我想阻止特定端口的所有传入流量,并将这些被阻止数据包的源 IP 放入表中...我不知道 pf.conf 解决方案,我想我会使用另一种技巧,但我真的不知道是哪种!也许通过使用脚本监听来自特定 pflog 接口的 tcp 转储,该脚本接收有关这些被阻止数据包的日志并将 IP 报告给 pfctl add-to-table 命令..?有没有更轻量级的方式来实现它?
答案1
我在我的服务器上使用这种配置,基本上我有一个包含受信任 IP 的表和一个包含尝试在 SSH 上进行暴力破解的 IP 的表(在向全世界开放的情况下很少见)。
在 /etc/trusted 中创建一个新文件并输入您自己的 IP 地址(每行一个)。
打开/创建 /etc/firewall 并输入您的规则(即 HTTP/S、SSH):
#######################################################################
me="vtnet0"
table <bruteforcers> persist
table <trusted> persist file "/etc/trusted"
icmp_types = "echoreq"
junk_ports="{ 135,137,138,139,445,68,67,3222 }"
junk_ip="224.0.0.0/4"
set loginterface vtnet0
scrub on vtnet0 reassemble tcp no-df random-id
# ---- First rule obligatory "Pass all on loopback"
pass quick on lo0 all
# ---- Block junk logs
block quick proto { tcp, udp } from any to $junk_ip
block quick proto { tcp, udp } from any to any port $junk_ports
# ---- Second rule "Block all in and pass all out"
block in log all
pass out all keep state
############### FIREWALL ###############################################
# ---- Allow all traffic from my office
pass quick proto {tcp, udp} from 1.2.3.4 to $me keep state
# ---- Allow incoming Web traffic
pass quick proto tcp from any to $me port { 80, 443 } flags S/SA keep state
# ---- Block bruteforcers
block log quick from <bruteforcers>
# ---- Allow SSH from trusted sources, but block bruteforcers
pass quick proto tcp from <trusted> to $me port ssh \
flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 20/60, \
overload <bruteforcers> flush global)
# ---- Allow ICMP
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out inet proto icmp all icmp-type $icmp_types keep state
更新你的 /etc/rc.conf
pf_enable="YES"
pf_rules="/etc/firewall"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
查看暴力破解者表中是否有人:
pfctl -t bruteforcers -T show