pf.conf の記述
pf.conf
/etc/pf.conf を設定する。
外部公開サーバが 2 つ（Web サーバとネットワークカメラ）あるので、外部から ng0 に届く該当ポート宛のアクセスは rdr でそれぞれの LAN 側アドレスにリダイレクトし、フィルタ規則でも対応するポートだけを通すよう記述する。
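# Packet filter rules
#
#        WAN  AAA.BBB.CCC.DDD/32
#          |
#        (ng0) XXX.YYY.ZZZ.LLL
#          |
#         (pf)
#          |
#        (re0) 192.168.X.1/32
#          |
#        LAN  192.168.X.0/24
#
# Layout: macros, tables, options, normalization, translation (nat/rdr),
# then filtering.  pf applies translation before filtering, so the inbound
# pass rules at the bottom match on the *translated* LAN address.

###################################
# Macros                          #
###################################
ext_if="ng0"                   # external interface (mpd4 device ng0, PPP)
int_if="re0"                   # internal interface
ext_addr="XXX.YYY.ZZZ.LLL"     # external address (ng0)
int_addr="192.168.X.0/24"      # internal network address

##### Redirect #####
webserver="192.168.X.M"        # Web Server
# NOTE(review): ssh, smtp and ftp on the web server are reachable from the
# whole Internet through this list.  Plain FTP behind NAT additionally needs
# the server's passive port range redirected (or ftp-proxy in reverse mode)
# before it works; confirm every entry here is intended before exposing it.
webports="{ http, https, ssh, smtp, ftp, 16667 }"
netcamera="192.168.X.N"        # Network Camera
cameraports="8080"             # Network Camera Port No.

###################################
# Tables                         #
###################################
# NOTE(review): the <name> tokens of these tables (and every <name>
# reference further down) were stripped when the page was rendered as HTML;
# the names used here are reconstructed placeholders - restore the originals.
#
# <local>: addresses of this host.  The original lists 192.168.1.1, which
# does not match the re0 address 192.168.X.1 in the diagram above - confirm.
table <local> const { 127.0.0.1, 192.168.1.1 }
# RFC 1918 private space; must never be seen on the WAN side in either direction.
table <private> const { 10/8, 172.16/12, 192.168/16 }
# Reserved / never-routable space ("bogons").  The original list also carried
# 14/8, 24/8, 39/8, 128.0/16 and 223.255.255/24; those have since been
# allocated as ordinary unicast blocks, and blocking them drops legitimate
# clients of the public servers, so they were removed.  The RFC 5737
# documentation ranges were added.  A static bogon list goes stale; if you
# want to keep one, drop "const" and refresh it from a file with
# "pfctl -t bogon -T replace -f <file>".
table <bogon> const { 0/8, 127/8, 169.254/16, \
                      192.0.0/24, 192.0.2/24, 192.88.99/24, 198.18/15, \
                      198.51.100/24, 203.0.113/24, 224/4, 240/4 }

###################################
# Options                         #
###################################
set block-policy drop          # drop silently, never answer with RST/ICMP unreachable
set loginterface $ext_if       # logging interface

###################################
# Normalization                   #
###################################
scrub in all
# random-id hides the host's IP-ID sequence from the outside; max-mss 1414
# is presumably the PPPoE MTU (1454) minus 40 bytes of IP+TCP header, which
# keeps TCP working even when ICMP "fragmentation needed" is filtered upstream.
scrub out all random-id max-mss 1414

###################################
# Queueing                        #
###################################

###################################
# Translation                     #
###################################
# ($ext_if) is resolved per packet, so a new PPP address after a reconnect is
# picked up without reloading the ruleset.
nat on $ext_if from $int_addr to !<private> -> ($ext_if)

##### Redirect #####
# ($ext_if) is used here for the same reason as in the nat rule; the original
# "to $ext_if" froze the address that ng0 had when the ruleset was loaded.
rdr on $ext_if proto tcp from any to ($ext_if) port $webports -> $webserver
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port $cameraports -> $netcamera
# LAN hosts cannot reach these services through the WAN address with these
# rules alone (no NAT reflection); use the LAN addresses, or add matching
# rdr/nat rules on $int_if.

###################################
# Filtering                       #
###################################
### Default Rule is blocking all traffic in and out ###
block log all
#block all

### pass traffic on loopback interface(lo0) ###
### (must precede antispoof, whose rules would otherwise hit loopback traffic)
pass quick on lo0 all

### spoofing protection: drop packets whose source belongs to one of our
### interface networks but that arrive on the wrong interface.  The original
### listed only $ext_if while its comment said "internal interface"; covering
### both interfaces is what that comment describes.
antispoof log quick for { $int_if, $ext_if }

### pass all traffic to and from the local network ###
pass in on $int_if from $int_addr to any
pass out on $int_if from any to $int_addr

### pass tcp, udp and icmp out on the external interface ###
### modulate state on tcp, keep state on udp and icmp
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

### block "packets to local address" from LAN to WAN ###
block out log quick on $ext_if from any to { <private>, <bogon> }

### block "packets from local address" from WAN to LAN ###
block in log quick on $ext_if from { <private>, <bogon> } to any

### block smb and netbios packets out to WAN ###
### (one rule with a port list; pf expands it to the same five rules)
block out log quick on $ext_if proto { tcp, udp } from any to any port { 135, 137, 138, 139, 445 }

### activate SQL Slammer / MS-SQL protection for the external interface ###
block out log quick on $ext_if proto { tcp, udp } from any to any port { 1433, 1434 }

### for Webserver and Network camera ###
### "keep state" and "flags S/SA" are spelled out so these rules behave the
### same on older pf, where pass rules were stateless by default: without a
### state entry the server's SYN/ACK going out on $ext_if would not match the
### "flags S/SA" pass-out rule above and the handshake would never complete.
### The tcp and udp camera rules are split because "flags" applies to tcp only.
### NOTE(review): the camera is reachable from "any" source; network cameras
### are a frequent target and rarely get security updates, so restricting the
### source to known client addresses (or putting it behind a VPN) is advisable.
pass in on $ext_if proto tcp from any to $webserver port $webports flags S/SA keep state
pass in on $ext_if proto tcp from any to $netcamera port $cameraports flags S/SA keep state
pass in on $ext_if proto udp from any to $netcamera port $cameraports keep state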