
pf.conf の記述

pf.conf

/etc/pf.conf を設定する。
外部公開サーバが 2 つあるので、外部からのアクセスはそれらにリダイレクトするよう記述。

# Packet filter rules
#
# /etc/pf.conf for a FreeBSD gateway: PPPoE (mpd4, ng0) on the WAN side,
# one LAN segment (re0), NAT for the LAN, and two hosts published to the
# Internet via rdr (a web server and a network camera).
#
# NOTE(review): this listing was recovered from a rendered web page, and
# every "<name>" token (pf table references) appears to have been stripped
# by the HTML rendering.  Affected lines are marked below; as shown, the
# file does not parse (empty "{ }" lists, tables without names).

#  WAN  AAA.BBB.CCC.DDD/32
#   |
# (ng0) XXX.YYY.ZZZ.LLL
#   |
# (pf)
#   |
# (re0) 192.168.X.1/32
#   |
#  LAN  192.168.X.0/24

###################################
# Macros                          #
###################################
ext_if="ng0"                    # external interface (mpd4 device ng0)
int_if="re0"                    # internal interface
ext_addr="XXX.YYY.ZZZ.LLL"      # external address (ng0)
int_addr="192.168.X.0/24"       # internal network address
##### Redirect #####
webserver="192.168.X.M"         # Web Server
# Ports forwarded to the web server from *any* source.  ssh, smtp, ftp and
# 16667 are therefore reachable from the whole Internet; if ssh/16667 only
# need to be reachable from known sources, restrict the matching "pass in"
# rule below (or a dedicated table) rather than the rdr.
# ftp: only the control port is forwarded here; FTP data connections
# (active or passive) need ftp-proxy or an additional forwarded port range,
# otherwise transfers will stall.
webports ="{ http, https, ssh, smtp, ftp, 16667 }"
netcamera="192.168.X.N"         # Network Camera
cameraports="8080"              # Network Camera Port No.


###################################
# Tables                          #
###################################
# NOTE(review): each "table" below must be "table <name> const { ... }";
# the <name> part is missing in this copy.  By content these look like
# (1) the firewall's own addresses, (2) RFC 1918 private ranges and
# (3) martian/reserved ("bogon") ranges -- confirm against the original.
table    const { 127.0.0.1, 192.168.1.1 }
table  const { 10/8, 172.16/12, 192.168/16 }
table  const { 0/8, 14/8, 24/8, 39/8, 127/8, 128.0/16, 169.254/16, \
                        192.0.0/24, 192.0.2/24, 192.88.99/24, 198.18/15, \
                        223.255.255/24, 224/4, 240/4 }

###################################
# Options                         #
###################################
set block-policy drop           # blocked packets are silently dropped (no RST / ICMP unreachable)
set loginterface $ext_if        #logging interface

###################################
# Normalization                   #
###################################
scrub in  all
# max-mss 1414 = 1454 - 40 (IPv4 + TCP headers), i.e. sized for a PPPoE
# link with a 1454-byte MTU -- confirm against the actual ng0 MTU.
scrub out all random-id max-mss 1414

###################################
# Queueing                       #
###################################


###################################
# Translation                     #
###################################
# NOTE(review): "to !" is followed by nothing here; a table reference
# ("!<name>") was most likely stripped from this copy -- restore it, or the
# rule will not parse.
nat on $ext_if from $int_addr to ! -> ($ext_if)
##### Redirect #####
# Inbound connections to the external address on these ports are rewritten
# to the internal hosts; the filtering rules below see the *translated*
# destination, which is why they match on $webserver / $netcamera.
rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webserver
rdr on $ext_if proto { tcp, udp } from any to $ext_if port $cameraports -> $netcamera

###################################
# Filtering                       #
###################################

### Default Rule is blocking all traffic in and out ###
# Default deny in both directions, logged; everything else below is an
# explicit exception.  Later non-quick rules override this (last match wins).
block log all
#block all

### pass traffic on loopback interface(lo0) ###
pass quick on lo0 all

### activate spoofing protection for the external interface ###
# (Rule applies to $ext_if: drops packets arriving on ng0 that claim a
# source address belonging to one of the firewall's own networks.)
antispoof log quick for $ext_if

### pass all traffic to and from the local network ###
pass in  on $int_if from $int_addr to any
pass out on $int_if from any to $int_addr

### pass tcp, udp and icmp out on the external interface ###
### modulate state on tcp, keep state on udp and icmp
# flags S/SA: only the initial SYN creates state; modulate state also
# randomizes the ISN of outbound connections.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

### block "packets to local address" from LAN to WAN ###
# NOTE(review): the "{    }" list is empty in this copy; it should hold the
# private/reserved-address table(s) defined above ("{ <name> ... }").
# These rules come after the "pass out" rules above but are "quick", so a
# match here wins and stops evaluation.
block out log quick on $ext_if from any to {    }

### block "packets from local address" from WAN to LAN ###
# NOTE(review): same missing table reference as the rule above.
block in  log quick on $ext_if from {    } to any

### block smb and netbios packets out to WAN ###
# Prevents Windows file-sharing / RPC traffic from leaking to the Internet;
# logged so attempts are visible in pflog.
block out log quick on $ext_if proto { tcp, udp } from any to any port 135
block out log quick on $ext_if proto { tcp, udp } from any to any port 137
block out log quick on $ext_if proto { tcp, udp } from any to any port 138
block out log quick on $ext_if proto { tcp, udp } from any to any port 139
block out log quick on $ext_if proto { tcp, udp } from any to any port 445

### activate SQL Slammer protection for the external interface ###
# MS SQL Server ports; blocks an infected LAN host from spreading outward.
block out log quick on $ext_if proto { tcp, udp } from any to any port 1433
block out log quick on $ext_if proto { tcp, udp } from any to any port 1434

### for Webserver and Network camera ###
# Matches the post-rdr destination.  No explicit state option: on pf
# versions where "keep state" is not the default for pass rules, add
# "flags S/SA keep state" to the tcp rule -- confirm for this FreeBSD release.
pass in on $ext_if proto tcp from any to $webserver port $webports
pass in on $ext_if proto { tcp, udp } from any to $netcamera port $cameraports