I want to block all incoming traffic on a specific port and put the source IPs of those blocked packets into a table… I don't know of a pf.conf solution; I guess I would use some other trick, but I really don't know which! Maybe a script that listens to tcpdump on a specific pflog interface, which receives the logs for those blocked packets, and reports the IPs to the pfctl add-to-table command. Any ideas for a more lightweight way to achieve this?
I use this configuration on my server. Basically I have a table of trusted IPs and a table for those trying to brute-force SSH (when it is open to the world, which is rare).
Create a new file at /etc/trusted and put your own IP address(es) in it (one per line).
Open/create /etc/firewall and put in your rules (i.e. HTTP/S, SSH):
#######################################################################
me="vtnet0"
table <bruteforcers> persist
table <trusted> persist file "/etc/trusted"
icmp_types = "echoreq"
junk_ports="{ 135,137,138,139,445,68,67,3222 }"
junk_ip="224.0.0.0/4"

set loginterface vtnet0

scrub on vtnet0 reassemble tcp no-df random-id

# ---- First rule obligatory "Pass all on loopback"
pass quick on lo0 all

# ---- Block junk logs
block quick proto { tcp, udp } from any to $junk_ip
block quick proto { tcp, udp } from any to any port $junk_ports

# ---- Second rule "Block all in and pass all out"
block in log all
pass out all keep state

############### FIREWALL ###############################################
# ---- Allow all traffic from my office
pass quick proto {tcp, udp} from 1.2.3.4 to $me keep state

# ---- Allow incoming Web traffic
pass quick proto tcp from any to $me port { 80, 443 } flags S/SA keep state

# ---- Block bruteforcers
block log quick from <bruteforcers>

# ---- Allow SSH from trusted sources, but block bruteforcers
pass quick proto tcp from <trusted> to $me port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 20/60, \
    overload <bruteforcers> flush global)

# ---- Allow ICMP
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out inet proto icmp all icmp-type $icmp_types keep state
Update your /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/firewall"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
Check whether anyone has landed in the bruteforcers table:
pfctl -t bruteforcers -T show
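As an added example that is not part of the answer above: the question's own idea, a script that reads the pflog interface through tcpdump and feeds the source addresses of blocked packets on one port into a pf table with pfctl. It works with the rules above because "block in log all" already sends blocked packets to pflog. The log line format is assumed to be that of "tcpdump -n -e -ttt -i pflog0", the sample lines are constructed, and the table name "bruteforcers" is only an example.

```shell
#!/bin/sh
# Constructed sample of pflog lines as printed by tcpdump (not a real capture).
# Format assumed: "<delta> rule N/0(match): block in on IF: SRC.PORT > DST.PORT: ..."
SAMPLE_PFLOG='000000 rule 3/0(match): block in on vtnet0: 198.51.100.7.40211 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0
000012 rule 3/0(match): block in on vtnet0: 198.51.100.7.40212 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0
000030 rule 3/0(match): block in on vtnet0: 192.0.2.44.51000 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0
000041 rule 3/0(match): block in on vtnet0: 192.0.2.99.2222 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
000055 rule 1/0(match): pass in on vtnet0: 10.0.0.5.3333 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0'

# extract_blocked_srcs PORT: read pflog text on stdin and print the unique
# source IPv4 addresses of packets pf logged as "block in" destined to PORT.
# Passed packets and other destination ports are ignored.
extract_blocked_srcs() {
    port="$1"
    awk -v port="$port" '
        /\(match\): block in on/ {
            # locate the "SRC.PORT > DST.PORT:" pair around the ">" token
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            sub(/:$/, "", dst)
            n = split(dst, d, ".")
            if (n == 5 && d[5] == port) {
                m = split(src, s, ".")
                if (m == 5) print s[1] "." s[2] "." s[3] "." s[4]
            }
        }' | sort -u
}

# feed_table TABLE PORT: add each offending source to the pf table.
# With DRY_RUN set, print the pfctl command instead of running it
# (useful on a host without pf, or to review before enforcing).
feed_table() {
    table="$1"; port="$2"
    extract_blocked_srcs "$port" | while read -r ip; do
        if [ -n "$DRY_RUN" ]; then
            printf 'pfctl -t %s -T add %s\n' "$table" "$ip"
        else
            pfctl -t "$table" -T add "$ip"
        fi
    done
}

# Live use on the firewall (-l makes tcpdump line-buffered so entries
# are added as they are logged):
#   tcpdump -n -e -ttt -l -i pflog0 | feed_table bruteforcers 22
```

Entries added this way stay until removed; "pfctl -t bruteforcers -T expire SECONDS" or a periodic "-T flush" keeps the table from growing without bound.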