Реально работающий конфиг Packet Filter pf.conf

Нашел на просторах интернета вот этот суперский конфиг пакетного фильтра pf. Очень меня спас и сэкономил время! Делюсь. Обратите внимание: конфиг написан в старом синтаксисе (`nat on`, `altq`), то есть для FreeBSD или OpenBSD до 4.7; на современном OpenBSD секции трансляции и очередей придется переписать под новый синтаксис `match ... nat-to` и `queue`.

#
# pf.conf by ross at daemon-notes.com
# v2.6
#
# Macros. Older pf releases (and FreeBSD) require the sections of this
# file in the order macros, tables, options, normalization, queueing,
# translation, filtering - keep that order when editing.
#
# Interfaces
ext_if="re0"
int_if="re1"
# Ports open to internet (services answered by this host itself; see the
# "pass in on $ext_if" rules). "www" is port 80 only - 443 is not in this
# list, so https is not exposed unless added here.
ext_tcp_ports="{ ssh, domain, smtp, smtps, submission, imaps, www }"
ext_udp_ports="{ domain }"
# NATed ports: what LAN hosts may reach on the Internet through NAT.
# Only ssh and ports >= 1024 are listed, so LAN clients cannot reach
# http/https/smtp/dns on the Internet directly through this gateway; they
# are expected to use the services this host runs (the LAN -> ($ext_if)
# rules below allow any port). Widen these if the LAN needs direct access.
nat_tcp_ports="{ ssh, >= 1024 }"
nat_udp_ports="{ >= 1024 }"
# External interface bandwidth (the rate handed to ALTQ; set it to the real
# uplink speed, otherwise the queues below shape against a wrong ceiling)
ext_bw="30Mb"
# High priority traffic server ports
high_ports="{ www }"
# Top priority traffic server ports (icmp traffic is already here)
top_ports="{ ssh, domain }"
# States.
# "flags S/SA": only a SYN without ACK may create state, so every
# connection is tracked from its first packet. "modulate state" rewrites
# initial sequence numbers for the LAN hosts behind NAT; "synproxy state"
# makes pf complete the 3-way handshake itself before the daemon sees the
# connection, which shields the listeners from SYN floods.
mod_state="flags S/SA modulate state"
syn_state="flags S/SA synproxy state"
# Stateful Tracking Options.
# To clear <blocked_hosts> add to root's crontab:
# * * * * * /sbin/pfctl -t blocked_hosts -T expire 600 > /dev/null 2>&1
# This will block bad hosts for 10-11 minutes
# A source that opens more than 500 connections in 10 s is added to
# <blocked_hosts>, and "flush global" kills all of its existing states on
# every rule, not just the one that overflowed.
# NOTE(review): max-src-conn-rate counts TCP connections, so it is unlikely
# to have any effect on the UDP rules that also carry $sto_ext_ports -
# confirm against pf.conf(5) for the pf release in use.
sto_ext_ports="(max-src-conn-rate 500/10, overload <blocked_hosts> flush global)"
# Per-LAN-host limit on new connections; above it the extra attempts are
# simply not given a state (no overload table, no block).
sto_nat_ports="(max-src-conn-rate 100/1)"
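#
# Tables
#
# create or touch /etc/pf.abusers
# (pfctl refuses to load the ruleset if the file is missing; one address or
# network per line; listed sources are blocked on $ext_if by the filter
# rules below)
table <abusers> persist file "/etc/pf.abusers"
# Filled at run time by OSSEC active response; starts empty after a reload.
table <ossec_fwtable> persist
# Filled by the overload clause of $sto_ext_ports; entries are aged out by
# the cron job documented next to that macro.
table <blocked_hosts> persist
# Source networks that must never appear on the Internet-facing interface
# (bogons, RFC 1918, test and multicast ranges). The gateway's own LAN
# range is in here on purpose: a packet with a private source arriving on
# $ext_if is spoofed.
# Loopback is the whole 127.0.0.0/8 network (v2.6 wrote it as 127.0.0.1/8,
# a prefix with host bits set, which some pfctl versions reject).
# Not listed: 100.64.0.0/10 (RFC 6598 carrier-grade NAT) and 192.0.0.0/24;
# add 100.64.0.0/10 only if the uplink is NOT itself behind carrier NAT.
# http://en.wikipedia.org/wiki/Reserved_IP_addresses
table <blocked_nets> { 0.0.0.0/8, \
10.0.0.0/8, \
127.0.0.0/8, \
169.254.0.0/16, \
172.16.0.0/12, \
192.0.2.0/24, \
192.88.99.0/24, \
192.168.0.0/16, \
198.18.0.0/15, \
198.51.100.0/24, \
203.0.113.0/24, \
224.0.0.0/4, \
240.0.0.0/4 }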
#
# Options
#
# Silently drop blocked packets by default (no TCP RST / ICMP unreachable
# back to the sender); the LAN-side default rule overrides this with
# "block return".
set block-policy drop
# Verbosity of pf's kernel log messages. "urgent" is the old keyword;
# newer OpenBSD pf expects syslog-style levels here - adjust if pfctl
# rejects the line.
set debug urgent
# Hard caps on the fragment and state tables. A full state table means new
# connections are refused, so raise "states" on a busy gateway.
set limit { frags 10000, states 30000 }
# Byte/packet statistics (pfctl -si) are gathered for the uplink only.
set loginterface $ext_if
# Default state timeouts.
set optimization normal
# Keep the rules exactly as written (the optimizer would merge and reorder
# them) so that "pfctl -sr" matches this file and the last-match reasoning
# in the filter section is easy to verify.
set ruleset-optimization none
# Loopback is not filtered at all.
set skip on lo
# A state is only valid on the interface it was created on, so a packet
# cannot ride an existing state by arriving on the other interface.
set state-policy if-bound
#
# Traffic normalization
#
# Applied to everything arriving on any interface:
#   no-df                clear the don't-fragment bit; some OSes emit
#                        fragments with DF set and scrub would drop them
#   min-ttl 100          raise low TTLs so an attacker cannot send packets
#                        that pass pf but expire before reaching the host
#                        (IDS insertion); 100 is generous but harmless
#   max-mss 1440         clamp the TCP MSS so PPPoE/tunnelled paths do not
#                        depend on ICMP fragmentation-needed messages
#   fragment reassemble  reassemble fragments before filtering; the stateful
#                        rules need to see whole packets
scrub in all no-df min-ttl 100 max-mss 1440 fragment reassemble
#
# Queueing
#
# ALTQ/CBQ shaping on the uplink. Only outbound traffic on $ext_if is
# shaped (that is all a gateway can control); the "queue" keyword on the
# "pass out on $ext_if" rules below assigns packets to these queues.
# Requires ALTQ in the kernel (FreeBSD: options ALTQ ALTQ_CBQ). Modern
# OpenBSD removed ALTQ in favour of the "queue ... bandwidth" syntax, so
# this section must be rewritten there.
altq on $ext_if cbq bandwidth $ext_bw queue { normal, high, top }
# Bulk traffic; the default queue for anything not assigned elsewhere.
queue normal bandwidth 40% priority 1 cbq(default borrow)
# Replies from $high_ports (www); ECN-marks instead of dropping under load.
queue high   bandwidth 50% priority 5 cbq(borrow ecn)
# Interactive/control traffic: $top_ports (ssh, dns) and icmp.
queue top    bandwidth 10% priority 7 cbq(borrow)
#
# Translation
#
# Port forwards to a LAN host. "rdr pass" bypasses the filter rules
# entirely, so anything uncommented here is reachable from the whole
# Internet without the rate limiting and table checks applied to
# $ext_tcp_ports; prefer plain "rdr" plus an explicit pass rule if that
# matters.
#rdr pass on $ext_if proto { tcp, udp } from any to port 6881:6889 -> 192.168.10.10
#rdr pass on $ext_if proto { tcp, udp } from any to port 59683 -> 192.168.10.10
# Masquerade the whole LAN behind whatever address $ext_if currently has;
# the parentheses make pf re-read the address when it changes (DHCP/PPPoE).
# This is the pre-OpenBSD-4.7 "nat on" syntax, still valid on FreeBSD.
nat on $ext_if from $int_if:network to any -> ($ext_if)
#
# Packet Filtering
#
# pf evaluates rules top to bottom and the LAST matching rule wins unless
# a rule says "quick". The layout below relies on that: a default block,
# then the pass rules, then table-based blocks that must stay AFTER the
# pass rules so that they override them for listed sources.
#
# Block invalid packets
# Sources with no route back, or arriving on the wrong interface for the
# route back (strict uRPF), are dropped immediately and logged.
block in log quick on $ext_if from no-route
block in log quick on $ext_if from urpf-failed
# Incoming traffic on $ext_if
# Default: drop everything inbound on the Internet side (IPv4 and IPv6).
block drop in on $ext_if all
# Allow ICMP pings and traffic to open ports
# Only IPv4 echo requests are accepted here; ICMP errors belonging to
# existing connections are matched to their state by pf anyway.
# NOTE(review): nothing passes icmp6, so if $ext_if ever carries IPv6,
# neighbour discovery is dropped by the default block above - add an
# "inet6 proto icmp6" rule before enabling IPv6 on the uplink.
pass in on $ext_if inet proto icmp to ($ext_if) icmp-type 8 code 0 keep state
# Public services: synproxy shields the listeners from SYN floods and
# $sto_ext_ports sends flooding sources to <blocked_hosts>.
pass in on $ext_if proto tcp to ($ext_if) port $ext_tcp_ports $syn_state $sto_ext_ports
pass in on $ext_if proto udp to ($ext_if) port $ext_udp_ports keep state $sto_ext_ports
# Check src/dst of packets coming from outside
# These come after the pass rules on purpose: as the last match they win
# for a listed source. They only stop NEW states - connections a host
# already had keep working until their state expires, which is why the
# overload clause in $sto_ext_ports uses "flush global".
block in log on $ext_if from <abusers>
block in log on $ext_if from <ossec_fwtable>
block in log on $ext_if from <blocked_hosts>
block in log on $ext_if from <blocked_nets>
block in log on $ext_if to   255.255.255.255
# Nothing is forwarded inbound: only packets addressed to this host's own
# external address are accepted (port forwards use "rdr pass", which
# bypasses this rule).
block in log on $ext_if to   !($ext_if)
# Outgoing traffic on $ext_if
# Everything the host (and the NATed LAN) sends out is allowed; the later
# rules only move selected traffic to the faster queues (last match wins).
pass out on $ext_if keep state queue normal
pass out on $ext_if proto { tcp, udp } from ($ext_if) port $high_ports keep state queue high
pass out on $ext_if proto { tcp, udp } from ($ext_if) port $top_ports keep state queue top
pass out on $ext_if proto icmp all keep state queue top
# Incoming traffic on $int_if
# The LAN side answers with RST / unreachable instead of silently dropping,
# so misconfigured clients fail fast instead of timing out.
block return in on $int_if all
# Pass packets sent to me on local interface
pass in on $int_if from $int_if:network to ($int_if) keep state
# Allow broadcasts on internal interface
pass in on $int_if proto udp to 255.255.255.255 keep state
pass in on $int_if proto udp to $int_if:broadcast keep state
# Filter LAN ---> Inet traffic
# Only $nat_tcp_ports / $nat_udp_ports (ssh and ports >= 1024) are reachable
# directly; each LAN host is capped at 100 new connections per second.
pass in on $int_if proto icmp from $int_if:network to any keep state
pass in on $int_if proto tcp from $int_if:network to any port $nat_tcp_ports $mod_state $sto_nat_ports
pass in on $int_if proto udp from $int_if:network to any port $nat_udp_ports keep state $sto_nat_ports
# Accept LAN ---> My external interface
# Any port on the gateway's public address is reachable from the LAN, i.e.
# LAN hosts are trusted with every service this box runs, not only the
# ones in $ext_tcp_ports.
pass in on $int_if proto tcp from $int_if:network to ($ext_if) $mod_state $sto_nat_ports
pass in on $int_if proto udp from $int_if:network to ($ext_if) keep state $sto_nat_ports
# Outgoing traffic on $int_if
pass out on $int_if all keep state

Источник

