So, I am building an OpenBSD 6.0 pf-based gateway. Based on what I read in the pf man pages and the OpenBSD pf FAQ, plus a few examples from the internet, I was able to configure the firewall. But I am not sure I got it right:
```pf
## Macros
wan="WAN interface"
wan_ip="WAN IP address"
lan="LAN interface"
lan_ip="LAN IP address"
lan_nw="LAN network address with subnetmask"
man="management interface"
man_ip="management ip address"
lo="lo0"

## TABLES
table <spammers> persist file "/etc/spammers.txt"

## OPTIONS
set block-policy drop
# debug lvl: none - urgent - misc - loud
set debug none
set limit { frags 2000, states 20000, src-nodes 2000, tables 1000, table-entries 100000 }
set loginterface { $wan, $lan, $man }
set optimization normal
set reassemble yes
set ruleset-optimization none
set skip on $lo
set state-defaults pflow, no-sync
set state-policy if-bound

## TRAFFIC NORMALIZATION
scrub on $wan all reassemble tcp
scrub in on $wan all fragment reassemble max-mss 1440
scrub out on $wan all fragment reassemble random-id no-df
# For NFS
scrub in on $lan all no-df
scrub out on $lan all no-df
antispoof for { $lo, $wan, $lan, $man }

## QUEUEING RULES

## TRANSLATION RULES (NAT)
nat on $wan from $lan_nw to any -> $wan_ip

## FILTER RULES
# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all
# Block everything coming from and to spam IP's
block in on $wan from <spammers> to any
block out on $wan from any to <spammers>
# Activate spoofing protection for all interfaces
block in on all from urpf-failed
# Default TCP policy
block return-rst in log on $wan proto TCP all
pass in quick on $man proto TCP from any to $man_ip port 22 flags S/FSRA keep state
# Default UDP policy
block in log on $wan proto udp all
# Provide NTP to LAN and mgmt network.
pass in quick on $lan proto UDP from any to $lan_ip port 123
pass in quick on $man proto UDP from any to $man_ip port 123
# Default ICMP policy
block in log on $wan proto icmp all
pass in quick on $wan proto icmp from any to $wan_ip echoreq keep state
block out on $wan all
pass out quick on $wan from $wan_ip to any keep state
```
Is this enough to make a hardened gateway router? Could someone check my configuration and give me some feedback or pointers?
Your first scrub rule is redundant; you repeat the same effect in the next two rules.
Make your specific block rules `quick`, otherwise they can be overridden by later rules. (By default the last matching rule wins, unless `quick` is given, which effectively leaves rule evaluation at that point.) In particular, with your initial `block` rule, everything that is not explicitly matched is blocked anyway, so most of your later block rules are redundant.
When testing, use `log` and watch the `pflog0` interface. Also use the verbose mode of pfctl's show-rules output (`pfctl -vsr`) to see the match counters for the rules and make sure they are actually doing something.
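As an added example, not part of the question or the answer above: the posted ruleset rewritten the way the answer suggests, with one logged catch-all `block`, `quick` on every explicit block and pass rule so a later rule cannot override them, and a single normalisation rule in place of the three scrub rules. It is also written in the syntax OpenBSD 6.0 actually accepts: since OpenBSD 4.7 there are no standalone `nat` or `scrub` directives (both are options on `match` rules), an ICMP type is given with `icmp-type`, and `set loginterface` takes a single interface or group. The interface names and the LAN prefix are placeholder values chosen for the example.

```pf
# Added example, not the asker's configuration. Interface names and the LAN
# prefix are assumed placeholders; adjust them to the real gateway.
wan    = "em0"
lan    = "em1"
man    = "em2"
lan_nw = "192.168.1.0/24"

table <spammers> persist file "/etc/spammers.txt"

set block-policy drop
set skip on lo0
set loginterface $wan            # one interface or group, not a list

# One normalisation rule covers what the three scrub rules did
match in all scrub (no-df random-id max-mss 1440)

# NAT for the LAN; ($wan) tracks the address currently on the interface
match out on $wan from $lan_nw to any nat-to ($wan)

antispoof quick for { $wan $lan $man }

# Catch-all: anything no later rule matches is dropped and logged
block log all

# Explicit blocks are quick so a later pass cannot override them
block in  quick log on $wan from <spammers>
block out quick log on $wan to <spammers>
block in  quick log on all from urpf-failed

# Management SSH from the management network only
pass in quick on $man proto tcp from $man:network to ($man) port 22 flags S/SA

# NTP for the LAN and the management network
pass in quick on $lan proto udp to ($lan) port 123
pass in quick on $man proto udp to ($man) port 123

# Answer pings on the WAN address
pass in quick on $wan inet proto icmp to ($wan) icmp-type echoreq

# Let the LAN and the gateway itself reach out; state is kept by default
pass in  quick on $lan from $lan_nw
pass out quick on $wan
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), then load it with `pfctl -f /etc/pf.conf`. Packets hitting a `log` rule can be watched with `tcpdump -n -e -ttt -i pflog0`, and `pfctl -vsr` prints each rule with its evaluation and match counters, which is how you confirm that a rule is actually being hit rather than shadowed by the catch-all.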