FreeBSD pf.conf. Error: "no IP address found for wlan0:network"

Every time I try to write some sensible pf rules, I fail. I need someone to help me with the puzzling syntax and mechanics of pf.

This is my pf.conf:

 1 # The name of our network interface as seen in `ifconfig`
 2 ext_if="re0"
 3 usb_if="ue0"
 4 wlan_if="wlan0"
 5 wlan_network = $wlan_if:network
 6
 7 all_ifs = "{" $ext_if $usb_if $wlan_if "}"
 8
 9 # Macros to define the set of TCP and UDP ports to open.
10 # Add additional ports or ranges separated by commas.
11 # UDP 60000-60010 is mosh control http://mosh.mit.edu/
12 tcp_services = "{ ssh, http, https, smtp, domain, www, pop3, auth, pop3s }"
13 udp_services = "{ 60000:60010, domain, ntp }"
14
15 # If you block all ICMP requests you will break things like path MTU
16 # discovery. These macros define allowed ICMP types. The additional
17 # ICMPv6 types are for neighbor discovery (RFC 4861)
18 icmp_types = "{echoreq, unreach}"
19 icmp6_types="{echoreq, unreach, 133, 134, 135, 136, 137}"
20
21 # send RST
22 set block-policy return
23
24 # log interface on cable->ISP
25 set loginterface $ext_if
26
27 # Exempt the loopback interface to prevent services utilizing the
28 # local loop from being blocked accidentally.
29 set skip on lo0
30
31 # normalize all incoming traffic
32 scrub in on $ext_if all fragment reassemble
33
34 # block and log everything by default
35 block return log on $ext_if all
36
37 # block anything coming from source we have no back routes for
38 block in from no-route to any
39
40 # block packets whose ingress interface does not match the one in
41 # the route back to their source address
42 block in from urpf-failed to any
43
44 # block and log outgoing packets that do not have our address as source,
45 # they are either spoofed or something is misconfigured (NAT disabled,
46 # for instance), we want to be nice and do not send out garbage.
47 block out log quick on $ext_if from ! 31.41.112.52 to any
48
49 # block and log incoming packets from reserved address space and invalid
50 # addresses, they are either spoofed or misconfigured, we cannot reply to
51 # them anyway (hence, no return-rst).
52 block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
53   192.168.0.0/16, 255.255.255.255/32 } to any
54
55 # Enable antispoofing on all interfaces
56 antispoof quick for $all_ifs
57
58 # drop broadcast requests quietly.
59 block in quick on $all_ifs from any to 255.255.255.255
60
61 # ICMP
62
63 # pass out/in certain ICMP queries and keep state (ping)
64 # state matching is done on host addresses and ICMP id (not type/code),
65 # so replies (like 0/0 for 8/0) will match queries
66 # ICMP error messages (which always refer to a TCP/UDP packet) are
67 # handled by the TCP/UDP states
68 pass on $ext_if inet proto icmp all icmp-type 8 code 0
69
70 # UDP
71
72 # pass out all UDP connections and keep state
73 pass out on $ext_if proto udp all
74
75 # pass in certain UDP connections and keep state (DNS)
76 pass in on $ext_if proto udp from any to any port domain
77
78 # TCP
79
80 # pass out all TCP connections and modulate state
81 pass out on $ext_if proto tcp all modulate state
82
83 # pass in certain TCP connections and keep state
84 pass in on $ext_if proto tcp from any to any port $tcp_services
85
86 # IPv6
87 # pass in/out all IPv6 traffic: note that we have to enable this in two
88 # different ways, on both our physical interface and our tunnel
89 pass quick on $ext_if proto ipv6
90
91 # NAT on wi-fi
92 nat on $ext_if from $wlan_network to any -> ($ext_if)
93 pass from ($wlan_network) to any keep state

The error is:

/etc/pf.conf:92: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded

I sometimes connect a wifi dongle to my laptop. The device is configured as an access point, so I can share my internet connection from the laptop with other devices. What I want to do is pass packets from the local wifi network to the external interface. I use NAT for this. When the dongle is connected, everything works fine. But most of the time it isn't connected.

My thinking is that since the wifi adapter isn't connected regularly, there is no $wifi_network, and hence the error.

How do I solve this situation? In other words, how can I make pf apply the rule only when I have the wifi network interface?

Answer 1

I had to reformat my pf.conf.

Simply changing wlan_network to

wlan_network = "{ 192.168.0.1/24 }"

fixed the error. The NAT rule stays as

nat on $ext_if from $wlan_network to any -> ($ext_if)

pf now reads the network as a string, and since pf only applies the rule to traffic from the given address coming through the given interface, the rule does not run when there is no wlan0 interface.

Tested the above by turning WI-FI on and off.

Answer 2

I think line 92 should also have parentheses, like this:

nat on $ext_if from ($wlan_network) …

See line 93: pass from ($wlan_network) to any keep state
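Both answers avoid the same thing: having pfctl turn wlan0:network into an address while the file is being loaded. Answer 1 replaces the macro with a literal network string, answer 2 wraps the name in parentheses, which (per pf.conf(5)) makes pf resolve the interface's address at run time and track it when the interface appears or changes address; since macros are expanded textually, ($wlan_network) becomes (wlan0:network). The script below is an added example and is not code from the question or from either answer. It lints a pf.conf for :network, :broadcast or :peer modifiers used outside parentheses, the pattern that made pfctl reject the whole file, and wraps the usual parse-then-load sequence with pfctl -n. The function names lint_pf_ifaddr and load_pf_checked, the temporary file names and the two sample rulesets are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the question or the answers. It checks a pf.conf
# for interface-address modifiers used outside parentheses. Unparenthesised
# forms such as "wlan0:network" are turned into addresses by pfctl while the
# file is loaded, so an absent interface makes pfctl reject the whole file
# ("pf rules not loaded"). Parenthesised forms such as "(wlan0:network)" are
# resolved by pf at run time and follow the interface's address as it changes.
# Function names, file contents and macro values below are constructed.

# Print "line:text" for every non-comment line that uses :network, :broadcast
# or :peer on a bare interface or macro name. Returns 1 if any were found.
lint_pf_ifaddr() {
    conf="$1"
    # Drop comments first; then require that the token is not preceded by "(",
    # "$" or another identifier character, so "($wlan_if:network)" is accepted.
    found=$(sed 's/#.*$//' "$conf" \
        | grep -n -E '(^|[^($A-Za-z0-9_])\$?[A-Za-z0-9_]+:(network|broadcast|peer)' \
        || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Parse the file without loading it (pfctl -n); load it only if the lint and
# the parse both succeed. Meant for a FreeBSD host; pfctl is not needed for
# the lint itself.
load_pf_checked() {
    conf="$1"
    lint_pf_ifaddr "$conf" && pfctl -nf "$conf" && pfctl -f "$conf"
}

# Constructed sample 1: the questioner's pattern. The macro on line 2 expands
# into the nat rule on line 3, which is why pfctl reports the rule's line.
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
wlan_if="wlan0"
wlan_network = $wlan_if:network
nat on re0 from $wlan_network to any -> (re0)
EOF

# Constructed sample 2: both fixes from the answers. A literal network string
# (answer 1) contains no modifier at all; a parenthesised interface (answer 2)
# is left for pf to resolve whenever wlan0 is present.
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
wlan_if="wlan0"
wlan_network = "{ 192.168.0.1/24 }"      # answer 1: plain string
nat on re0 from $wlan_network to any -> (re0)
pass from ($wlan_if:network) to any keep state   # answer 2: parentheses
EOF

for f in "$BAD_CONF" "$GOOD_CONF"; do
    if lint_pf_ifaddr "$f"; then
        echo "$f: no load-time interface addresses"
    else
        echo "$f: wrap the names above in parentheses or use a literal network"
    fi
done
```

Run as written, the script reports line 2 of the first sample and nothing for the second. On a FreeBSD host, load_pf_checked /etc/pf.conf refuses to replace the running ruleset when either the lint or pfctl -n fails, which is the point: a ruleset that fails to parse is not partially loaded, it is not loaded at all.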
