I am trying to build a simple pf.conf that includes NAT allowing all systems to send traffic out of the network on a selected set of ports. In my basic configuration I have an internal server hosting HTTP/HTTPS that is reachable from the outside through a NATed IP. From the inside, I only want clients to leave the network over DNS/HTTP/HTTPS.
int_if="eth0"
ext_if="eth1"
localnet=$int_if:network
nat on $ext_if from $localnet to any -> ($ext_if)
comp1="172.16.0.1"
rdr on $ext_if proto tcp from any to ($ext_if) port http -> $comp1 port http
rdr on $ext_if proto tcp from any to ($ext_if) port https -> $comp1 port https
client_out_tcp = "{ http, https}"
client_out_udp = "{ 53 }"
pass inet proto tcp from $localnet to port $client_out_tcp
pass inet proto udp from $localnet to port $client_out_udp
With this configuration my server can be reached on the correct ports as I designed, but my clients can always leave the network regardless.
Answer 1
The default action is pass: a packet that matches no rule is not dropped.
If you don't want this, the first packet-filtering rule should be
block all
If you want to control outgoing traffic, you should specify it like this:
# Block by default. (pass rules should follow later).
block out log on $ext_if all label "outblock"
# What to pass
client_out_tcp = "{ http, https}"
client_out_udp = "{ 53 }"
pass out inet proto tcp from $localnet to port $client_out_tcp
pass out inet proto udp from $localnet to port $client_out_udp
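As an added example (not the question's or the answer's own configuration), here is a complete pf.conf in the classic nat/rdr syntax the page uses (FreeBSD pf, OpenBSD before 4.7) that puts the block-by-default rule first and then passes only the traffic the question asks for. The interface names, 172.16.0.1 and the macro names come from the question; the rule structure and everything else is an assumption made here for illustration. One caveat worth knowing with this syntax: nat and rdr are applied before the filter rules, so a rule on $ext_if sees the translated addresses. Outbound client traffic on $ext_if has source ($ext_if), not $localnet, and redirected server traffic on $ext_if has destination $comp1, not ($ext_if). The example therefore enforces the client policy on $int_if, where the LAN addresses are still untranslated, and names the translated addresses on $ext_if.

```pf
# Added example, not the question's or answer's own pf.conf.
# Classic nat/rdr syntax (FreeBSD pf, OpenBSD < 4.7). eth0/eth1, 172.16.0.1
# and the macro names come from the question; the rest is assumed here.

# pf.conf ordering is options, scrub, queueing, translation, filtering,
# so the option comes first. Never filter loopback.
set skip on lo0

int_if   = "eth0"
ext_if   = "eth1"
localnet = $int_if:network
comp1    = "172.16.0.1"

client_out_tcp = "{ http, https }"
client_out_udp = "{ domain }"        # port 53 by its /etc/services name
server_ports   = "{ http, https }"

# Translation. These run before the filter rules, so the pass rules on
# $ext_if below match the translated packet, not the original one.
nat on $ext_if inet from $localnet to any -> ($ext_if)
# Redirect only what is addressed to the external address on the published
# ports; with no "port" after the target the original port is kept.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $server_ports -> $comp1

# Default deny in both directions on every interface. Logged drops can be
# read from pflog0 (see the usage note).
block log all

# Clients: enforce the outbound policy on the internal interface, where the
# source is still the untranslated LAN address. DNS is a UDP rule, not a
# second TCP rule as in the question's config.
pass in on $int_if inet proto tcp from $localnet to any port $client_out_tcp keep state
pass in on $int_if inet proto udp from $localnet to any port $client_out_udp keep state

# The same traffic leaving $ext_if has already been NATed, so its source is
# the firewall's own address; "from $localnet" would never match here.
pass out on $ext_if inet proto tcp from ($ext_if) to any port $client_out_tcp keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port $client_out_udp keep state

# Published server: after rdr the destination is already $comp1, so the
# pass rule on $ext_if must name $comp1 rather than ($ext_if).
pass in  on $ext_if inet proto tcp from any to $comp1 port $server_ports keep state
pass out on $int_if inet proto tcp from any to $comp1 port $server_ports keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr`, `pfctl -sn` and `pfctl -ss` show the loaded filter rules, translation rules and state table, and `tcpdump -n -e -ttt -i pflog0` shows what the `log` keyword on the block rule is dropping. On OpenBSD 4.7 and later, where nat/rdr became `match ... nat-to` / `rdr-to` and translation happens during filtering, rules on $ext_if see the untranslated addresses instead, so `from $localnet` on $ext_if does match there and the ($ext_if)/$comp1 substitutions above are not needed.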