网上找的一个pf规则

########################################################
ext_if = "msk0"
int_if = "fxp0"
loop_if = "lo0"
int_net = "{ 172.16.0.0/16 }"      
ssh_nets = "{ ×××××/32 }"

# 不被路由的地址
NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 10.0.0.0/8, 255.255.255.255/32 }"

# 封端口
deny_tcpport = "{ 135,137,138,139,445,554,593,1024><1030,1068,1080,1214,1363,1364,1368,1373,1433,1434,2000,2283,2535,2745,3120><3130,3140,3318,4242,4444,5554,4662,4661,6880><6889,6969,7000,8880><8899,9898,10000,10080,12345,16881,17300,27347,65506 }"
deny_udpport= "{ 13000><14000 }"

# 限制有病毒的机器
table <badip> persist

#######################################################################
### 选项 ###
#######################################################################
# 快速断开非活动状态的连接 - 减少内存消耗
#须放在set timeout之前,否则会导致timeout不生效
set optimization aggressive

# DSL连接的统计数据(pfctl -s info)
set loginterface $ext_if

#block的默认规则是drop,不再返回任何回应数据包,节省资源
set block-policy drop

# IP碎片重组
scrub in all

#########################################################################
### NAT 和转发 ###
#######################################################################

# 激活NAT
nat on $ext_if from $int_net to any -> $ext_if

#######################################################################
### 过滤规则 ###
#######################################################################
# 先是总的原则:挡住所有进入的数据包,出去的不管
block in on $ext_if all

block in quick from <badip>
pass in quick on $int_if inet proto tcp from any to $int_if flags S/SA keep state \
(max 50000, source-track rule, max-src-nodes 1000,max-src-states 50 \
max-src-conn 50, max-src-conn-rate 15/3, overload <batip> flush global)

# Loopback
pass in quick on $loop_if all
pass out quick on $loop_if all

block in quick on $ext_if proto tcp all flags SF/SFRA
block in quick on $ext_if proto tcp all flags SFUP/SFRAU
block in quick on $ext_if proto tcp all flags FPU/SFRAUP
block in quick on $ext_if proto tcp all flags /SFRA
block in quick on $ext_if proto tcp all flags F/SFRA
block in quick on $ext_if proto tcp all flags U/SFRAU

# 封端口
block in quick on $ext_if inet proto tcp from any to any port $deny_tcpport
block in quick on $ext_if inet proto udp from any to any port $deny_udpport

# 防止IP欺骗
block in log quick on $ext_if inet from $NoRoute to any

# ssh
pass in quick on $ext_if inet proto tcp from $ssh_nets to any port 22 flags S/SA keep state
block in quick on $ext_if inet proto tcp from any to any port 22

pass out quick on $ext_if inet proto { tcp, udp, icmp } all keep state
###############

你可能感兴趣的:(#Freebsd)