PF on OSX needs to be restarted before it takes effect

Is anyone here familiar with using PF on OSX? I use PF to force all traffic on my MacBook through a VPN. For that I use the following pf.conf:

wifi=en0
wifi2=en1
lan1=en2
lan2=en3
lan3=en4
lan4=en5
lan5=en6
#vpn=tun0
vpn=utun0
#vpn2=tap0

set block-policy return
set skip on {lo0,$vpn}

# Scrub all incoming packets.
scrub in all

block in  all
block out all

# Don't allow IPv6 at all. This is sad, but IPredator doesn't support it.
block quick inet6

# Allow DHCP.
# I could probably be more specific than "from any", but didn't find a way to
# specify the link's local network universally. "from $wifi:network" works, but
# "from $ether:network" for example doesn't as long as $ether does not exist.
pass quick on { $wifi $wifi2 $lan1 $lan2 $lan3 $lan4 $lan5 } proto udp from any port 67:68

# Allow DNS
pass out quick proto udp to any port 53

# Allow iPredator VPN.
# The destination address specification is a bit loose, but I couldn't get a
# complete list of hosts. Only allowing UDP 1194 should be enough to keep
# possible risks to a minimum.
pass quick proto udp to 46.246.32.0/19 port 1194

# Allow all incoming and outgoing local traffic
pass in on { $wifi $wifi2 $lan1 $lan2 $lan3 $lan4 $lan5 } proto { tcp, udp, icmp } from 192.168.1.0/24 to 192.168.1.0/24
pass out on { $wifi $wifi2 $lan1 $lan2 $lan3 $lan4 $lan5 } proto { tcp, udp, icmp } from 192.168.1.0/24 to 192.168.1.0/24

Basically, the firewall works fine. But when I put the MacBook to sleep and wake it up again, the whole firewall hangs. Even though the VPN connection is still active, nothing can connect. In these cases I have to restart the firewall (pfctl -e), and then it works again. It also often happens that the VPN connection drops, the firewall blocks all traffic (which is correct), the VPN reconnects automatically, but the firewall doesn't notice this until I restart it.

Has anyone here run into something like this? Is there any way to fix it? Thanks, Norbert
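Added example, not part of Norbert's post: a small Python model of how pf evaluates the ruleset above (the last matching rule wins, a matching "quick" rule ends evaluation, interfaces in "set skip" are never filtered), useful for checking what the kill switch lets out of en0 before loading it on a real machine. Assumed: only the rule features this pf.conf actually uses are modelled, and the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

LAN_IFS = {"en0", "en1", "en2", "en3", "en4", "en5", "en6"}  # $wifi, $wifi2, $lan1..$lan5
SKIP_IFS = {"lo0", "utun0"}                                  # set skip on {lo0,$vpn}

# The rules from the pf.conf above, transcribed in order. A key missing from a rule
# is a wildcard; "q" marks quick, "af" the IP version, sport/dport inclusive ranges.
RULES = [
    dict(act="block", dir="in"),
    dict(act="block", dir="out"),
    dict(act="block", q=True, af=6),
    dict(act="pass", q=True, ifs=LAN_IFS, proto={"udp"}, sport=(67, 68)),
    dict(act="pass", q=True, dir="out", proto={"udp"}, dport=(53, 53)),
    dict(act="pass", q=True, proto={"udp"}, dst="46.246.32.0/19", dport=(1194, 1194)),
    dict(act="pass", dir="in", ifs=LAN_IFS, proto={"tcp", "udp", "icmp"},
         src="192.168.1.0/24", dst="192.168.1.0/24"),
    dict(act="pass", dir="out", ifs=LAN_IFS, proto={"tcp", "udp", "icmp"},
         src="192.168.1.0/24", dst="192.168.1.0/24"),
]

def matches(rule, pkt):
    """pkt is a constructed dict: dir, iface, proto, src, dst and optional sport/dport."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    sport, dport = pkt.get("sport", -1), pkt.get("dport", -1)
    return all([
        "dir" not in rule or rule["dir"] == pkt["dir"],
        "af" not in rule or rule["af"] == src.version,
        "ifs" not in rule or pkt["iface"] in rule["ifs"],
        "proto" not in rule or pkt["proto"] in rule["proto"],
        "src" not in rule or src in ip_network(rule["src"]),  # False across IP versions
        "dst" not in rule or dst in ip_network(rule["dst"]),
        "sport" not in rule or rule["sport"][0] <= sport <= rule["sport"][1],
        "dport" not in rule or rule["dport"][0] <= dport <= rule["dport"][1],
    ])

def verdict(pkt):
    """pf semantics: interfaces in 'set skip' are not filtered at all; otherwise the
    LAST matching rule wins, except that a matching 'quick' rule ends evaluation."""
    if pkt["iface"] in SKIP_IFS:
        return "pass"
    result = "pass"  # pf's default when nothing matches; the two block rules cover that here
    for rule in RULES:
        if matches(rule, pkt):
            result = rule["act"]
            if rule.get("q"):
                break
    return result
```

Running plain web traffic on en0 through verdict() gives "block" while the same flow on utun0 passes, which is the intended kill switch; it also shows that the "pass out quick proto udp to any port 53" rule lets DNS queries leave on en0 outside the tunnel.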