macOS Sierra 上的 PF 阻止了一些本地网络流量,从而允许其他

tag-icon tag-icon networking macos pf
macOS Sierra 上的 PF 阻止了一些本地网络流量,从而允许其他

我的 Mac Mini 2012 上运行着 pf,系统为 OSX 10.12.2。除了一些奇怪的情况。我可以与无线网络打印机通信,但无法通过以太网与 HP 2015 通信。互联网很好。似乎只是本地网络。

如果我通过其 Internet 接口地址和端口转发访问它,我可以通过 Microsoft 远程桌面与办公室的另一台 Windows 笔记本电脑通话。但是……我无法通过本地以太网与它通话。我显然在 pf 规则集中遗漏了某些内容,但是什么呢?

我知道这是 PF,因为如果我禁用 pfsudo pfctl-d,突然我又可以和他们所有人交谈了。或者这两个服务都是 UDP?

这是 pf.conf 规则集 # # com.apple 锚点 # set skip on lo0

#not sure about these two
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"


scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
#


antispoof for en0 inet
antispoof for en0 inet6

antispoof for en1 inet
antispoof for en1 inet6

anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

table <badhosts> persist file "/etc/badguys1" file "/etc/badguys2"
block return in log quick on en0 from <badhosts> to any
block return in log quick on en1 from <badhosts> to any

block return in log quick proto tcp from 174.46.142.137 to any port {25,465,587}
block return in log quick proto tcp from 115.160.167.46 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.80 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.87 to any port {25,465,587}
block return in log quick proto tcp from 69.165.77.42 to any port {25,465,587}

# Open port 465 for TCP on all interfaces
pass in proto tcp from any to any port 21
pass in proto tcp from any to any port 22
pass in proto tcp from any to any port 23
pass in proto tcp from any to any port 25
pass in proto tcp from any to any port 53
pass in proto udp from any to any port 53
pass in proto tcp from any to any port 110
pass in proto tcp from any to any port 143
pass in proto tcp from any to any port 194
pass in proto tcp from any to any port 389
pass in proto tcp from any to any port 443
pass in proto tcp from any to any port 445
pass in proto tcp from any to any port 465
pass in proto tcp from any to any port 587
pass in proto tcp from any to any port 993
#
pass in proto tcp from any to any port 3389
pass in proto tcp from any to any port 5900
pass in proto tcp from any to any port 6112
#
pass in proto tcp from any to any port 8000
pass in proto udp from any to any port 6277
pass in proto udp from any to any port 1023

table <bruteforce> persist
block quick from <bruteforce>
pass in inet proto tcp to any port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/5, \
     overload <bruteforce> flush global)

答案1

我找到了答案。我想我补充了

pass in  on en0 from 192.168.0.0/24 to 192.168.0.1
pass out on en0 from 192.168.0.1    to 192.168.0.0/24
pass in  on en1 from 192.168.0.0/24 to 192.168.0.1
pass out on en1 from 192.168.0.1    to 192.168.0.0/24
# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.
pass in  on $int_if from $lan_net
pass out on $int_if to   $lan_net

答案2

我的最终 pf.conf 文件如下。有几个注释选项我会回头再看。第一个是 antispoof,如果设置了,会阻止我连接到路由器 Web 界面吗?最后一个是 int_if 集,我只需要定义它们。总有一天。

# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
set loginterface en1
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
#Only set antispoof on interfaces with an IP address. Otherwise
# you will block all traffic.
set skip on lo0


#antispoof for en1 inet
#antispoof for en1 inet6

#antispoof for en0 inet
#antispoof for en0 inet6

#

# com.apple anchor point
#
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

table <badhosts> persist file "/etc/badguys1" file "/etc/badguys2"
block on en1 from <badhosts> to any
block on en0 from <badhosts> to any
block return in log quick on en1 from <badhosts> to any

block return in log quick proto tcp from 174.46.142.137 to any port {25,465,587}
block return in log quick proto tcp from 115.160.167.46 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.80 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.99 to any port {25,465,587}
block return in log quick proto tcp from 185.64.106.87 to any port {25,465,587}
block return in log quick proto tcp from 69.165.77.42 to any port {25,465,587}
block return in log quick proto tcp from 191.96.249.61 to any port {25,465,587}
block return in log quick proto tcp from 191.96.249.26 to any port {25,465,587}
block return in log quick proto tcp from 191.96.0.0/24 to any

# Open port 465 for TCP on all interfaces
pass in proto tcp from any to any port 21
pass in proto tcp from any to any port 22
pass in proto tcp from any to any port 23
pass in proto tcp from any to any port 25
pass in proto tcp from any to any port 53
pass in proto udp from any to any port 53
pass in proto tcp from any to any port 110
pass in proto tcp from any to any port 143
pass in proto tcp from any to any port 194
pass in proto tcp from any to any port 389
pass in proto tcp from any to any port 443
pass in proto tcp from any to any port 445
pass in proto tcp from any to any port 465
pass in proto tcp from any to any port 587
pass in proto tcp from any to any port 993
pass in proto tcp from any to any port 5900
pass in proto tcp from any to any port 6112

pass in proto udp from any to any port 6277
pass in proto udp from any to any port 1023
#
pass in proto tcp from any to any port 8000


table <bruteforce> persist
block quick from <bruteforce>
pass in inet proto tcp to any port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/5, \
     overload <bruteforce> flush global)

pass in  on en0 from 192.168.0.0/24 to 192.168.0.1
pass out on en0 from 192.168.0.1    to 192.168.0.0/24
pass in  on en1 from 192.168.0.0/24 to 192.168.0.1
pass out on en1 from 192.168.0.1    to 192.168.0.0/24
# pass all traffic to and from the local network.
# these rules will create state entries due to the default
# "keep state" option which will automatically be applied.

相关内容