FreeBSD firewall configuration

Analyze this configuration, line 108: `block in log on $int_if proto icmp from { $int_net, 192.168.165.130 }`
This rule blocks, on the internal interface (`$int_if`), inbound ICMP (Internet Control Message Protocol) packets whose source is the internal network (`$int_net`) or the specific IP address `192.168.165.130`.

- `block in` tells the firewall to block inbound packets.
- `log` means the firewall records information about the blocked packets in its log.
- `on $int_if` applies the rule to the internal interface.
- `proto icmp` restricts the rule to ICMP packets.
- `from { $int_net, 192.168.165.130 }` restricts the rule to packets whose source is the internal network or the IP address `192.168.165.130`.

So the rule means, roughly: log and block all inbound ICMP packets coming from the internal network or from the IP address 192.168.165.130.

```
0: # UTMFW pf rules
1: # See pf.conf(5) and /etc/examples/pf.conf
2: # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
3: # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
4:
5: int_if = "em0"
6: ext_if = "em0"
7: int_net = "192.168.1.0/24"
8:
9: # MSN, ICQ/AIM, Yahoo, IRC
10: im_ports = "{ 1863, 5190, 5050, 6667 }"
11:
12: # FCM ports for Firebase push notifications
13: fcm_ports = "{ 5228, 5229, 5230 }"
14:
15: openvpn = "{ tun0, tun1 }"
16:
17: table persist file "/etc/pf.restrictedips"
18: table persist
19: table persist
20: table persist
21:
22: set loginterface $int_if
23:
24: # Do not skip lo, we have rules for lo conns
25: # set skip on lo
26:
27: match in all scrub (no-df)
28:
29: # FTP-proxy
30: anchor "ftp-proxy/*"
31: pass in log quick on $int_if proto tcp from $int_net to port ftp divert-to lo port 8021
32:
33: # Spamd spam deferral daemon
34: pass in log quick on $ext_if proto tcp from to port smtp divert-to lo port spamd
35: pass in log quick on $ext_if proto tcp from ! to port smtp divert-to lo port spamd
36:
37: # Web filter
38: # Pass http packets to SSLproxy, which relays them to web filter listening on lo 8080
39: pass in log quick on $int_if proto tcp from $int_net to !$int_if port www divert-to lo port 8081
40: pass in log quick on $int_if proto tcp from $int_net to !$int_if port https divert-to lo port 8443
41:
42: # POP3 proxy
43: # SSLproxy handles both plain and secure pop3, so that pop3 proxy gets the src addr
44: pass in log quick on $int_if proto tcp from $int_net to !$int_if port pop3 divert-to lo port 8994
45: pass in log quick on $int_if proto tcp from $int_net to !$int_if port pop3s divert-to lo port 8995
46:
47: # SMTP proxy
48: # SSLproxy handles both plain and secure smtp, so that smtp proxy gets the src addr
49: pass in log quick on $int_if proto tcp from $int_net to !$int_if port smtp divert-to lo port 8464
50: pass in log quick on $int_if proto tcp from $int_net to !$int_if port 465 divert-to lo port 8465
51: pass in log quick on $int_if proto tcp from $int_net to !$int_if port submission divert-to lo port 8466
52:
53: # Snort IPS inline inspects http, pop3, and smtp traffic, both plain and decrypted by SSLproxy
54: pass in quick on lo proto tcp to port { 8080, 8110, 9199 } divert-packet port 700
55:
56: # IM proxy
57: pass in log quick on $int_if proto tcp from $int_net to !$int_if port $im_ports divert-to lo port 16667
58:
59: # NAT
60: match out log on $ext_if inet from ($int_if:network) nat-to ($ext_if)
61:
62: # Do not enable antispoof on lo or $int_if directly, a few of the antispoof rules break divert rules on lo
63: # Instead, add the ones which do not break divert rules
64: # antispoof quick for { lo, $int_if }
65: block drop in log quick on !lo inet6 from ::1 to any
66: block drop in log quick on !lo inet from 127.0.0.0/8 to any
67: block drop in log quick inet6 from ::1 to any
68: block drop in log quick on lo inet6 from fe80::1 to any
69:
70: # Snort IPS passive mode
71: block in log quick from
72: block out log quick to
73:
74: # BLOCK ALL TRAFFIC BY DEFAULT
75: # Do not block all including lo, it breaks divert rules on lo
76: # block log all
77: # Do not pass all on lo either, it breaks divert-packet rule for http PUT method for large files
78: # pass on lo flags any
79: # Instead, block other interfaces individually
80: block log on { $int_if, $ext_if } all
81:
82: # pass tcp, udp, and icmp out on the external (Internet) interface
83: pass out log on $ext_if proto { tcp, udp, icmp }
84:
85: # Block direct network access to UTM services using SSLproxy
86: block log on { $int_if, $ext_if } proto tcp user { _e2guardian, _p3scan, _smtp-gated }
87: # Snort IDS can listen in only
88: block out log on { $int_if, $ext_if } proto tcp user _snort
89:
90: # SSH connection to/from UTMFW
91: pass in log on $int_if proto tcp from $int_net to $int_if port ssh
92: pass out log on $int_if proto tcp from $int_if to port ssh
93:
94: # UTMFW Web Administration Interface
95: pass in log on $int_if proto tcp from $int_net to $int_if port { www, https }
96:
97: # Firebase push notifications for internal mobile devices
98: # pass in log on $int_if proto tcp from $int_net to port $fcm_ports
99:
100: # DNS queries to UTMFW
101: pass in log on $int_if proto { tcp, udp } from $int_net to $int_if port { domain, bootps }
102:
103: # UTMFW proxies
104: pass out log on $ext_if proto tcp from ($ext_if) to port $im_ports
105: pass in log on $ext_if proto tcp from port $im_ports to ($ext_if)
106:
107: # ping
108: pass in log on $int_if proto icmp from $int_net
109: pass out log on $int_if proto icmp from $int_if to $int_net
110:
111: # Secure Mail access: IMAPs
112: pass in log on $int_if proto tcp from $int_net to !$int_if port imaps
113:
114: # VPN passthru
115: # pass in log on $int_if proto esp from $int_net
116: # pass in log on $int_if proto { tcp, udp } from $int_net to port { isakmp, 4500 }
117:
118: # OpenVPN
119: # pass in log on $ext_if proto { tcp, udp } to ($ext_if) port 1194
120: # pass log on $openvpn
121:
122: # File sharing applications
123: pass in log on $int_if proto { tcp, udp } from $int_net to port socks
124:
125: # Block RestrictedIPs
126: block in log on $int_if proto { tcp, udp } from to port { 16667, socks }
127:
128: # Apply AfterHours rules
129: anchor "AfterHours"
```
This PF firewall configuration file contains a series of rules that control network traffic. A detailed breakdown of each rule follows:

  1. Lines 5-8: define the internal network interface (int_if), the external network interface (ext_if) and the internal network address (int_net).

  2. Lines 10-15: define the instant-messaging ports (im_ports), the Firebase push-notification ports (fcm_ports) and the OpenVPN interfaces (openvpn).

  3. Lines 17-20: define several persistent tables, holding the restricted IP addresses, the spam deferral service, the Snort intrusion detection system and so on.

  4. Line 22: sets the logging interface to the internal interface.

  5. Line 27: applies scrub to all inbound packets; scrub normalizes, randomizes or strips fields in packet headers (here `no-df` clears the don't-fragment bit).

  6. Lines 30-55: define a series of rules that handle specific traffic, such as the FTP proxy, spam deferral, the web filter, the POP3 proxy, the SMTP proxy and Snort IPS.

  7. Line 59: defines the network address translation (NAT) rule, rewriting the source address of outbound packets from the internal network to the address of the external interface.

  8. Lines 65-69: define anti-spoofing rules that block packets with forged source addresses.

  9. Lines 71-72: define the Snort IPS passive-mode rules, which block traffic from known malicious IP addresses.

  10. Line 80: blocks all traffic by default.

  11. Line 83: allows outbound TCP, UDP and ICMP traffic on the external interface.

  12. Lines 90-124: define a series of rules allowing, for example, SSH connections, the web administration interface, DNS queries, the UTMFW proxies, ping, IMAPS, VPN passthrough, OpenVPN and file-sharing applications.

  13. Lines 125-126: define rules that block traffic from restricted IP addresses.

  14. Lines 128-129: apply the rules in the "AfterHours" anchor.

The exact contents of this file will vary with the network environment and the security requirements. For details on using the PF firewall, refer to the official PF documentation.
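To make the evaluation semantics concrete, here is an added Python model (not code from the page or from the UTMFW project) that parses the subset of pf.conf syntax used by the rules above and evaluates constructed packets against them. It shows why the position of the questioned `block` rule relative to line 108 matters: pf gives the last matching rule the final say unless a match carries `quick`, so a `block` appended after line 108 wins, while the same `block` placed before it is overridden. The macro values (ext_if bound to em1 instead of em0), the packet fields and the dictionary representation are assumptions made for the demo.

```python
"""Toy model of pf rule evaluation.  Added example, not code from the page or
from the UTMFW project; it covers only the pf.conf subset the page's rules use
(pass/block, in/out, log, quick, on, proto, from/to, macros, { } lists, '!',
'any', 'all') and ignores ports, state options and everything else."""
import ipaddress
import re

# Constructed macro values: the page binds both interfaces to em0, here ext_if
# is em1 so that packets on the external NIC are distinguishable in the demo.
MACROS = {"int_if": "em0", "ext_if": "em1", "int_net": "192.168.1.0/24"}


def _addrs(items):
    """None means 'any'; each entry is (negated, network)."""
    if items == ["any"]:
        return None
    return [(x.startswith("!"), ipaddress.ip_network(x.lstrip("!"), strict=False))
            for x in items]


def parse_rule(line):
    """Parse one pf rule into a dict; keys left at None act as wildcards."""
    expanded = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], line)
    toks = expanded.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    rule = {"text": line, "action": toks[0], "dir": None, "log": False,
            "quick": False, "on": None, "proto": None, "from": None, "to": None}
    i = 1

    def group():  # one token, or everything inside { ... }
        nonlocal i
        if toks[i] == "{":
            end = toks.index("}", i)
            items, i = toks[i + 1:end], end + 1
        else:
            items, i = [toks[i]], i + 1
        return items

    while i < len(toks):
        t, i = toks[i], i + 1
        if t in ("in", "out"):
            rule["dir"] = t
        elif t in ("log", "quick"):
            rule[t] = True
        elif t == "all":
            pass  # 'all' is shorthand for 'from any to any'
        elif t in ("on", "proto"):
            rule[t] = set(group())
        elif t in ("from", "to"):
            neg = toks[i] == "!"  # '! addr' written with a space
            if neg:
                i += 1
            rule[t] = _addrs([("!" + x) if neg else x for x in group()])
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule


def _addr_ok(spec, addr):
    if spec is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any((ip in net) != neg for neg, net in spec)


def matches(rule, pkt):
    return (rule["dir"] in (None, pkt["dir"])
            and (rule["on"] is None or pkt["iface"] in rule["on"])
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and _addr_ok(rule["from"], pkt["src"])
            and _addr_ok(rule["to"], pkt["dst"]))


def decide(rules, pkt):
    """Return (action, logged, index of the deciding rule or None).

    pf semantics: the LAST matching rule wins, unless a match carries 'quick',
    which stops evaluation immediately; a packet matching no rule is passed."""
    winner = None
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            winner = idx
            if rule["quick"]:
                break
    if winner is None:
        return ("pass", False, None)
    return (rules[winner]["action"], rules[winner]["log"], winner)


# Three rules copied from the page's config (comments give its line numbers),
# plus the rule the question asks about.
PAGE_RULES = [
    "block log on { $int_if, $ext_if } all",             # line 80: default deny
    "pass out log on $ext_if proto { tcp, udp, icmp }",  # line 83
    "pass in log on $int_if proto icmp from $int_net",   # line 108: LAN ping
]
ASKED_RULE = "block in log on $int_if proto icmp from { $int_net, 192.168.165.130 }"

# Constructed packet: ICMP from a LAN host arriving on the internal NIC.
LAN_PING = {"dir": "in", "iface": "em0", "proto": "icmp",
            "src": "192.168.1.10", "dst": "192.168.1.1"}


def demo():
    base = [parse_rule(r) for r in PAGE_RULES]
    asked = parse_rule(ASKED_RULE)
    asked_quick = parse_rule(ASKED_RULE.replace("log", "log quick"))
    return {
        "page_only": decide(base, LAN_PING),                        # ('pass', True, 2)
        "block_appended": decide(base + [asked], LAN_PING),         # ('block', True, 3)
        "block_prepended": decide([asked] + base, LAN_PING),        # ('pass', True, 3)
        "quick_prepended": decide([asked_quick] + base, LAN_PING),  # ('block', True, 0)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

On a real system the same checks are done with pf's own tools rather than a model: `pfctl -nf /etc/pf.conf` parses a ruleset without loading it, `pfctl -sr` prints the loaded rules in pf's expanded form, and `log` only copies matching packets to the pflog interface, so the blocked pings from the rule above appear when capturing on pflog0 with tcpdump.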

