[Network Tools] pfctl (QNX & Linux sections still to be added)

OpenBSD

Activation

# pfctl -e                 # Enable PF (rules already loaded take effect)
# pfctl -d                 # Disable PF (ruleset stays loaded, nothing is filtered)

Configuration

PF reads its configuration from /etc/pf.conf.

pf.conf is made up of:

  1. Macros: user-defined variables that can hold IP addresses, interface names, etc.
  2. Tables: a data structure for holding lists of IP addresses.
  3. Options: settings (set ...) that control how PF operates.
  4. Filter Rules: selectively pass or block packets crossing any interface.

After boot, PF can also be controlled with the following commands:

# pfctl -f  /etc/pf.conf        # Load the pf.conf file
# pfctl -nf /etc/pf.conf        # Parse the file, but don't load it
# pfctl -sr                # Show the current ruleset
# pfctl -ss                # Show the current state table
# pfctl -si                # Show filter stats and counters
# pfctl -sa                # Show everything it can show
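The -nf / -f pair above is what a safe reload is built from: parse the candidate file first, load it only if it parses, and keep a way back. The wrapper below is an added example (not code from the original page or from OpenBSD); it assumes pfctl is in PATH and that the caller may run it (root or doas), and the file locations and the pf_* function names are assumptions. It arms a timer that reloads the last known-good ruleset unless the operator confirms within ROLLBACK_SECS, which is what keeps a bad "block" rule from locking you out of an ssh session.

```shell
#!/bin/sh
# Added example: check-then-load wrapper around pfctl with automatic rollback.
# Assumptions: pfctl in PATH, caller allowed to run it, paths below are defaults
# you can override from the environment.

PF_CONF="${PF_CONF:-/etc/pf.conf}"          # last known-good, active ruleset
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"        # time the operator has to confirm
PF_STATE_DIR="${PF_STATE_DIR:-/tmp}"        # where the rollback timer pid lives

# pf_check FILE: parse only (pfctl -nf); exit 0 if the file is loadable,
# otherwise pfctl prints the offending line and this returns non-zero.
pf_check() {
    pfctl -nf "$1"
}

# pf_try FILE: parse, then load FILE and arm a timer that reloads $PF_CONF
# after $ROLLBACK_SECS unless pf_commit is called first.
# Returns 2 when the parse fails (active ruleset untouched), 3 when the load fails.
pf_try() {
    candidate="$1"
    pf_check "$candidate" || return 2
    pfctl -f "$candidate" || return 3
    (
        sleep "$ROLLBACK_SECS" && pfctl -f "$PF_CONF"   # restore the old rules
        rm -f "$PF_STATE_DIR/pf_rollback.pid"           # timer has fired
    ) &
    echo "$!" > "$PF_STATE_DIR/pf_rollback.pid"
}

# pf_commit FILE: cancel the rollback timer and make FILE the new $PF_CONF.
# Returns 1 if no timer is armed (nothing was tried, or the rollback already ran).
pf_commit() {
    pidfile="$PF_STATE_DIR/pf_rollback.pid"
    [ -f "$pidfile" ] || return 1
    kill "$(cat "$pidfile")" 2>/dev/null || true
    rm -f "$pidfile"
    cp "$1" "$PF_CONF"
}

# pf_rollback_pending: exit 0 while a rollback timer is armed
pf_rollback_pending() {
    [ -f "$PF_STATE_DIR/pf_rollback.pid" ]
}
```

Typical use from a remote session is `pf_try /etc/pf.conf.new`, then, once the session is confirmed to still work, `pf_commit /etc/pf.conf.new`; if the session hangs, the timer restores /etc/pf.conf and the box stays reachable. The rollback reloads the saved file rather than the output of `pfctl -sr`, because -sr prints filter rules only (no options, tables or macros) and is not a complete ruleset.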

Filter Rules

action [direction] [log] [quick] [on interface] [af] [proto protocol]
       [from src_addr [port src_port]] [to dst_addr [port dst_port]]
       [flags tcp_flags] [state]

Example

The rules below use route-to / dup-to, which are not in the grammar above. Note that placing them before the address family is the older pf.conf grammar; current OpenBSD pf.conf(5) takes them as filter options after the host specification, so run pfctl -nf against your release before loading them.

# SOME/IP service discovery (UDP 30490 to multicast) from 192.168.1.3 on vp0 is sent out via vlan20
pass in quick on vp0 route-to vlan20 inet proto udp from 192.168.1.3 to 224.0.0.0/4 port = 30490
# same multicast traffic arriving on vlan20 is passed, and a copy is sent out vp0 to 192.168.1.3
pass in quick on vlan20 dup-to (vp0 192.168.1.3) inet proto udp from 172.20.2.31 to 224.0.0.0/4 port = 30490
# HTTPS leaving 172.20.0.0/16 is forced out vlan40 via 172.20.4.31; modulate state also randomises TCP ISNs
pass out route-to (vlan40 172.20.4.31) inet proto tcp from 172.20.0.0/16 to ! 172.20.0.0/16 port = https modulate state
# silently drop and log anything from 172.20.1.0/24 on vlan10 not destined for its own subnet; quick ends evaluation
block drop in log quick on vlan10 inet from 172.20.1.0/24 to ! 172.20.1.0/24
# IKE/ISAKMP (UDP 500) from 172.20.2.11 to the gateway 172.20.2.1 on vlan20
pass out on vlan20 inet proto udp from 172.20.2.11 port = 500 to 172.20.2.1 port = 500

pf.conf example

int_if  = "dc0"
lan_net = "192.168.0.0/24"

# table containing all IP addresses assigned to the firewall
table <firewall> const { self }

# don't filter on the loopback interface
set skip on lo0

# scrub incoming packets
match in all scrub (no-df)

# set up a default deny policy
block all

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.0.15. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.15 to $int_if port ssh

# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.
pass in  on $int_if from $lan_net
pass out on $int_if to   $lan_net

# pass tcp, udp, and icmp out on the external (internet) interface.
# tcp connections will be modulated, udp/icmp will be tracked statefully.
pass out on egress proto { tcp udp icmp } all modulate state

# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect.
# Uncomment last part to use the tcp syn proxy to proxy the connection.
pass in log on egress proto tcp to ! <firewall> port ssh # synproxy state