pf firewall server configuration

I'm trying to configure a firewall for a server that hosts http, smtp and ssh on a custom port.

When I initialize pf, the command line shows an error:

No ALTQ support in kernel

My ssh connection freezes.

Configuration:

[\u@vader:/root] # cat /home/pf.conf
local_host="108.61.175.20"
table <blockedips> persist file "/etc/blocked_ips.conf"
#interface="vtnet0"
icmp_types="echoreq"
ext_if="vtnet0"
# Custom port for ssh
SSH_CUSTOM = 22222

scrub in on $ext_if all fragment reassemble

set skip on lo0
#set skip on lo1

antispoof for $ext_if

# --- EXTERNAL INTERFACE
# --- INCOMING -------------------------------------------------------------------

# --- TCP
pass in  quick on $ext_if inet proto tcp from any to $ext_if  port http
pass in  quick on $ext_if inet proto tcp from any to $ext_if  port https
pass in  quick on $ext_if inet proto tcp from any to $ext_if  port $SSH_CUSTOM

# --- UDP
# --- for authoritative DNS server
#pass in  quick on $ext_if inet proto udp from any to $ext_if  port domain

# --- ICMP
pass in  quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types

# --- EXTERNAL INTERFACE
# --- OUTGOING --------------------------------------------------------------------

anchor TMP

# --- TCP
pass  out quick log on $ext_if inet proto tcp from $ext_if to any port smtp
pass  out quick     on $ext_if inet proto tcp from $ext_if to any port domain
pass  out quick     on $ext_if inet proto tcp from $ext_if to any port http
pass  out quick     on $ext_if inet proto tcp from $ext_if to any port https
pass  out quick     on $ext_if inet proto tcp from $ext_if to any port whois
pass  out quick     on $ext_if inet proto tcp from $ext_if to any port $SSH_CUSTOM

# --- UDP
pass  out quick on $ext_if inet proto udp from $ext_if to any port domain
pass  out quick on $ext_if inet proto udp from $ext_if to any port ntp

# --- ICMP
pass  out quick on $ext_if inet proto icmp  from $ext_if to any

# ------------------------------------------------------
# --- DEFAULT POLICY
# ------------------------------------------------------
block log all

# ----- end of pf.conf

How do I configure a basic server pf firewall to allow inbound www, smtp and custom-port ssh traffic? I also need a block table, similar to the one in the config.
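As an added example (not the poster's file and not part of any answer on this page), here is a ruleset in the same style that also passes inbound smtp and actually uses the <blockedips> table, wrapped in a small sh script that writes it and parses it with pfctl -nf. Two points differ from the question's config on purpose: the block rule for the table is placed before the pass rules and marked quick, because every pass rule is quick and would otherwise win, and antispoof is made quick for the same reason. Interface vtnet0, port 22222 and the table file path are taken from the question; /etc/pf.conf as the output path is an assumption.

```shell
#!/bin/sh
# Added example: a pf.conf for the question's setup (inbound http/https/smtp,
# ssh on a custom port, a persistent block table), rendered and checked by
# this script. Not the poster's file. Assumptions: interface vtnet0, ssh on
# 22222, table file /etc/blocked_ips.conf, output /etc/pf.conf.
set -u

# render_pf_conf IFACE SSH_PORT TABLE_FILE -> ruleset on stdout
render_pf_conf() {
    cat <<EOF
# --- MACROS
ext_if="$1"
ssh_custom="$2"
icmp_types="echoreq"

# --- TABLES
# persist: survives ruleset reloads. Seeded from the file, editable at
# runtime without a reload: pfctl -t blockedips -T add 203.0.113.9
table <blockedips> persist file "$3"

# --- OPTIONS
set skip on lo0
scrub in on \$ext_if all fragment reassemble
antispoof quick for \$ext_if

# --- BLOCK LIST (first and quick: a listed source never reaches a pass rule)
block in quick log on \$ext_if from <blockedips> to any

# --- INCOMING
pass in quick on \$ext_if inet proto tcp from any to \$ext_if port { http, https, smtp, \$ssh_custom }
pass in quick on \$ext_if inet proto icmp from any to \$ext_if icmp-type \$icmp_types

# --- OUTGOING (pf keeps state by default, so return traffic is matched)
pass out quick log on \$ext_if inet proto tcp from \$ext_if to any port smtp
pass out quick on \$ext_if inet proto tcp from \$ext_if to any port { domain, http, https, whois, \$ssh_custom }
pass out quick on \$ext_if inet proto udp from \$ext_if to any port { domain, ntp }
pass out quick on \$ext_if inet proto icmp from \$ext_if to any

# --- DEFAULT POLICY: anything no quick rule matched is dropped and logged
block log all
EOF
}

# write_ruleset IFACE SSH_PORT TABLE_FILE OUT -> writes OUT, creates the table
# file if missing, and parses the result with pfctl -nf when pfctl is present.
write_ruleset() {
    [ -f "$3" ] || : > "$3"          # 'persist file' refuses to load if the file is absent
    render_pf_conf "$1" "$2" "$3" > "$4"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$4"                # -n: parse only, nothing is loaded
    else
        echo "pfctl not found; wrote $4 unchecked" >&2
    fi
}

# Usage: sh pf-gen.sh /etc/pf.conf   (no argument: only define the functions)
if [ $# -ge 1 ]; then
    write_ruleset vtnet0 22222 /etc/blocked_ips.conf "$1"
fi
```

After a successful pfctl -nf, load it with pfctl -f /etc/pf.conf; the table file takes one address or CIDR per line.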

Answer 1

This message is normal, because ALTQ isn't compiled into the FreeBSD kernel. Unless you need to use ALTQ, it doesn't matter.

Starting the firewall interrupts all current connections, including your ssh session, which stops responding. Just open another terminal and log in again. The original session will eventually time out.

It's a good idea to set up a cron job that turns PF off after about ten minutes, so that if you make a mistake you can log in again, until you're sure the setup is right.
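A fail-safe loader along the lines of that answer, as an added example (not the answerer's script): it syntax-checks the ruleset, installs a one-shot entry in root's crontab that runs pfctl -d N minutes later, loads the rules, and removes the entry once you've confirmed that a fresh login works. /sbin/pfctl, /etc/pf.conf, the 10-minute window and the marker comment are assumptions.

```shell
#!/bin/sh
# Added example, not the answerer's code: load a pf ruleset on FreeBSD with a
# cron-based safety net. If the new rules lock you out, cron runs 'pfctl -d'
# (disable filtering) FAILSAFE_MINUTES later and you can log back in.
# Assumptions: /sbin/pfctl, ruleset at /etc/pf.conf, a 10-minute window.
set -u

PF_CONF="${PF_CONF:-/etc/pf.conf}"
FAILSAFE_MINUTES="${FAILSAFE_MINUTES:-10}"
TAG="# pf-failsafe"   # marker so the crontab entry can be found and removed

# failsafe_time HOUR MINUTE DELTA -> "HOUR MINUTE" DELTA minutes later,
# wrapping past midnight. Pure arithmetic, so it is deterministic.
failsafe_time() {
    total=$(( ($1 * 60 + $2 + $3) % 1440 ))
    echo "$(( total / 60 )) $(( total % 60 ))"
}

# failsafe_cron_line HOUR MINUTE DELTA -> one crontab entry (root's own
# crontab, so no user field) that disables pf at that time.
failsafe_cron_line() {
    set -- $(failsafe_time "$1" "$2" "$3")
    printf '%s %s * * * /sbin/pfctl -d %s\n' "$2" "$1" "$TAG"
}

install_failsafe() {
    # Strip a leading zero: sh arithmetic rejects 08 and 09 as bad octal.
    h=$(date +%H); m=$(date +%M)
    line=$(failsafe_cron_line "${h#0}" "${m#0}" "$FAILSAFE_MINUTES")
    { crontab -l 2>/dev/null | grep -v "$TAG"; printf '%s\n' "$line"; } | crontab -
    echo "fail-safe installed: $line"
}

remove_failsafe() {
    crontab -l 2>/dev/null | grep -v "$TAG" | crontab -
}

load_ruleset() {
    # -n parses without loading; a bad file never reaches the kernel.
    /sbin/pfctl -nf "$PF_CONF" || { echo "ruleset rejected, nothing loaded" >&2; return 1; }
    install_failsafe
    /sbin/pfctl -f "$PF_CONF"
    /sbin/pfctl -e 2>/dev/null || true   # "already enabled" is not an error here
    echo "loaded. Open a NEW ssh session now; if it works, run: $0 confirm"
}

case "${1:-}" in
    load)    load_ruleset ;;
    confirm) remove_failsafe && echo "fail-safe removed; rules stay active" ;;
    *)       ;;   # no argument: just define the functions (safe to source)
esac
```

Why the old session hangs: pf's pass rules keep state, and with the default flags S/SA a state is only created by the initial SYN, so packets of a TCP session that was already established when the rules were loaded match no pass rule and fall through to block log all. If the fail-safe does fire, pfctl -d only disables filtering; the rules stay loaded and pfctl -e turns them back on once fixed. To have pf come up at boot on FreeBSD, set pf_enable="YES" in /etc/rc.conf.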
