I am currently looking to build a gateway based on OpenBSD 6.0 pf. From what I read in the pf man pages and the OpenBSD pf FAQ, plus some examples from the internet, I was able to put a firewall configuration together. But I am not sure whether I did it right:
```
## Macros
wan="WAN interface"
wan_ip="WAN IP address"
lan="LAN interface"
lan_ip="LAN IP address"
lan_nw="LAN network address with subnetmask"
man="management interface"
man_ip="management ip address"
lo="lo0"

## TABLES
table <spammers> persist file "/etc/spammers.txt"

## OPTIONS
set block-policy drop
# debug lvl: none - urgent - misc - loud
set debug none
set limit { frags 2000, states 20000, src-nodes 2000, tables 1000, table-entries 100000 }
# loginterface takes a single interface or interface group, not a list
set loginterface $wan
set optimization normal
set reassemble yes
set ruleset-optimization none
set skip on $lo
set state-defaults pflow, no-sync
set state-policy if-bound

## TRAFFIC NORMALIZATION
# OpenBSD 6.0 has no standalone "scrub" rules any more: scrubbing is an option
# on match/pass/block rules, and IP fragment reassembly is controlled by
# "set reassemble yes" above
match on $wan scrub (reassemble tcp)
match in on $wan scrub (max-mss 1440)
match out on $wan scrub (random-id no-df)
# For NFS
match in on $lan scrub (no-df)
match out on $lan scrub (no-df)
antispoof for { $lo, $wan, $lan, $man }

## QUEUEING RULES

## TRANSLATION RULES (NAT)
# OpenBSD 6.0 syntax: NAT is a "nat-to" option on a match rule, not a "nat on" rule
match out on $wan from $lan_nw to any nat-to $wan_ip

## FILTER RULES
# Block everything (inbound AND outbound on ALL interfaces) by default (catch-all)
block all
# Block everything coming from and going to spam IPs
block in on $wan from <spammers> to any
block out on $wan from any to <spammers>
# Activate spoofing protection for all interfaces
block in on all from urpf-failed
# Default TCP policy
block return-rst in log on $wan proto tcp all
pass in quick on $man proto tcp from any to $man_ip port 22 flags S/FSRA keep state
# Default UDP policy
block in log on $wan proto udp all
# Provide NTP to LAN and mgmt network.
pass in quick on $lan proto udp from any to $lan_ip port 123
pass in quick on $man proto udp from any to $man_ip port 123
# Default ICMP policy
block in log on $wan proto icmp all
pass in quick on $wan proto icmp from any to $wan_ip icmp-type echoreq keep state
block out on $wan all
pass out quick on $wan from $wan_ip to any keep state
```
Is this enough to build a hardened gateway router? Could someone review my configuration and give me some feedback or pointers?
Answer 1
Your first scrub rule is redundant: you duplicate the same effect with the next two rules.

Make your specific block rules `quick`, otherwise they may be overridden by later rules. (By default the last matching action applies, unless `quick` is given, which effectively breaks off rule evaluation at that point.) Especially given your initial `block` rule, everything not explicitly matched will be blocked anyway, so most of your subsequent block rules are redundant.

When testing, use `log` and monitor the `pflog0` interface. Also use the verbose mode of pfctl's show rules (`pfctl -vsr`) to look at the match counters of the rules, to make sure they are actually doing something.