インストール
最近のFreeBSDには標準で組み込まれていますのでパッケージ等は不要です。
/etc/rc.conf で有効にします。
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
最近のFreeBSDには標準で組み込まれていますのでパッケージ等は不要です。
/etc/rc.conf で有効にします。
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
（pflog_enable="YES" で pflog0 インターフェースが作られ、ルールで log 指定したパケットは `tcpdump -n -e -ttt -i pflog0` で確認できます。）
フィルタの設定を /etc/pf.conf に記載します。
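# macros
int_if = "{ re1, tun0, tun10 }"
nat_if = "ng0"
ext_if = "ng0"
lo_if  = "lo0"

### 1194:openvpn
tcp_services = "{ \
    1194, ssh, smtp, submission, http, domain, \
    ntp, pptp, l2tp, imap, imaps, pop3, auth, \
    https, sip, sip-tls \
}"
udp_services = "{ 1194, domain, ntp }"
# NOTE(review): netbios_ports is defined but referenced by no rule below;
# a block rule for it was presumably intended -- confirm.
netbios_ports = "{ 135, 137, 138, 139, 445, 1433 }"
icmp_in_types = "{ echoreq, unreach, squench, timex }"
icmp_out_types = "{ echorep, unreach, squench, timex }"

# Addresses that must never be a source on the external interface (inbound)
# or a destination (outbound): "this" network, RFC 1918, loopback,
# link-local, IETF protocol assignments, TEST-NET-1, benchmarking,
# multicast and class E.
# The previous list was an RFC 3330-era bogon list: 14/8, 24/8, 39/8,
# 128.0/16 and 223.255.255/24 have since been allocated and are routed on
# the public internet, so they are removed here -- leaving them in silently
# drops (and logs) legitimate peers. The duplicate 127/8 and 169.254/16
# entries are folded into the /8 and /16 already listed.
# NOTE(review): 100.64.0.0/10 (RFC 6598, carrier-grade NAT) could be added,
# but not if ng0 itself is assigned an address from that range.
table <no_inet_addr> const { \
    0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
    172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, \
    198.18.0.0/15, 224.0.0.0/4, 240.0.0.0/4 \
}
table <in_net> { 10.0.0.0/16 }

# options
# "return" answers blocked packets with RST / ICMP unreachable. That is what
# makes the ident block below cheap for remote mail servers, but it also
# tells a scanner that a firewall is present; "drop" is stealthier.
set block-policy return

# scrub
scrub in all
# NOTE(review): 1414 is below the usual PPPoE clamp (1452); presumably chosen
# for the tun0/tun10 VPN overhead -- confirm against the tunnel MTU.
scrub out all random-id max-mss 1414

#############################################################
# nat/rdr
nat on $nat_if from <in_net> to any -> ($nat_if)

#############################################################
# filter rules
####################
# local network   #
####################
# Default deny, logged to pflog0; every rule below is a "quick" exception.
block log all
pass quick on $lo_if all
# Traffic from the LAN/VPN range on an internal interface is trusted
# outright. NOTE(review): tun0 and tun10 are part of $int_if, so every VPN
# client holding a 10.0.0.0/16 address gets the same trust as the wired LAN,
# including access to every service on this host.
pass quick on $int_if from <in_net> to any

# Anti-spoofing on ng0: silently drop bogon sources inbound and bogon
# destinations outbound (these use "drop" regardless of block-policy).
block drop in log quick on $ext_if from <no_inet_addr> to any
block drop out log quick on $ext_if from any to <no_inet_addr>

# IDENT (port 113): refused with RST so remote MTAs do not wait for a timeout.
block log quick inet proto tcp from any to any port = ident

# Published services. "flags S/SA" creates state only on a genuine SYN;
# "modulate state" additionally randomises the initial sequence number.
pass in quick on $ext_if inet proto tcp from any to any \
    port $tcp_services flags S/SA modulate state
# NOTE(review): domain and ntp are reachable from anywhere. Unless named is
# non-recursive for external clients and ntpd restricts queries, this host
# becomes a UDP amplification source -- confirm the daemon configurations.
pass in quick on $ext_if inet proto udp from any to any \
    port $udp_services keep state
# Dynamic port range, presumably for passive FTP data / SIP media.
# "><" is exclusive, so this is 49153-65534, and it exposes every TCP
# listener in that range (including ones bound by accident) to the internet.
pass in quick on $ext_if inet proto tcp from any to any \
    port 49152 >< 65535 flags S/SA modulate state

# multicast address (for OSPF)
# Not restricted to an interface: inbound multicast is accepted on ng0 too
# (the bogon rule above only checks the source). OSPF only needs
# 224.0.0.5 and 224.0.0.6; 224.0.0.0/8 is much wider than that.
pass in quick from any to 224.0.0.0/8 allow-opts
pass out quick from any to 224.0.0.0/8 allow-opts

# ICMP
# Echo requests are answered from any source on any interface.
pass in quick inet proto icmp all icmp-type $icmp_in_types keep state
pass out quick inet proto icmp all icmp-type $icmp_out_types

# outgoing
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto { udp, icmp } all keep state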
文法チェック（-n は読み込まずに検証のみ）を通してから読み込みます。rc.conf の pf_rules と同じ /etc/pf.conf を指定してください。
# pfctl -nf /etc/pf.conf
# pfctl -f /etc/pf.conf