
Исходное сообщение
"Список правил для pf"

Отправлено Salrod , 21-Апр-05 11:50 
Всем добрый день!

Обращаюсь с просьбой показать рабочий список правил для МЭ PF (Packet Filter — межсетевой экран OpenBSD).

Естественно, реальные IP-адреса мне не нужны (вырезайте всё, что считаете нужным) — это просто для изучения того, как данный МЭ реально используют в настоящее время.

PS Естественно, описание работы правил мне не нужно — man pf с удовольствием. Просто наличие уже рабочего списка (а лучше нескольких вариантов) позволит максимально быстро разработать собственную конфигурацию — по крайней мере с ipfw у меня дело обстояло именно так :)

Заранее спасибо!


Сообщения в этом обсуждении
"Список правил для pf"
Отправлено Salrod , 22-Апр-05 09:54 
UP: Не теряя надежды :)

"Список правил для pf"
Отправлено Salrod , 22-Апр-05 13:47 
Снова Up :)

Для тех, кого волнует похожий вопрос, поможет:
http://www.openbsd.org/faq/pf/


"Список правил для pf"
Отправлено Bobbi , 23-Апр-05 07:36 
#!/bin/sh
# pf ruleset for a single host (195.195.195.1 on xl0; xl1 is passed open with state).
# NOTE(review): the shebang is just a comment to pfctl -- this is a pf.conf, not a
# shell script; load it with "pfctl -f <file>", do not execute it.
# Nearly every rule carries "quick", so the first matching rule wins: order matters.

# Normalisation on the external interface: reassemble fragments, raise low TTLs,
# clamp MSS, clear DF, and normalise TCP sequence handling.
scrub in on xl0 all fragment reassemble min-ttl 20 max-mss 1440
scrub in on xl0 all no-df
scrub on xl0 all reassemble tcp

# Drop TCP segments with invalid flag combinations (SYN+FIN, Xmas, FIN-only, URG-only).
# "flags a/b": flags in a must be set, the remaining flags in b must be clear, flags
# outside b are ignored. No "on xl0" here, so these apply on every interface.
block in quick proto tcp from any to 195.195.195.1 flags SF/SFRA
block in quick proto tcp from any to 195.195.195.1 flags SFUP/SFRAU
block in quick proto tcp from any to 195.195.195.1 flags FPU/SFRAUP
block in quick proto tcp from any to 195.195.195.1 flags F/SFRA
block in quick proto tcp from any to 195.195.195.1 flags U/SFRAU
# NOTE(review): "P/P" only requires PSH to be set and ignores all other flags, so it
# matches ordinary data segments (PSH+ACK), not just malformed PSH-only ones. Placed as
# a "block quick" ahead of every pass rule, it would drop legitimate inbound data;
# verify the intent -- a PSH-only check needs the other flags in the mask (e.g.
# P/SFRAUP), otherwise the line should go.
block in quick proto tcp from any to 195.195.195.1 flags P/P

# Reject packets arriving with a loopback/private/link-local/reserved source address
# (224.0.0.0/3 covers multicast and the 240/4 reserved space), and never send to them.
# 20.20.20.0/24 is a site-specific entry; its purpose is not given here.
block in log-all quick on xl0 from { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 20.20.20.0/24 } to 195.195.195.1
block out log-all quick on xl0 from any to { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 20.20.20.0/24 }

# Services blocked and logged explicitly: syslog/udp, the NetBIOS range ("136 >< 140"
# is exclusive on both ends, i.e. 137-139), 901, submission, MySQL, 3000/3001, POP3.
block in log-all quick on xl0 proto udp from any to 195.195.195.1 port = 514
block in log-all quick on xl0 proto udp from any to 195.195.195.1 port 136 >< 140
block in log-all quick on xl0 proto tcp from any to 195.195.195.1 port 136 >< 140
block in log-all quick on xl0 proto tcp from any to 195.195.195.1 port = 901
block in log-all quick on xl0 proto tcp from any to 195.195.195.1 port = 587
block in log-all quick on xl0 proto tcp from any to 195.195.195.1 port = 3306
block in log-all quick on xl0 proto tcp from any to 195.195.195.1 port = 3000
block in log-all quick on xl0 proto tcp from any to 195.195.195.1 port = 3001
block in log-all quick on xl0 proto tcp from any to 195.195.195.1 port = 110

# ICMP: only echo request/reply in either direction; all other ICMP is blocked and logged.
# NOTE(review): this also blocks destination-unreachable / fragmentation-needed
# messages, which path-MTU discovery relies on -- consider passing those types.
pass in quick on xl0 proto icmp from any to 195.195.195.1 icmp-type echoreq
pass in quick on xl0 proto icmp from any to 195.195.195.1 icmp-type echorep
pass out quick on xl0 proto icmp from 195.195.195.1 to any icmp-type echoreq
pass out quick on xl0 proto icmp from 195.195.195.1 to any icmp-type echorep
block in log-all quick on xl0 proto icmp from any to any
block out log-all quick on xl0 proto icmp from any to any

# Loopback is unrestricted but logged ("log-all" on lo logs every packet; this is noisy).
pass in log-all quick on lo
pass out log-all quick on lo

# SSH only from 195.216.172.0/24; any other SSH attempt is blocked and logged.
pass in quick on xl0 proto tcp from 195.216.172.0/24 to 195.195.195.1 port = 22
block in log-all quick on xl0 proto tcp from any to 195.195.195.1 port = 22

# DNS: TCP/53 only to and from 80.80.80.53; UDP/53 queries accepted from anyone.
pass in quick on xl0 proto tcp from 80.80.80.53 to 195.195.195.1 port = 53
pass out quick on xl0 proto tcp from 195.195.195.1 port = 53 to 80.80.80.53
pass in quick on xl0 proto udp from any to 195.195.195.1 port = 53
pass out quick on xl0 proto udp from 195.195.195.1 port = 53 to any

# HTTP/HTTPS behind synproxy (the firewall completes the handshake before the server
# sees the connection). NOTE(review): "max 10" caps the concurrent states each of these
# rules may create at ten, which is very low for a public web server -- confirm intent.
pass in quick on xl0 proto tcp from any to 195.195.195.1 port = 80 synproxy state (max 10 tcp.finwait 5 tcp.opening 10 tcp.established 30 tcp.closing 20)
pass in quick on xl0 proto tcp from any to 195.195.195.1 port = 443 synproxy state (max 10 tcp.finwait 5 tcp.opening 10 tcp.established 30 tcp.closing 20)

# FTP control/data, new connections (SYN without ACK) only, behind synproxy.
pass in quick on xl0 proto tcp from any to 195.195.195.1 port = 20 flags S/SA synproxy state
pass in quick on xl0 proto tcp from any to 195.195.195.1 port = 21 flags S/SA synproxy state

# TCP/4661 in and out, stateless.
pass in quick on xl0 proto tcp from any to 195.195.195.1 port = 4661
pass out quick on xl0 proto tcp from 195.195.195.1 port = 4661 to any

# SMTP, SMTPS and POP3S, new connections only, behind synproxy.
pass in quick on xl0 proto tcp from any to 195.195.195.1 port = 25 flags S/SA synproxy state
pass in quick on xl0 proto tcp from any to 195.195.195.1 port = 465 flags S/SA synproxy state
pass in quick on xl0 proto tcp from any to 195.195.195.1 port = 995 flags S/SA synproxy state

# Replies to this host's own DNS queries, from the two resolvers it uses; needed
# because the outbound rules below keep no state.
pass in quick on xl0 proto udp from 80.80.80.53 port = 53 to 195.195.195.1
pass in quick on xl0 proto udp from 217.199.96.2 port = 53 to 195.195.195.1

# All outbound TCP/UDP from this host is allowed, without state.
pass out quick on xl0 proto tcp from 195.195.195.1 to any
pass out quick on xl0 proto udp from 195.195.195.1 to any

# Remaining inbound TCP connection attempts (SYN only) and all remaining inbound UDP
# are blocked and logged. Because outbound traffic keeps no state, the replies to this
# host's own connections (ACK set) are deliberately not matched here and fall through
# to pf's implicit default pass.
# NOTE(review): the same fall-through admits any non-SYN segment (ACK/FIN/RST probes)
# and any other IP protocol on xl0; a stateful "pass out ... keep state" followed by a
# final "block in" would be the conventional tightening.
block in log quick on xl0 proto tcp from any to 195.195.195.1 flags S/SAFRP
block in log quick on xl0 proto udp from any to 195.195.195.1

# xl1 is fully open with state (presumably the internal side -- not stated here).
pass in quick on xl1 from any to any keep state
pass out quick on xl1 from any to any keep state


"Список правил для pf"
Отправлено мелкая_пакость , 23-Апр-05 12:49 
# pf.conf for a small gateway: xl0 faces the outside, rl0 the inside.
# Written in the pre-OpenBSD 4.7 style (separate "rdr" translation rules, "keep state").
ext_if = "xl0"
int_if = "rl0"
# Internal host receiving the redirected RDP (3389) and game (27015-27018/udp) traffic.
game_srv = "192.168.82.2"
# Resolvers this gateway itself may query.
dns_srvs = "{ 10.100.1.1, 10.100.1.2 }"
icmp_types = "echoreq"

# Source-address tables: <banned> is dropped outright; the others gate RDP, SSH and SMB.
table <banned> { 10.110.52.34, 10.100.41.30, 10.100.41.77 }
table <rdp_users> { 10.100.41.33, 10.100.41.13, 10.100.41.9, 10.100.41.10 }
table <ssh_users> { 10.100.41.222, 10.100.41.33, 10.100.41.9,\
                                                10.100.41.221, 10.100.57.20 }
table <smb_users> { 10.100.41.33, 10.100.41.9, 10.100.48.48,\
                                               10.100.41.221, 10.100.41.222 }

# Blocked packets are answered with TCP RST / ICMP unreachable instead of silently
# dropped (overridden per rule with "block drop" below); keep counters on xl0.
set block-policy return
set loginterface $ext_if

# Normalise every incoming packet (fragment reassembly, etc.).
scrub in all

# Port forwards to the game server.
# NOTE(review): "rdr pass" passes matching packets without evaluating the filter rules
# below, so for these ports the later "block drop in ... from <banned>" and the matching
# "pass in on $ext_if" rules have no effect: RDP access is controlled only by the
# <rdp_users> table here, and the UDP game ports accept any source. Drop the "pass"
# modifier if the filter rules are meant to apply -- confirm against pf.conf(5) for the
# pf version in use.
rdr pass on $ext_if proto tcp from <rdp_users> to port 3389\
         -> $game_srv port 3389
rdr pass on $ext_if proto udp to port 27015\
         -> $game_srv port 27015
rdr pass on $ext_if proto udp to port 27016\
         -> $game_srv port 27016
rdr pass on $ext_if proto udp to port 27017\
         -> $game_srv port 27017
rdr pass on $ext_if proto udp to port 27018\
         -> $game_srv port 27018

# Default deny, logged. Loopback is unrestricted; ICMP echo requests pass with state.
# Note there is no "pass in on $int_if" anywhere, so hosts on rl0 cannot initiate
# connections through this gateway -- only replies to the redirected flows cross it
# (presumably intended).
block log all
pass quick on lo0 all
pass inet proto icmp all icmp-type $icmp_types keep state

# DNS from this gateway to its configured resolvers only.
pass out on $ext_if proto { tcp, udp } from any to $dns_srvs port domain\
                                                                   keep state

# Banned sources are silently dropped rather than answered with a RST.
block drop in quick on $ext_if from <banned> to any

# FTP: control on 21, passive data on ports above 49151, active data out from 20.
# "($ext_if)" means the interface's current address(es), looked up at match time.
# NOTE(review): the ">49151" rule admits new TCP connections from any source to every
# high port on the gateway, not only the FTP server's passive range -- confirm nothing
# else listens there.
pass in on $ext_if proto tcp from any to ($ext_if) port 21 flags S/SA\
                                                                   keep state
pass in on $ext_if proto tcp from any to ($ext_if) port >49151 flags S/SA\
                                                                   keep state
pass out on $ext_if proto tcp from ($ext_if) to any port 20 flags S/SA\
                                                                   keep state

# HTTP.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA\
                                                                   keep state

# RDP, restricted to <rdp_users>, forwarded to the game server on the inside.
pass in on $ext_if proto tcp from <rdp_users> to ($ext_if) port 3389\
                                                        flags S/SA keep state
pass out on $int_if proto tcp from any to $game_srv port 3389 keep state

# Game server UDP ports, from any source, forwarded to the inside.
pass in on $ext_if proto udp from any to ($ext_if) port\
                              { 27015, 27016, 27017, 27018 } keep state
pass out on $int_if proto udp from any to $game_srv port\
                              { 27015, 27016, 27017, 27018 } keep state

# SSH, restricted to <ssh_users>.
pass in on $ext_if proto tcp from <ssh_users> to ($ext_if) port 22\
                                                  flags S/SA keep state

# SMB (NetBIOS session / CIFS), restricted to <smb_users>.
pass in on $ext_if proto tcp from <smb_users> to ($ext_if) port { 139, 445 }\
                                                             keep state


"Список правил для pf"
Отправлено Salrod , 29-Апр-05 10:57 
Up