision comparison (4008 / 2743)

Removed in this revision (the previous firewall example):

ext_if = "fxp0"
int_if = "dc0"
lan_net = "192.168.0.0/24"

# table containing all IP addresses assigned to the firewall
table <firewall> const { self }

# don't filter on the loopback interface
set skip on lo0

# scrub incoming packets
match in all scrub (no-df)

# NAT
# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

# map daemon on 8080 to appear to be on 80
# pass modifier, packets matching the translation are passed without filter rules
rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080

# setup a default deny policy
block all

# activate spoofing protection for all interfaces
antispoof for $ext_if

# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.0.15. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.15 to $int_if port ssh

# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.
pass in on $int_if from $lan_net
pass out on $int_if to $lan_net

# pass tcp, udp, and icmp out on the external (Internet) interface.
# tcp connections will be modulated, udp/icmp will be tracked
# statefully.
pass out on $ext_if proto { tcp udp icmp } all modulate state

# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect.
# Uncomment last part to use the tcp syn proxy to proxy the connection.
pass in log on $ext_if proto tcp to ! <firewall> port ssh # synproxy state

Added in this revision: the ruleset shown in the "Example" section below.
Introduction to FreeBSD PF
Daniel Hartmeier (CX, 2001) (ipf/ipnat gone)
http://ru.wikipedia.org/wiki/Packet_Filter
kernel + pfctl
Principles:
- Last matching rule wins (unless the rule is marked quick):
- rule optimization and fast evaluation (⇒ large rulesets, e.g. generated ones)
- predictable evaluation time
- ⇒ fast lookups (address tables)
- "anchors" (named sets of rules)
- …
- Command = task:
- ⇒ lists and macros (expand into several rules) + tables
- composite concepts (e.g. state: +ICMP belonging to the connection; +UDP, NAT, …)
- defaults (e.g. keep state by default, various timeouts, etc.)
- different forms (e.g. an IP address ≠ an FQDN; both are allowed)
- Atomic tasks: scrub, reassemble, antispoof, OS fingerprinting, …
- queues and shaping
Operates at the IP layer and above.
Rule order (sections of pf.conf):
- options
- normalization
- queueing
- translation
- filtering
pfctl
Command                            Purpose
pfctl -e                           Enable PF.
pfctl -d                           Disable PF.
pfctl -F all -f /etc/pf.conf       Flush all NAT, filter, state, and table rules and reload /etc/pf.conf.
pfctl -s [ rules | nat | state ]   Report on the filter rules, NAT rules, or state table.
pfctl -vnf /etc/pf.conf            Check /etc/pf.conf for errors, but do not load the ruleset.
pfctl -a anchor ...                Apply the command to the named anchor instead of the main ruleset.
pflog
pflog0 interface + pflogd (writes pcap, read with tcpdump)
Example

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#

# macros
ext_if="em0"
int_if="le0"
tcp_services="{ 22, 13 }"
icmp_types="echoreq"
comp3="10.30.50.3"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block in
pass out
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
pass in on $ext_if inet proto tcp from any to $comp3 port 80 synproxy state
pass in inet proto icmp all icmp-type $icmp_types
pass quick on $int_if no state
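The following is an added example (not code from the page or from PF itself) that models two points above on this example ruleset: translation runs before filtering, so the rdr rule rewrites port-80 traffic to $comp3 before the "pass in ... to $comp3 port 80" rule is consulted, and among filter rules the last match decides unless a matching rule carries quick. The external address 203.0.113.1, the sample packets and the omission of the antispoof rule are assumptions.

```python
# Toy model of the example ruleset (constructed illustration, not PF's code):
# translation (rdr) runs before filtering, and among filter rules the last
# match decides unless a matching rule carries "quick"; antispoof is omitted.
EXT_IF, INT_IF, COMP3 = "em0", "le0", "10.30.50.3"
EXT_ADDR = "203.0.113.1"  # assumed address of ($ext_if); not given on the page
# rdr on $ext_if proto tcp from any to any port 80 -> $comp3
RDR = [dict(iface=EXT_IF, proto="tcp", dport=80, to=COMP3)]
# Filter section in file order; a key missing from a rule means "any".
FILTER = [
    dict(action="block", dir="in"),                                  # block in
    dict(action="pass", dir="out"),                                  # pass out
    dict(action="pass", dir="in", iface=EXT_IF, proto="tcp",
         dst=EXT_ADDR, dport={22, 13}),                              # port $tcp_services
    dict(action="pass", dir="in", iface=EXT_IF, proto="tcp",
         dst=COMP3, dport={80}),                                     # to $comp3 port 80
    dict(action="pass", dir="in", proto="icmp", icmptype="echoreq"),  # icmp-type $icmp_types
    dict(action="pass", iface=INT_IF, quick=True),                   # pass quick on $int_if
]

def matches(rule, pkt):
    for key in ("dir", "iface", "proto", "dst", "icmptype"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return "dport" not in rule or pkt.get("dport") in rule["dport"]

def translate(pkt):
    """Translation stage: rewrite the destination of packets an rdr rule matches."""
    pkt = dict(pkt)
    for r in RDR:
        if (pkt["dir"] == "in" and pkt["iface"] == r["iface"]
                and pkt["proto"] == r["proto"] and pkt.get("dport") == r["dport"]):
            pkt["dst"] = r["to"]
    return pkt

def evaluate(pkt, rules=FILTER):
    """Return (action, index of the deciding rule); no match at all means pass."""
    pkt = translate(pkt)
    decision = ("pass", None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule["action"], i)
            if rule.get("quick"):
                break  # quick: later rules can no longer override this one
    return decision

# Constructed sample packets (documentation address ranges).
WEB_IN = dict(dir="in", iface=EXT_IF, proto="tcp", dst=EXT_ADDR, dport=80)
SMTP_IN = dict(dir="in", iface=EXT_IF, proto="tcp", dst=EXT_ADDR, dport=25)
LAN_IN = dict(dir="in", iface=INT_IF, proto="tcp", dst="10.30.50.1", dport=25)
```

Evaluating WEB_IN passes on the $comp3 rule only because the rdr rewrite happened first; reversing the rule order shows that the quick rule still decides for LAN_IN, while the same rule without quick would be overridden by the later "block in".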
pfsync/CARP
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
http://www.freebsd.org/cgi/man.cgi?query=pfctl