OpenBSD
Activation
# pfctl -e # Enable PF
# pfctl -d # Disable PF
Configuration
PF reads its configuration from /etc/pf.conf.
pf.conf consists of:
- Macros: user-defined variables that can hold IP addresses, interface names, and so on.
- Tables: a data structure used to hold lists of IP addresses.
- Options: various options that control how PF operates.
- Filter Rules: allow packets passing through any interface to be selectively filtered or blocked.
After boot, PF can also be operated with the following commands:
# pfctl -f /etc/pf.conf # Load the pf.conf file
# pfctl -nf /etc/pf.conf # Parse the file, but don't load it
# pfctl -sr # Show the current ruleset
# pfctl -ss # Show the current state table
# pfctl -si # Show filter stats and counters
# pfctl -sa # Show everything it can show
Filter Rules
action [direction] [log] [quick] [on interface] [af] [proto protocol]
[from src_addr [port src_port]] [to dst_addr [port dst_port]]
[flags tcp_flags] [state]
Example
pass in quick on vp0 route-to vlan20 inet proto udp from 192.168.1.3 to 224.0.0.0/4 port = 30490
pass in quick on vlan20 dup-to (vp0 192.168.1.3) inet proto udp from 172.20.2.31 to 224.0.0.0/4 port = 30490
pass out route-to (vlan40 172.20.4.31) inet proto tcp from 172.20.0.0/16 to ! 172.20.0.0/16 port = https modulate state
block drop in log quick on vlan10 inet from 172.20.1.0/24 to ! 172.20.1.0/24
pass out on vlan20 inet proto udp from 172.20.2.11 port = 500 to 172.20.2.1 port = 500
pf.conf example
int_if = "dc0"
lan_net = "192.168.0.0/24"
# table containing all IP addresses assigned to the firewall
table <firewall> const { self }
# don't filter on the loopback interface
set skip on lo0
# scrub incoming packets
match in all scrub (no-df)
# set up a default deny policy
block all
# activate spoofing protection for all interfaces
block in quick from urpf-failed
# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.0.15. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.15 to $int_if port ssh
# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.
pass in on $int_if from $lan_net
pass out on $int_if to $lan_net
# pass tcp, udp, and icmp out on the external (internet) interface.
# tcp connections will be modulated, udp/icmp will be tracked statefully.
pass out on egress proto { tcp udp icmp } all modulate state
# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect.
# Uncomment last part to use the tcp syn proxy to proxy the connection.
pass in log on egress proto tcp to ! <firewall> port ssh # synproxy state
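A parser for the filter-rule grammar given above, applied to the example rules and to the pf.conf ruleset, as an added example that is not part of these notes or of OpenBSD's own tools. It assumes rules use only the keywords shown on this page (plus route-to/dup-to/reply-to targets and keep/modulate/synproxy state); anything it does not recognise is kept under an "extra" key rather than rejected, and the has_default_deny check and the dictionary field names are this example's own.

```python
"""Added example (not from the page): parse pf filter rules using the grammar above."""
import re
ACTIONS = ("pass", "block", "match")

def tokenize(line: str) -> list:
    """Drop a trailing comment; keep {...} lists and (...) groups as single tokens."""
    return re.findall(r"\{[^}]*\}|\([^)]*\)|\S+", line.split("#", 1)[0])

def parse_rule(line: str):
    toks = tokenize(line); i, n = 1, len(toks)
    if not toks or toks[0] not in ACTIONS:
        return None                      # macro, table, "set" option, comment or blank line
    r = {"action": toks[0], "direction": None, "log": False, "quick": False, "interface": None,
         "af": None, "proto": None, "from": None, "to": None, "sport": None, "dport": None,
         "flags": None, "state": None}
    if toks[0] == "block" and i < n and toks[i] in ("drop", "return"):   # block [drop|return]
        r["action"] += " " + toks[i]; i += 1
    while i < n:
        t = toks[i]; i += 1
        if t in ("in", "out"):          r["direction"] = t
        elif t in ("log", "quick"):     r[t] = True
        elif t in ("inet", "inet6"):    r["af"] = t
        elif t == "all":                r["from"] = r["to"] = "any"
        elif t in ("on", "flags"):      r["interface" if t == "on" else "flags"] = toks[i]; i += 1
        elif t == "proto":              r["proto"] = toks[i].strip("{} ").split(); i += 1   # { tcp udp }
        elif t in ("from", "to"):       # [!] addr [port [=] port]
            neg = toks[i] == "!"; i += neg
            r[t] = ("!" if neg else "") + toks[i]; i += 1
            if i < n and toks[i] == "port":
                i += 1 + (i + 1 < n and toks[i + 1] == "=")
                r["sport" if t == "from" else "dport"] = toks[i]; i += 1
        elif t in ("keep", "modulate", "synproxy") and i < n and toks[i] == "state":
            r["state"] = t; i += 1
        elif t in ("route-to", "dup-to", "reply-to"):
            r["route"] = (t, toks[i]); i += 1
        else:                            # anything else (scrub, (no-df), urpf-failed ...)
            r.setdefault("extra", []).append(t)
    return r

def parse_ruleset(conf: str) -> list:
    return [r for r in map(parse_rule, conf.splitlines()) if r]

def has_default_deny(rules: list) -> bool:
    """True if a non-quick "block all" precedes every pass rule (the page's default-deny policy)."""
    for r in rules:
        if r["action"] == "pass":
            return False
        if r["action"].startswith("block") and r["from"] == "any" and not r["quick"]:
            return True
    return False
```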