FreeBSD 上设置 PF 防火墙

PF 是包过滤器packet filter的简称。它是为 OpenBSD 开发的，但是已经被移植到了 FreeBSD 以及其它操作系统上。PF 是一个包状态过滤引擎。在这篇教程中，我将向你展示如何在 FreeBSD 10.x 以及 11.x 中设置 PF 防火墙，从而来保护 web 服务器。

第一步：开启 PF 防火墙
你需要把下面这几行内容添加到文件 /etc/rc.conf 文件中：

1. #echo’pf_enable=“YES”’>>/etc/rc.conf
2. #echo’pf_rules="/usr/local/etc/pf.conf"’>>/etc/rc.conf
3. #echo’pflog_enable=“YES”’>>/etc/rc.conf
4. #echo’pflog_logfile="/var/log/pflog"’>>/etc/rc.conf
   在这里：
5. pf_enable=“YES” - 开启 PF 服务
6. pf_rules="/usr/local/etc/pf.conf" - 从文件 /usr/local/etc/pf.conf 中读取 PF 规则
7. pflog_enable=“YES” - 为 PF 服务打开日志支持
8. pflog_logfile="/var/log/pflog" - 存储日志的文件，即日志存于文件 /var/log/pflog 中

第二步：在 /usr/local/etc/pf.conf 文件中创建防火墙规则
输入下面这个命令打开文件（超级用户模式下）：

1. #vi/usr/local/etc/pf.conf
   在文件中添加下面这些 PF 规则集：
2. #vim:set ft=pf

3. /usr/local/etc/pf.conf

4. ##设置公共端口##
5. ext_if=“vtnet0”
6. ##设置服务器公共 IP 地址##
7. ext_if_ip=“172.xxx.yyy.zzz”
8. ##设置并删除下面这些公共端口上的 IP 范围##
9. martians ="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10. 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
11. 0.0.0.0/8, 240.0.0.0/4 }"
12. ##设置 http(80)/https (443)端口##
13. webports ="{http, https}"
14. ##启用下面这些服务##
15. int_tcp_services ="{domain, ntp, smtp, www, https, ftp, ssh}"
16. int_udp_services ="{domain, ntp}"
17. ##跳过回环端口-跳过端口上的所有 PF 处理##
18. set skip on lo
19. ##设置 PF 应该统计的端口信息，如发送/接收字节数，通过/禁止的包的数目##
20. set loginterface $ext_if
21. ##设置默认策略##
22. block returnin log all
23. block out all
24. #基于 IP 分片的错误处理来防御攻击
25. scrub in all
26. #删除所有不可达路由地址
27. block drop in quick on $ext_if from $martians to any
28. block drop out quick on $ext_if from any to $martians
29. ##禁止欺骗包
30. antispoof quick for $ext_if
31. #打开 SSH 端口，SSH 服务仅从 VPN IP 139.xx.yy.zz 监听22号端口
32. #出于安全原因，我不允许/接收 SSH 流量
33. passin quick on $ext_if inet proto tcp from139.xxx.yyy.zzz to $ext_if_ip port =ssh flags S/SA keep state label “USER_RULE: Allow SSH from 139.xxx.yyy.zzz”
34. ##使用下面这些规则来为所有来自任何 IP 地址的用户开启 SSH 服务#
35. ##passin inet proto tcp to $ext_if port ssh

36. [ OR ]

37. ##passin inet proto tcp to $ext_if port 22
38. #AllowPing-Pong stuff.Be a good sysadmin
39. pass inet proto icmp icmp-type echoreq
40. #All access to ourNginx/Apache/LighttpdWebserver ports
41. pass proto tcp from any to $ext_if port $webports
42. #允许重要的发送流量
43. pass out quick on $ext_if proto tcp to any port $int_tcp_services
44. pass out quick on $ext_if proto udp to any port $int_udp_services
45. #在下面添加自定义规则
    保存并关闭文件。欢迎来参考我的规则集。如果要检查语法错误，可以运行：

46. service pf check

或

1. /etc/rc.d/pf check
   或

2. pfctl -n -f /usr/local/etc/pf.conf

第三步：开始运行 PF 防火墙
命令如下。请小心，如果是基于 SSH 的会话，你可能会和服务器断开连接。

开启 PF 防火墙：

1. service pf start

停用 PF 防火墙：

1. service pf stop

检查语法错误：

1. service pf check

重启服务：

1. service pf restart

查看 PF 状态：

1. service pf status

示例输出：

1. Status:Enabledfor0 days 00:02:18Debug:Urgent
2. InterfaceStatsfor vtnet0 IPv4IPv6
3. BytesIn194630
4. BytesOut185410
5. PacketsIn
6. Passed2440
7. Blocked30
8. PacketsOut
9. Passed1360
10. Blocked120
11. StateTableTotalRate
12. current entries 1
13. searches 3952.9/s
14. inserts 40.0/s
15. removals 30.0/s
16. Counters
17. match 190.1/s
18. bad-offset 00.0/s
19. fragment 00.0/s
20. short00.0/s
21. normalize 00.0/s
22. memory 00.0/s
23. bad-timestamp 00.0/s
24. congestion 00.0/s
25. ip-option 00.0/s
26. proto-cksum 00.0/s
27. state-mismatch 00.0/s
28. state-insert 00.0/s
29. state-limit 00.0/s
30. src-limit 00.0/s
31. synproxy 00.0/s
32. map-failed 00.0/s

开启/关闭/重启 pflog 服务的命令
输入下面这些命令：

1. service pflog start

2. service pflog stop

3. service pflog restart

第四步：pfctl 命令的简单介绍
你需要使用 pfctl 命令来查看 PF 规则集和参数配置，包括来自包过滤器packet filter的状态信息。让我们来看一下所有常见命令：

显示 PF 规则信息

1. pfctl -s rules

示例输出：

1. block returnin log all
2. block drop out all
3. block drop in quick on ! vtnet0 inet from172.xxx.yyy.zzz/24 to any
4. block drop in quick inet from172.xxx.yyy.zzz/24 to any
5. passin quick on vtnet0 inet proto tcp from139.aaa.ccc.ddd to 172.xxx.yyy.zzz/24 port =ssh flags S/SA keep state label “USER_RULE: Allow SSH from 139.aaa.ccc.ddd”
6. pass inet proto icmp all icmp-type echoreq keep state
7. pass out quick on vtnet0 proto tcp from any to any port = domain flags S/SA keep state
8. pass out quick on vtnet0 proto tcp from any to any port = ntp flags S/SA keep state
9. pass out quick on vtnet0 proto tcp from any to any port = smtp flags S/SA keep state
10. pass out quick on vtnet0 proto tcp from any to any port = http flags S/SA keep state
11. pass out quick on vtnet0 proto tcp from any to any port = https flags S/SA keep state
12. pass out quick on vtnet0 proto tcp from any to any port = ftp flags S/SA keep state
13. pass out quick on vtnet0 proto tcp from any to any port =ssh flags S/SA keep state
14. pass out quick on vtnet0 proto udp from any to any port = domain keep state
15. pass out quick on vtnet0 proto udp from any to any port = ntp keep state

显示每条规则的详细内容

1. pfctl -v -s rules

在每条规则的详细输出中添加规则编号：

1. pfctl -vvsr show

显示状态信息

1. pfctl -s state

2. pfctl -s state |more

3. pfctl -s state |grep’something’

如何在命令行中禁止 PF 服务

1. pfctl -d

如何在命令行中启用 PF 服务

1. pfctl -e

如何在命令行中刷新 PF 规则/NAT/路由表

1. pfctl -F all

示例输出：

1. rules cleared
2. nat cleared
3. 0 tables deleted.
4. 2 states cleared
5. source tracking entries cleared
6. pf: statistics cleared
7. pf:interface flags reset

如何在命令行中仅刷新 PF 规则

1. pfctl -F rules

如何在命令行中仅刷新队列

1. pfctl -F queue

如何在命令行中刷新统计信息（它不是任何规则的一部分）

1. pfctl -F info

如何在命令行中清除所有计数器

1. pfctl -z clear

第五步：查看 PF 日志
PF 日志是二进制格式的。使用下面这一命令来查看：

1. #tcpdump-n -e -ttt -r /var/log/pflog
   示例输出：
2. Aug2915:41:11.757829 rule 0/(match) block in on vio0:86.47.225.151.55806>45.FOO.BAR.IP.23: S 757158343:757158343(0) win 52206[tos 0x28]
3. Aug2915:41:44.193309 rule 0/(match) block in on vio0:5.196.83.88.25461>45.FOO.BAR.IP.26941: S 2224505792:2224505792(0) ack 4252565505 win 17520(DF)[tos 0x24]
4. Aug2915:41:54.628027 rule 0/(match) block in on vio0:45.55.13.94.50217>45.FOO.BAR.IP.465: S 3941123632:3941123632(0) win 65535
5. Aug2915:42:11.126427 rule 0/(match) block in on vio0:87.250.224.127.59862>45.FOO.BAR.IP.80: S 248176545:248176545(0) win 28200(DF)
6. Aug2915:43:04.953537 rule 0/(match) block in on vio0:77.72.82.22.47218>45.FOO.BAR.IP.7475: S 1164335542:1164335542(0) win 1024
7. Aug2915:43:05.122156 rule 0/(match) block in on vio0:77.72.82.22.47218>45.FOO.BAR.IP.7475: R 1164335543:1164335543(0) win 1200
8. Aug2915:43:37.302410 rule 0/(match) block in on vio0:94.130.12.27.18080>45.FOO.BAR.IP.64857: S 683904905:683904905(0) ack 4000841729 win 16384
9. Aug2915:44:46.574863 rule 0/(match) block in on vio0:77.72.82.22.47218>45.FOO.BAR.IP.7677: S 3451987887:3451987887(0) win 1024
10. Aug2915:44:46.819754 rule 0/(match) block in on vio0:77.72.82.22.47218>45.FOO.BAR.IP.7677: R 3451987888:3451987888(0) win 1200
11. Aug2915:45:21.194752 rule 0/(match) block in on vio0:185.40.4.130.55910>45.FOO.BAR.IP.80: S 3106068642:3106068642(0) win 1024
12. Aug2915:45:32.999219 rule 0/(match) block in on vio0:185.40.4.130.55910>45.FOO.BAR.IP.808: S 322591763:322591763(0) win 1024
13. Aug2915:46:30.157884 rule 0/(match) block in on vio0:77.72.82.22.47218>45.FOO.BAR.IP.6511: S 2412580953:2412580953(0) win 1024[tos 0x28]
14. Aug2915:46:30.252023 rule 0/(match) block in on vio0:77.72.82.22.47218>45.FOO.BAR.IP.6511: R 2412580954:2412580954(0) win 1200[tos 0x28]
15. Aug2915:49:44.337015 rule 0/(match) block in on vio0:189.219.226.213.22640>45.FOO.BAR.IP.23: S 14807:14807(0) win 14600[tos 0x28]
16. Aug2915:49:55.161572 rule 0/(match) block in on vio0:5.196.83.88.25461>45.FOO.BAR.IP.40321: S 1297217585:1297217585(0) ack 1051525121 win 17520(DF)[tos 0x24]
17. Aug2915:49:59.735391 rule 0/(match) block in on vio0:36.7.147.209.2545>45.FOO.BAR.IP.3389: SWE 3577047469:3577047469(0) win 8192(DF)[tos 0x2(E)]
18. Aug2915:50:00.703229 rule 0/(match) block in on vio0:36.7.147.209.2546>45.FOO.BAR.IP.3389: SWE 1539382950:1539382950(0) win 8192(DF)[tos 0x2(E)]
19. Aug2915:51:33.880334 rule 0/(match) block in on vio0:45.55.22.21.53510>45.FOO.BAR.IP.2362: udp 14
20. Aug2915:51:34.006656 rule 0/(match) block in on vio0:77.72.82.22.47218>45.FOO.BAR.IP.6491: S 151489102:151489102(0) win 1024[tos 0x28]
21. Aug2915:51:34.274654 rule 0/(match) block in on vio0:77.72.82.22.47218>45.FOO.BAR.IP.6491: R 151489103:151489103(0) win 1200[tos 0x28]
22. Aug2915:51:36.393019 rule 0/(match) block in on vio0:60.191.38.78.4249>45.FOO.BAR.IP.8000: S 3746478095:3746478095(0) win 29200(DF)
23. Aug2915:51:57.213051 rule 0/(match) block in on vio0:24.137.245.138.7343>45.FOO.BAR.IP.5358: S 14134:14134(0) win 14600
24. Aug2915:52:37.852219 rule 0/(match) block in on vio0:122.226.185.125.51128>45.FOO.BAR.IP.23: S 1715745381:1715745381(0) win 5840(DF)
25. Aug2915:53:31.309325 rule 0/(match) block in on vio0:189.218.148.69.377>45.FOO.BAR.IP5358: S 65340:65340(0) win 14600[tos 0x28]
26. Aug2915:53:31.809570 rule 0/(match) block in on vio0:13.93.104.140.53184>45.FOO.BAR.IP.1433: S 39854048:39854048(0) win 1024
27. Aug2915:53:32.138231 rule 0/(match) block in on vio0:13.93.104.140.53184>45.FOO.BAR.IP.1433: R 39854049:39854049(0) win 1200
28. Aug2915:53:41.459088 rule 0/(match) block in on vio0:77.72.82.22.47218>45.FOO.BAR.IP.6028: S 168338703:168338703(0) win 1024
29. Aug2915:53:41.789732 rule 0/(match) block in on vio0:77.72.82.22.47218>45.FOO.BAR.IP.6028: R 168338704:168338704(0) win 1200
30. Aug2915:54:34.993594 rule 0/(match) block in on vio0:212.47.234.50.5102>45.FOO.BAR.IP.5060: udp 408(DF)[tos 0x28]
31. Aug2915:54:57.987449 rule 0/(match) block in on vio0:51.15.69.145.5100>45.FOO.BAR.IP.5060: udp 406(DF)[tos 0x28]
32. Aug2915:55:07.001743 rule 0/(match) block in on vio0:190.83.174.214.58863>45.FOO.BAR.IP.23: S 757158343:757158343(0) win 27420
33. Aug2915:55:51.269549 rule 0/(match) block in on vio0:142.217.201.69.26112>45.FOO.BAR.IP.22: S 757158343:757158343(0) win 22840
34. Aug2915:58:41.346028 rule 0/(match) block in on vio0:169.1.29.111.29765>45.FOO.BAR.IP.23: S 757158343:757158343(0) win 28509
35. Aug2915:59:11.575927 rule 0/(match) block in on vio0:187.160.235.162.32427>45.FOO.BAR.IP.5358: S 22445:22445(0) win 14600[tos 0x28]
36. Aug2915:59:37.826598 rule 0/(match) block in on vio0:94.74.81.97.54656>45.FOO.BAR.IP.3128: S 2720157526:2720157526(0) win 1024[tos 0x28]stateful
37. Aug2915:59:37.991171 rule 0/(match) block in on vio0:94.74.81.97.54656>45.FOO.BAR.IP.3128: R 2720157527:2720157527(0) win 1200[tos 0x28]
38. Aug2916:01:36.990050 rule 0/(match) block in on vio0:182.18.8.28.23299>45.FOO.BAR.IP.445: S 1510146048:1510146048(0) win 16384
    如果要查看实时日志，可以运行：
39. #tcpdump-n -e -ttt -i pflog0
    如果你想了解更多信息，可以访问 PF FAQ 和 FreeBSD HANDBOOK 以及下面这些 man 页面：
40. #mantcpdump
41. #man pfctl
42. #man pf