Is anyone here familiar with using PF under OS X? I use PF to force all traffic on my MacBook through a VPN. To do this I use the following pf.conf:
```
wifi=en0
wifi2=en1
lan1=en2
lan2=en3
lan3=en4
lan4=en5
lan5=en6
#vpn=tun0
vpn=utun0
#vpn2=tap0

set block-policy return
set skip on {lo0,$vpn}

# Scrub all incoming packets.
scrub in all

block in all
block out all

# Don't allow IPv6 at all. This is sad, but IPredator doesn't support it.
block quick inet6

# Allow DHCP.
# I could probably be more specific than "from any", but didn't find a way to
# specify the link's local network universally. "from $wifi:network" works, but
# "from $ether:network" for example doesn't as long as $ether does not exist.
pass quick on { $wifi $wifi2 $lan1 $lan2 $lan3 $lan4 $lan5 } proto udp from any port 67:68

# Allow DNS
pass out quick proto udp to any port 53

# Allow iPredator VPN.
# The destination address specification is a bit loose, but I couldn't get a
# complete list of hosts. Only allowing UDP 1194 should be enough to keep
# possible risks to a minimum.
pass quick proto udp to 46.246.32.0/19 port 1194

# Allow all incoming and outgoing local traffic
pass in on { $wifi $wifi2 $lan1 $lan2 $lan3 $lan4 $lan5 } proto { tcp, udp, icmp } from 192.168.1.0/24 to 192.168.1.0/24
pass out on { $wifi $wifi2 $lan1 $lan2 $lan3 $lan4 $lan5 } proto { tcp, udp, icmp } from 192.168.1.0/24 to 192.168.1.0/24
```
Basically, the firewall works as it should. However, when I put my MacBook to sleep and wake it up again, the whole firewall hangs. Even though the VPN connection is still active, no connections are allowed. In that case I have to start the firewall again (pfctl -e), and then it runs again. It also often happens that the VPN connection drops, the firewall blocks all traffic (which is correct), the VPN automatically reconnects, but the firewall doesn't notice until I restart it.
Has anyone here seen behavior like this? Is there any trick for it? Thanks, Norbert
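As an added example (not part of Norbert's post), a periodic watchdog for the two symptoms described above: it re-enables pf when `pfctl -s info` reports it disabled and reloads the ruleset when the tunnel interface has gone away and come back. The config path, interface name and state-file location are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Run periodically (launchd/cron):
#   sh pf-vpn-watch.sh run
PF_CONF="${PF_CONF:-/etc/pf.conf}"                  # assumed ruleset path
VPN_IF="${VPN_IF:-utun0}"                           # the $vpn interface from pf.conf
STATE_FILE="${STATE_FILE:-/tmp/pf-vpn-watch.state}" # remembers last VPN state

# Parse `pfctl -s info` output from stdin; its first line reads
# "Status: Enabled for ..." or "Status: Disabled for ...". Prints enabled/disabled.
pf_status_from_info() {
    awk '/^Status:/ { print tolower($2); exit }'
}

# True when the tunnel interface exists (ifconfig fails for unknown interfaces).
vpn_if_present() {
    ifconfig "$1" >/dev/null 2>&1
}

# Decide the action from: pf status, VPN interface state now, VPN state at the
# last check. Prints "enable", "reload" or "none".
decide_action() {
    status=$1; vpn_now=$2; vpn_before=$3
    if [ "$status" != "enabled" ]; then
        echo enable                      # pf was switched off (e.g. after sleep)
    elif [ "$vpn_now" = "up" ] && [ "$vpn_before" = "down" ]; then
        echo reload                      # tunnel came back: reload so pf sees it
    else
        echo none
    fi
}

# One pass of the watchdog.
watch_once() {
    status=$(pfctl -s info 2>/dev/null | pf_status_from_info)
    if vpn_if_present "$VPN_IF"; then vpn_now=up; else vpn_now=down; fi
    vpn_before=$(cat "$STATE_FILE" 2>/dev/null || echo down)
    case $(decide_action "${status:-disabled}" "$vpn_now" "$vpn_before") in
        enable) pfctl -e >/dev/null 2>&1; pfctl -f "$PF_CONF" ;;  # enable and reload
        reload) pfctl -f "$PF_CONF" ;;
    esac
    echo "$vpn_now" > "$STATE_FILE"
}

if [ "${1:-}" = "run" ]; then
    watch_once
fi
```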