This sample setup should work on FreeBSD 5.2.1 and up using the version
of pf that is in the base system. As always before following online
advice make sure that you understand what is done and read related
documentation such as pf(4), pf.conf(5) and pflogd(8). Good luck!
1) Make sure you have these in your kernel config ...
options PFIL_HOOKS # pfil(9) framework device pf # PF OpenBSD packet-filter firewall device pflog # logging support interface for PF
... or if you are running the GENERIC kernel you can use the pf kld,
it will be loaded automatically if you have pf_enable="YES" in rc.conf.
2) /etc/rc.conf network and pf related configuration.
ifconfig_fxp0="DHCP" ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.0" gateway_enable="YES" pf_enable="YES" pflog_enable="YES"
3) Here is a basic /etc/pf.conf that will work out-of-the-box in this
setup.
# macros
ext_if = "fxp0"
int_if = "fxp1"
internal_net = "192.168.0.0/24"
# tables
table <firewall> const { self }
# options
set block-policy drop
set state-policy if-bound
# scrub incoming packets
scrub all reassemble tcp fragment reassemble
# nat
nat on $ext_if from $internal_net to any -> ($ext_if)
# setup a default deny policy
block drop log all
# pass traffic on the loopback interface in either direction
pass quick on lo0 all
# bootp
pass out log-all quick on $ext_if inet proto udp from any port 68 to
any port 67 keep state
# dns, ntp
pass out quick on $ext_if inet proto udp from ($ext_if) to any port {
53, 123 } keep state
# outgoing from firewall
pass out log quick on $ext_if inet proto tcp from ($ext_if) to any
flags S/SA keep state
pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if)
to any keep state
# incoming, ssh, http (uncomment next line to enable)
#pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port
{ 22, 80 } flags S/SA keep state
# incoming active ftp-data (this is required for active ftp to work)
pass in log quick on $ext_if inet proto tcp from any port 20 to
($ext_if) port >= 1024 flags S/SA keep state
# incoming tcp and udp from the internal network to the internet
pass in log quick on $int_if inet proto tcp from $internal_net to
!<firewall> flags S/SA modulate state
pass in log quick on $int_if inet proto udp from $internal_net to
!<firewall> keep state
4) Reboot your FreeBSD router.
5) On the devices on the internal network configure an ip address
in the 192.168.0.2-192.168.0.254 range and set the default gateway
to 192.168.0.1. You should now be able to access the network behind
the FreeBSD router.
6) To watch the "live" pf log you can run 'tcpdump -nei pflog0'.
The log file is by default /var/log/pflog and rotated when it grows to
100k which is a bit small, you can change that to rotate it daily at
midnight and keep one week of logs. Modify /etc/newsyslog.conf, change
this line:
/var/log/pflog 600 3 100 * JB /var/run/pflogd.pid
to:
/var/log/pflog 600 7 * @T00 JB /var/run/pflogd.pid
9 часа 35 минуты назад
9 часа 55 минуты назад
10 часа 11 минуты назад
10 часа 11 минуты назад
10 часа 35 минуты назад
10 часа 42 минуты назад
10 часа 45 минуты назад
11 часа 39 минуты назад
12 часа 10 минуты назад
12 часа 19 минуты назад