  • fcex pf.conf

    /etc/pf.conf
    # /etc/pf.conf for a gateway with two uplinks ($ext_if, $edu_if), an internal
    # LAN ($int_if) and a fourth VLAN ($zhigao_if). pf evaluates rules top to
    # bottom and the LAST matching rule wins, except that a rule marked "quick"
    # ends evaluation immediately; read the final "pass in all" with that in mind.
    #
    # Enable pf, flush every existing rule/state and load this file:
    #pfctl -e -F all -f /etc/pf.conf

    #pfctl -f /etc/pf.conf # load the complete ruleset
    #pfctl -nf /etc/pf.conf # parse only (syntax check), do not load
    #pfctl -Nf /etc/pf.conf # load only the NAT rules
    #pfctl -Rf /etc/pf.conf # load only the filter rules

    #pfctl -sn # show the loaded NAT rules
    #pfctl -sr # show the loaded filter rules
    #pfctl -ss # show the state table
    #pfctl -si # show filter status and statistics
    #pfctl -sa # show everything

    # Interface macros.
    ext_if="vlan1820" # replace with actual external interface name i.e., dc0
    int_if="vlan1900" # replace with actual internal interface name i.e., dc1
    edu_if="vlan1810"
    zhigao_if="vlan1910"

    intnet="192.168.0.0/16"
    # NOTE(review): $edunet is defined but not referenced by any active rule below.
    edunet="10.0.0.0/8"
    # NOTE(review): $external_addr is only referenced from a commented-out rdr rule.
    external_addr="220.189.209.163"
    routerip ="220.189.209.161"

    # NOTE(review): $loop expands to an address, but several rules below use it
    # after "on", which takes an interface name (e.g. lo0) — confirm those rules
    # actually load with pfctl -nf.
    loop = "127.0.0.1"

    # Source ranges that must never arrive from the outside (anti-spoofing list).
    priv_nets = "{127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32}"

    # TCP ports accepted on the gateway's own uplink addresses (see the
    # $tcp_services rules below).
    tcp_services = "80"
    icmp_types ="echoreq"

    # Remote-administration host reachable from both uplinks (rules near the end).
    # NOTE(review): "Inside" vs. "Insite" — both spellings are used consistently
    # below, so the file loads, but the second reads as a typo.
    InsideManagerIPs = "192.168.10.103"
    InsiteManagerOpenPorts = "4899"
    # Tables: similar to macros, but more flexible for many addresses.
    #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

    # Options: tune the behavior of pf, default values are given.
    #set timeout { interval 10, frag 30 }
    #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
    #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
    #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
    #set timeout { icmp.first 20, icmp.error 10 }
    #set timeout { other.first 60, other.single 30, other.multiple 60 }
    #set timeout { adaptive.start 0, adaptive.end 0 }
    #set limit { states 10000, frags 5000 }
    #set loginterface none
    # "aggressive" expires idle states early (saves state-table memory).
    set optimization aggressive
    # Packet normalization (fragment reassembly, sanity checks) on all inbound traffic.
    scrub in all
    #set optimization normal
    #set block-policy drop
    #set require-order yes
    #set fingerprints "/etc/pf.os"

    # Queueing: rule-based bandwidth control.
    #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
    #queue dflt bandwidth 5% cbq(default)
    #queue developers bandwidth 80%
    #queue marketing bandwidth 15%

    # Translation: specify how addresses are to be mapped or redirected.
    # nat: packets going out through $ext_if with source address $intnet will
    # get translated as coming from the address of $ext_if, a state is created for
    # such packets, and incoming packets will be redirected to the internal address.
    # The same is done for traffic leaving through $edu_if. The parentheses make
    # pf re-resolve the interface address if it changes.
    nat on $ext_if from $intnet to any -> ($ext_if)
    nat on $edu_if from $intnet to any -> ($edu_if)

    # rdr: packets coming in on $ext_if with destination $external_addr:1234 will
    # be redirected to 10.1.1.1:5678. A state is created for such packets, and
    # outgoing packets will be translated as coming from the external address.
    #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

    #rdr on $int_if inet proto tcp from 192.168.0.0/16 to any port www -> 127.0.0.1 port 3128
    # "rdr pass" both redirects AND passes the connection, so the filter rules
    # further down are not consulted for this traffic. HTTP and FTP arriving on
    # either uplink address are forwarded to 192.168.0.3.
    rdr pass on $ext_if proto tcp from any to $ext_if port www -> 192.168.0.3 port www
    rdr pass on $edu_if proto tcp from any to $edu_if port www -> 192.168.0.3 port www

    rdr pass on $ext_if proto tcp from any to $ext_if port ftp -> 192.168.0.3 port ftp
    rdr pass on $edu_if proto tcp from any to $edu_if port ftp -> 192.168.0.3 port ftp

    # NOTE(review): exposes a remote-administration service (4899 on 192.168.0.3)
    # to any Internet source via the non-standard port 4893. Limiting "from any"
    # to known management addresses would shrink the attack surface considerably.
    rdr pass on $ext_if proto tcp from any to $ext_if port 4893 -> 192.168.0.3 port 4899

    # LAN clients may reach the proxy on 192.168.0.2:3128; HTTP is allowed out.
    pass in on $int_if inet proto tcp from any to 192.168.0.2 port 3128 keep state
    pass out on $ext_if inet proto tcp from any to any port www keep state

    # rdr outgoing FTP requests to the ftp-proxy
    #rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

    # spamd-setup puts addresses to be redirected into table <spamd>.
    #table <spamd> persist
    #no rdr on { lo0, lo1 } from any to any
    #rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

    # Filtering: the implicit first two rules are
    #pass in all
    #pass out all

    # block all incoming packets but allow ssh, pass all outgoing tcp and udp
    # connections and keep state, logging blocked packets.
    # NOTE(review): the "block in all" below is commented out, so the description
    # above no longer holds — nothing in this section denies unsolicited inbound
    # traffic. SSH is accepted from any source on both uplinks.
    #block in all
    pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
    pass in on $edu_if proto tcp from any to $edu_if port 22 keep state
    pass in on $int_if proto tcp from any to $int_if port 22 keep state
    pass out on $ext_if proto { tcp, udp } all keep state
    pass out on $edu_if proto { tcp, udp } all keep state
    #pass all on $int_if all
    # pass incoming packets destined to the addresses given in table <foo>.
    #pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state

    # pass incoming ports for ftp-proxy
    #pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

    # assign packets to a queue.
    #pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
    #pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

    #block all
    # Everything on the internal interface and on loopback is passed immediately
    # ("quick"), before any of the rules that follow.
    pass in quick on $int_if all
    pass out quick on $int_if all
    pass in quick on $loop all
    pass out quick on $loop all # allow localhost packets to pass
    # Anti-spoofing: drop packets arriving on the external uplink that claim a
    # private, loopback or broadcast source address.
    # NOTE(review): no equivalent rule exists for $edu_if or $zhigao_if.
    block in quick on $ext_if inet from $priv_nets to any
    #block in log quick on $ext inet from any to $priv_nets

    # Windows RPC/NetBIOS/SMB/MSSQL ports plus ports associated with the Sasser
    # (LSASS) worm, as the macro name suggests. No direction is given, so these
    # rules block both inbound and outbound TCP to those ports on every uplink.
    LSassVirusPort = "{445, 135, 139, 593, 1433, 5554, 9996, 9995}"
    block quick on $ext_if inet proto tcp from any to any port $LSassVirusPort
    block quick on $edu_if inet proto tcp from any to any port $LSassVirusPort
    block quick on $zhigao_if inet proto tcp from any to any port $LSassVirusPort

    # Disabled application/IP blocklists (games, ad servers, IM). Kept as history;
    # the hard-coded addresses are dated and should be re-verified before any of
    # these rules is re-enabled.
    #gameClientPorts = "{4002, 2000, 3838, 4410, 4210, 4230, 5005, 4290, 10010 }"
    #GameDenyClients ="{192.168.1.0/24, 192.168.0.0/24, 192.168.20.0/24, 192.168.21.0/24}"
    #GameServerIps = "{204.251.15.167, 61.152.93.145}"
    #block quick on $int_if inet proto tcp from $GameDenyClients to any port $gameClientPorts
    #block quick on $ext_if from $GameServerIps to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $GameServerIps

    #LSassVirusIp ="{192.168.0.165}"
    #block quick on $int_if from $LSassVirusIp to any

    #SoftRegistry = "{66.40.33.130, 218.242.90.0/24, 61.228.35.0/24, 61.175.171.12}"
    #block quick on $ext_if from $SoftRegistry to any
    #block quick on $int_if from any to $SoftRegistry

    #AdServers3721 = "{60.191.5.128/27, 218.244.45.0/24, 218.244.44.0/24, 219.235.39.0/24, 202.43.217.107, \
    #202.43.217.108, 61.135.128.211, 61.135.128.212, cns.3721.net, cns.3721.com }"
    #block quick on $ext_if from $AdServers3721 to any
    #block quick on $int_if from any to $AdServers3721

    #kuroIPs ="{61.135.156.198/24}"
    #block quick on $ext_if from $kuroIPs to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $kuroIPs

    #SinaAdsIPs = "{ad2.sina.com.cn, ad3.sina.com.cn, ad4.sina.com.cn, 101.adsina.allyes.com}"
    #block quick on $ext_if from $SinaAdsIPs to any
    #block quick on $int_if from any to $SinaAdsIPs

    #NeteasePopoIPs="{202.108.42.183, 202.108.42.170, 202.108.42.173, 202.108.42.175, 202.108.42.174}"
    #PopoDenyClients="{192.168.3.0/24, 192.168.4.0/24, 192.168.6.0/24, 192.168.7.0/24}"
    #block quick on $ext_if from $NeteasePopoIPs to $PopoDenyClients
    #block quick on $int_if from $PopoDenyClients to $NeteasePopoIPs

    #NeteasePaopaotangIPs="{61.172.247.86, 61.172.249.243, 218.80.109.159, 61.147.251.58, 61.187.207.245, \
    #61.242.158.167, 61.152.97.147, 61.172.254.142, 61.172.249.242, 210.51.29.24/24, 211.152.178.73, \
    #218.6.246.68, 218.77.10.135, 218.64.68.51, 218.65.0.218, 221.12.10.42}"
    #block quick on $ext_if from $NeteasePaopaotangIPs to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $NeteasePaopaotangIPs

    #jlonline="{61.177.56.251, 61.132.74.81, 61.132.74.244, 61.152.93.145}"
    #block quick on $ext_if from $jlonline to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $jlonline

    #ourgame="{202.108.36.77, 218.30.70.76, 61.151.253.182, 218.25.253.163, 61.183.254.69}"
    #block quick on $ext_if from $ourgame to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $ourgame

    #mu="{210.51.27.121/24, 61.129.93.100, 61.129.93.101, 61.129.93.102, 61.129.93.103, \
    #61.129.93.104, 61.129.93.105, 61.129.93.106, 61.129.93.107, 61.129.93.108, 61.129.93.109, 61.129.93.110}"
    #block quick on $ext_if from $mu to 192.168.0.0/20
    #block quick on $int_if from 192.168.0.0/20 to $mu

    #XIPs="{67.19.37.168, 67.19.37.168}"
    #block quick on $ext_if from $XIPs to 192.168.0.0/20
    #block quick on $int_if from 192.168.0.0/20 to $XIPs

    #chinagames = "{61.128.193.113, 61.132.112.196, 61.132.118.35, 61.134.4.243, 61.136.63.65, 61.136.63.66, \
    #61.136.63.68, 61.136.63.71, 61.138.15.105, 61.138.15.112, 61.138.15.114, 61.139.76.86, \
    #61.139.77.110, 61.144.56.30, 61.144.56.34, 61.144.56.7, 61.153.17.8, 61.153.19.101, \
    #61.153.19.102, 61.153.19.120, 61.153.198.198, 61.153.198.199, 61.153.198.200, 61.153.24.134, \
    #61.153.253.28, 61.153.3.114, 61.153.3.12, 61.153.3.124, 61.153.3.125, 61.153.3.20, \
    #61.153.3.218, 61.153.3.89, 61.153.37.199, 61.153.37.222, 61.153.52.183, 61.153.52.184, \
    #61.153.52.185, 61.153.8.188, 61.153.8.50, 61.153.8.51, 61.153.8.53, 61.153.8.54, 61.153.8.55, \
    #61.153.8.56, 61.153.85.19, 61.156.12.28, 61.156.17.115, 61.158.97.35, 61.159.229.21, \
    #61.166.155.166, 61.180.119.10, 61.241.130.59, 61.241.130.60, 61.243.222.25, 61.243.222.26, \
    #61.243.222.27, 61.243.222.28, 61.243.232.20, 202.100.218.15, 202.101.10.119, 202.101.165.0/24, \
    #202.101.165.166, 202.101.165.233, 202.101.165.234, 202.101.165.235, 202.101.165.237, 202.101.165.54, \
    #202.101.165.55, 202.101.165.72, 202.102.197.5, 202.102.245.44, 202.102.29.210, 202.103.134.123, \
    #202.103.134.172, 202.103.25.84, 202.106.182.120, 202.106.182.123, 202.106.186.17, 202.107.225.55, \
    #202.107.225.56, 202.107.225.57, 202.107.234.34, 202.107.236.188, 202.107.236.190, 202.107.245.13, \
    #202.107.245.7, 202.108.255.10, 202.108.255.120, 202.108.255.71, 202.108.255.72, 202.108.36.100, \
    #202.108.36.102, 202.108.36.115, 202.108.36.116, 202.108.36.74, 202.108.36.76, 202.108.36.77, \
    #202.108.36.91, 202.108.36.95, 202.108.36.96, 202.108.36.97, 202.113.15.66, 202.96.108.19, \
    #202.96.112.57, 202.96.113.20, 202.96.114.245, 202.96.75.247, 202.97.174.244, 202.97.181.87, \
    #202.98.111.2, 202.98.228.144, 202.98.9.109, 202.99.160.120, 202.99.160.121, 202.99.160.36, \
    #202.99.160.57, 202.99.168.34, 202.99.171.162, 202.99.219.238, 209.10.17.133, 209.73.225.7, \
    #210.51.248.61, 210.52.2.149, 210.52.27.9, 210.52.77.60, 210.76.59.199, 210.78.159.151, \
    #210.78.159.200, 210.83.127.14, 210.83.130.32, 210.83.130.54, 210.83.130.71, 211.140.137.125, \
    #210.78.159.200, 210.83.127.14, 210.83.130.32, 210.83.130.54, 210.83.130.71, 211.140.137.125, \
    #211.144.9.17, 211.144.9.19, 211.144.9.22, 211.144.9.26, 211.144.9.30, 211.158.10.16, 211.163.117.30, \
    #211.167.148.203, 211.167.98.6, 211.90.184.52, 211.90.241.37, 211.90.241.38, 211.90.241.39, 211.90.241.40, \
    #211.91.13.51, 211.91.13.52, 211.91.135.67, 211.91.2.57, 211.91.255.130, 211.93.24.31, 211.93.64.2, \
    #211.93.64.3, 211.93.64.4, 211.93.64.5, 211.95.129.152, 211.98.149.118, 218.104.136.6, 218.104.136.6, \
    #218.104.45.2, 218.106.206.158, 218.106.241.247, 218.244.44.10, 218.244.46.2, 218.25.230.10, 218.27.190.91, \
    #218.27.4.52, 218.57.200.21, 218.66.101.14, 218.7.160.71, 218.75.79.0/24, 218.75.79.189, 218.75.79.190, \
    #218.95.255.174, 219.133.44.0/24, 219.133.45.0/24, 219.133.46.0/24, 219.133.47.0/24, 219.146.1.208, 220.184.25.54}"
    #block quick on $int_if from $GameDenyClients to $chinagames
    #block quick on $ext_if from $chinagames to $GameDenyClients

    #QQServerIPs = "{202.103.149.40, 202.103.190.61, 202.104.129.151, 202.104.129.242, 202.104.129.246, \
    #202.104.129.251, 202.104.129.252, 202.104.129.253, 202.104.129.254, 202.96.170.163, 202.96.170.164, \
    #202.96.170.165, 202.96.170.166, 202.96.170.175, 202.96.170.188, 211.157.38.38 , 218.17.209.23, \
    #218.17.209.42, 218.17.217.103, 218.17.217.106, 218.18.95.140, 218.18.95.153, 218.18.95.165, \
    #218.18.95.171, 218.18.95.209, 218.18.95.221, 219.133.40.15, 219.133.40.157, 219.133.40.177, \
    #219.133.40.189, 219.133.40.21, 219.133.40.216, 219.133.40.73, 219.133.40.89, 219.133.40.90, \
    #219.133.40.92, 219.133.40.95, 219.133.40.97, 219.133.45.15, 61.135.131.240, 61.141.194.200, \
    #61.141.194.203, 61.141.194.224, 61.141.194.227, 61.141.194.231, 61.144.238.137, 61.144.238.145, \
    #61.144.238.146, 61.144.238.149, 61.144.238.150, 61.144.238.151, 61.144.238.155, 61.144.238.156, \
    #61.172.249.135, 65.54.229.253, 219.133.40.0/24}"
    #QQDenyClients = "{192.168.20.0/24, 192.168.21.0/24}"
    #QQAllowClients = "{192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24}"
    #pass quick on $int_if from $QQAllowClients to $QQServerIPs
    #pass quick on $ext_if from $QQServerIPs to $QQAllowClients
    #block quick on $int_if from $QQDenyClients to $QQServerIPs
    #block quick on $ext_if from $QQServerIPs to $QQDenyClients

    #pass quick on $int_if inet proto tcp from $QQAllowClients port $QQports to $QQServerIPs port 443
    #pass quick on $ext_if inet proto tcp from $QQServerIPs port 443 to $QQAllowClients port $QQports
    #block quick on $int_if inet proto tcp from $QQDenyClients port $QQports to $QQServerIPs port 443
    #block quick on $ext_if inet proto tcp from $QQServerIPs port 443 to $QQDenyClients port $QQports


    # allow outgoing but block incomming ping/icmp-echo requests
    # NOTE(review): the inbound block below is commented out, and a later rule
    # ("pass in inet proto icmp all icmp-type $icmp_types") admits echo requests
    # on every interface, so inbound ping is in fact allowed.
    pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
    pass out on $edu_if inet proto icmp all icmp-type 8 code 0 keep state
    #block in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

    # pass out all UDP connections and keep state
    pass out on $ext_if proto udp all keep state
    pass out on $edu_if proto udp all keep state

    # pass in certain UDP connections and keep state (DNS)
    # See the note at the $loop macro regarding the "on $loop" rules.
    pass in on $ext_if proto udp from any to any port = domain keep state
    pass in on $int_if proto udp from any to any port = domain keep state
    pass in on $loop proto udp from any to any port = domain keep state
    pass out on $ext_if proto udp from any to any port = domain keep state
    pass out on $int_if proto udp from any to any port = domain keep state
    pass out on $loop proto udp from any to any port = domain keep state

    # pass out all TCP connections and modulate state
    # ("modulate state" keeps state and also randomizes the initial sequence
    # numbers of the passed connection.)
    pass out on $ext_if proto tcp all modulate state
    pass out on $edu_if proto tcp all modulate state

    # Allow inbound TCP to the ports in $tcp_services on the uplink's own address;
    # "($ext_if)" is resolved dynamically. Only SYN-only packets (flags S/SA)
    # create state.
    pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state # allow the $tcp_services ports in
    pass in on $edu_if inet proto tcp from any to ($edu_if) port $tcp_services flags S/SA keep state # allow the $tcp_services ports in

    # Let the internal host "comp3" (192.168.0.3) serve port 80 to the outside,
    # with pf completing the TCP handshake on its behalf (synproxy). The original
    # comment was truncated.
    pass in on $ext_if proto tcp from any to 192.168.0.3 port 80 flags S/SA synproxy state # SYN-proxy port 80 of internal host comp3
    pass in on $edu_if proto tcp from any to 192.168.0.3 port 80 flags S/SA synproxy state # SYN-proxy port 80 of internal host comp3

    # The original comments on the next three rules named de0 and 10.10.10.0/24,
    # which are leftovers from the template this file was copied from.
    pass in inet proto icmp all icmp-type $icmp_types keep state # allow inbound ICMP of the listed types (echo request) on every interface
    pass in on $int_if from $intnet to any keep state # allow packets from $intnet in on the internal interface
    pass out on $int_if from any to $intnet keep state # allow packets out on the internal interface towards $intnet

    # NOTE(review): these repeat the "pass out ... modulate state" rules above
    # (original comments named fxp0, another template leftover).
    pass out on $ext_if proto tcp all modulate state flags S/SA # allow TCP out on the external uplink
    pass out on $edu_if proto tcp all modulate state flags S/SA # allow TCP out on the second uplink

    pass out on $ext_if proto { udp, icmp } all keep state # allow UDP and ICMP out on the external uplink
    pass out on $edu_if proto { udp, icmp } all keep state # allow UDP and ICMP out on the second uplink

    # NOTE(review): duplicates of the SSH rules in the filtering section above.
    pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
    pass in on $int_if proto tcp from any to $int_if port 22 keep state
    #pass in on $edu_if proto tcp from any to $edu_if port 22 keep state

    # TCP 88 open to any source on the external uplink — the service is not
    # documented here (88 is conventionally Kerberos; confirm).
    pass in on $ext_if proto tcp from any to $ext_if port 88 keep state
    #pass in on $edu_if proto tcp from any to $edu_if port 88 keep state

    # Presumably the ftp-proxy listener (the commented rdr above targets
    # 127.0.0.1 port 8021) — verify.
    pass in on $int_if proto tcp from any to $loop port 8021 keep state
    pass in on $int_if proto tcp from any to $int_if port 8021 keep state

    # Proxy port 3128 on the router's own address, reachable from the LAN.
    pass in on $int_if inet proto tcp from any to $routerip port 3128 keep state

    # NOTE(review): remote-administration port 4899 on three internal hosts, plus
    # the "InsideManager" host below, is reachable from any source on both uplinks.
    # Restricting the source addresses (or moving this behind VPN/SSH) would
    # materially reduce exposure.
    radminServerIPs = "{192.168.0.3, 192.168.0.185, 192.168.0.253}"
    pass in on $ext_if inet proto tcp from any to $radminServerIPs port 4899 flags S/SA keep state
    pass in on $edu_if inet proto tcp from any to $radminServerIPs port 4899 flags S/SA keep state

    pass in on $ext_if inet proto tcp from any to $InsideManagerIPs port $InsiteManagerOpenPorts flags S/SA keep state
    pass in on $edu_if inet proto tcp from any to $InsideManagerIPs port $InsiteManagerOpenPorts flags S/SA keep state

    # NOTE(review): because pf applies the LAST matching rule, this final rule is
    # the effective decision for every inbound packet not already stopped by a
    # "quick" block above: the inbound policy is default-allow, and the
    # port-specific "pass in ... keep state" rules above are effectively
    # superseded (whether this rule is stateless depends on the pf version in
    # use — confirm). A default-deny "block in all" before the pass rules, as the
    # template comment describes, is the usual intent.
    pass in all
  • 原文地址:https://www.cnblogs.com/studio313/p/592797.html