Using PF under OS X, but skipping the local interface

I use PF under OS X to force the operating system to send all external connections through the VPN to IPredator. But as soon as I start PF, all local connections are blocked, even though I thought I had told PF to skip that interface. Is anyone here familiar with PF under OS X who could give me a hint? Here is my pf.conf:

    #
    # com.apple anchor point
    #
    #scrub-anchor "com.apple/*"
    #nat-anchor "com.apple/*"
    #rdr-anchor "com.apple/*"
    #dummynet-anchor "com.apple/*"
    #anchor "com.apple/*"
    #load anchor "com.apple" from "/etc/pf.anchors/com.apple"

    wifi=en0
    wifi2=en1
    lan1=en2
    lan2=en3
    lan3=en4
    lan4=en5
    lan5=en6
    vpn=tun0
    vpn2=tap0

    # Default block policy is sending a RST. This allows applications to quickly
    # notice that they are not allowed to connect.
    set block-policy return

    set skip on lo0
    set skip on $vpn
    # Don't filter on local loopback or the VPN interface.
    #set skip on { lo0 $vpn }

    # Scrub all incoming packets.
    scrub in all

    # Don't allow IPv6 at all. This is sad, but IPredator doesn't support it.
    block quick inet6

    # By default, don't allow anything on the actual physical links.
    block on { $wifi $wifi2 $lan1 $lan2 $lan3 $lan4 $lan5 }

    # Allow DHCP.
    # I could probably be more specific than "from any", but didn't find a way to
    # specify the link's local network universally. "from $wifi:network" works, but
    # "from $ether:network" for example doesn't as long as $ether does not exist.
    pass quick on { $wifi $wifi2 $lan1 $lan2 $lan3 $lan4 $lan5 } proto udp from any port 67:68

    # Allow DNS
    pass out quick proto udp to any port 53

    # Allow iPredator VPN.
    # The destination address specification is a bit loose, but I couldn't get a
    # complete list of hosts. Only allowing UDP 1194 should be enough to keep
    # possible risks to a minimum.
    pass quick proto udp to 46.246.32.0/19 port 1194

    # vim: ft=pf

Thanks in advance!

Norbert

In the meantime I have done some more debugging. One problem I seem to have is the lines:

    set skip on lo0
    set skip on $vpn

It seems I need to combine them:

    set skip on { lo0, $vpn }

However, the effect is still the same. Local connections are still blocked. When I list the ruleset, it seems the skip commands do not end up in the ruleset:

    sudo pfctl -sr                                                  [15:45:33]
    No ALTQ support in kernel
    ALTQ related functions disabled
    scrub in all fragment reassemble
    block drop quick inet6 all
    block drop on en0 all
    block drop on en1 all
    block drop on en2 all
    block drop on en3 all
    block drop on en4 all
    block drop on en5 all
    block drop on en6 all
    pass quick on en0 proto udp from any port 67:68 to any keep state
    pass quick on en1 proto udp from any port 67:68 to any keep state
    pass quick on en2 proto udp from any port 67:68 to any keep state
    pass quick on en3 proto udp from any port 67:68 to any keep state
    pass quick on en4 proto udp from any port 67:68 to any keep state
    pass quick on en5 proto udp from any port 67:68 to any keep state
    pass quick on en6 proto udp from any port 67:68 to any keep state
    pass out quick proto udp from any to any port = 53 keep state
    pass quick inet proto udp from any to 46.246.32.0/19 port = 1194 keep state

Very strange...
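As an added example (not part of the original post, and not pfctl's own code), the following Python script expands the macros of a pf.conf like the one above and reports which concrete interfaces end up under `set skip` versus which are named in the `on` clause of block/pass rules. It re-implements only the bits of pf.conf syntax the posted file uses (`name=value` macros, `$name` references, `{ a, b }` lists) and runs on a constructed, trimmed copy of the poster's configuration; both the trimming and the helper names are ours.

```python
"""Macro expander and skip/filter coverage check for a pf.conf fragment.
Added example; only the pf.conf subset used by the post is handled."""
import re

# Constructed sample input: a trimmed copy of the pf.conf from the post.
PF_CONF = """\
wifi=en0
wifi2=en1
lan1=en2
vpn=tun0
vpn2=tap0
set block-policy return
set skip on lo0
set skip on $vpn
block quick inet6
block on { $wifi $wifi2 $lan1 }
pass quick on { $wifi $wifi2 $lan1 } proto udp from any port 67:68
pass out quick proto udp to any port 53
"""

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
MACRO_REF = re.compile(r'\$(\w+)')
ON_CLAUSE = re.compile(r'\bon\s+(\{[^}]*\}|\S+)')


def parse_macros(text):
    """Collect name=value macro definitions, in file order."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros):
    """Substitute $name references; pfctl rejects undefined macros, so do we."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError("macro $%s is not defined" % name)
        return macros[name]
    return MACRO_REF.sub(sub, line)


def split_list(text):
    """'{ a, b c }' -> ['a', 'b', 'c']; a bare word -> [word]."""
    text = text.strip()
    if text.startswith('{'):
        return [t for t in re.split(r'[\s,]+', text[1:text.index('}')]) if t]
    return [text]


def statements(text):
    """Yield (kind, expanded_line) for non-comment, non-macro lines.
    kind is 'option' for 'set ...' lines (pfctl -sr never lists options)
    and 'rule' for everything else."""
    macros = parse_macros(text)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or MACRO_DEF.match(line):
            continue
        line = expand(line, macros)
        yield ('option' if line.startswith('set ') else 'rule'), line


def skipped_interfaces(text):
    """Concrete interfaces named by every 'set skip on ...' option, in order."""
    skipped = []
    for kind, line in statements(text):
        if kind == 'option' and line.startswith('set skip on'):
            for ifname in split_list(line[len('set skip on'):]):
                if ifname not in skipped:
                    skipped.append(ifname)
    return skipped


def filtered_interfaces(text):
    """Interfaces that appear in the 'on' clause of a block or pass rule."""
    found = set()
    for kind, line in statements(text):
        if kind == 'rule' and line.split()[0] in ('block', 'pass'):
            m = ON_CLAUSE.search(line)
            if m:
                found.update(split_list(m.group(1)))
    return found


def report(text):
    """Skipped interfaces, interfaces named by rules, and the overlap
    (rules on a skipped interface are dead, because skip wins)."""
    skipped = skipped_interfaces(text)
    filtered = filtered_interfaces(text)
    return {'skipped': skipped,
            'filtered': sorted(filtered),
            'both': sorted(set(skipped) & filtered)}


if __name__ == '__main__':
    for key, value in report(PF_CONF).items():
        print('%-9s %s' % (key, ', '.join(value) or '-'))
```

The split into `option` and `rule` statements is the point worth keeping in mind when reading the `pfctl -sr` listing above: `set` lines are options, not rules, so they never show up there; pf reports the skip flag per interface under `pfctl -s Interfaces -v`, where a skipped interface is printed with `(skip)` after its name.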