OpenBSD PF configuration
I am just starting out with OpenBSD PF, so please bear with me and correct any mistakes.
QQ: 35907960
Mail: yainypunix@yahoo.com.cn
The OpenBSD server has three network cards:
rl0  61.131.58.x      public network
rl1  192.168.1.0/24   internal network segment 1
rl2  131.107.3.0/24   internal network segment 2
Some IP addresses should have Internet access 24 hours a day; others are limited to 8 hours.
So I wrote two scripts:
shellpf1 loads pf1.conf (24-hour Internet access)
shellpf2 loads pf2.conf (8-hour Internet access)
The four files shellpf1, shellpf2, pf1.conf and pf2.conf live in the /etc/pf directory, and crontab runs the scripts at the scheduled times.
The configuration of file /etc/pf/pf1.conf is as follows:
ext_if = "rl0"    # connected to the public network
if_192 = "rl1"    # private network segment 1
if_131 = "rl2"    # private network segment 2
# macro names must start with a letter (pf.conf(5)), hence if_192 rather than 192_if
# hosts on segment 1 allowed out 24 hours a day
net_192 = "{ 192.168.1.222/32, 192.168.1.5/32, 192.168.1.132/32, 192.168.1.77/32, \
             192.168.1.2/32, 192.168.1.8/32, 192.168.1.4/32, 192.168.1.6/32, \
             192.168.1.28/32, 192.168.1.177/32, 192.168.1.195/32, 192.168.1.45/32, \
             192.168.1.47/32, 192.168.1.16/32, 192.168.1.249/32 }"
# hosts on segment 2 allowed out 24 hours a day
net_131 = "{ 131.107.3.215/32, 131.107.3.216/32, 131.107.3.217/32, 131.107.3.218/32, \
             131.107.3.219/32, 131.107.3.220/32, 131.107.3.211/32, 131.107.3.43/32, \
             131.107.3.47/32, 131.107.3.48/32, 131.107.3.174/32, 131.107.3.175/32, \
             131.107.3.181/32, 131.107.3.194/32, 131.107.3.123/32, 131.107.3.252/32, \
             131.107.3.253/32, 131.107.3.216/32, 131.107.3.198/32, 131.107.3.17/32 }"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set optimization aggressive
scrub in all

# NAT both internal segments to the public address (the x is as in the original post)
nat on rl0 from 192.168.1.0/24 to any -> 61.131.58.x/32
nat on rl0 from 131.107.3.0/24 to any -> 61.131.58.x/32

block all
pass quick on lo0 all

# never accept private source addresses from, or send them to, the public interface
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

#pass in inet proto icmp all icmp-type $icmp_types keep state

# keep the two internal segments apart (and drop addresses spoofed from the other segment)
block in quick on $if_192 from 131.107.3.0/24 to any
block out quick on $if_192 from any to 131.107.3.0/24
block in quick on $if_131 from 192.168.1.0/24 to any
block out quick on $if_131 from any to 192.168.1.0/24

# only the listed hosts may pass through the gateway
pass in on $if_192 from $net_192 to any keep state
pass out on $if_192 from any to $net_192 keep state
pass in on $if_131 from $net_131 to any keep state
pass out on $if_131 from any to $net_131 keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto udp all keep state
/etc/pf/pf2.conf is as follows:
ext_if = "rl0"    # connected to the public network
if_192 = "rl1"    # private network segment 1
if_131 = "rl2"    # private network segment 2
# macro names must start with a letter (pf.conf(5)), hence if_192 rather than 192_if
# hosts on segment 1 allowed out during the restricted hours
net_192 = "{ 192.168.1.2/32, 192.168.1.8/32, 192.168.1.6/32, 192.168.1.45/32, \
             192.168.1.47/32, 192.168.1.16/32, 192.168.1.28/32, 192.168.1.249/32, \
             192.168.1.222/32 }"
# hosts on segment 2 allowed out during the restricted hours
net_131 = "{ 131.107.3.48/32, 131.107.3.47/32 }"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set optimization aggressive
scrub in all

# NAT both internal segments to the public address (the x is as in the original post)
nat on rl0 from 192.168.1.0/24 to any -> 61.131.58.x/32
nat on rl0 from 131.107.3.0/24 to any -> 61.131.58.x/32

block all
pass quick on lo0 all

# never accept private source addresses from, or send them to, the public interface
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

#pass in inet proto icmp all icmp-type $icmp_types keep state

# keep the two internal segments apart (and drop addresses spoofed from the other segment)
block in quick on $if_192 from 131.107.3.0/24 to any
block out quick on $if_192 from any to 131.107.3.0/24
block in quick on $if_131 from 192.168.1.0/24 to any
block out quick on $if_131 from any to 192.168.1.0/24

# only the listed hosts may pass through the gateway
pass in on $if_192 from $net_192 to any keep state
pass out on $if_192 from any to $net_192 keep state
pass in on $if_131 from $net_131 to any keep state
pass out on $if_131 from any to $net_131 keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto udp all keep state
/etc/pf/shellpf1 is as follows:
#!/bin/sh
pfctl -d                      # disable pf
pfctl -e                      # enable pf again (existing states are kept)
pfctl -f /etc/pf/pf1.conf     # load the 24-hour ruleset
/etc/pf/shellpf2 is as follows:
#!/bin/sh
pfctl -d                      # disable pf
pfctl -e                      # enable pf again (existing states are kept)
pfctl -f /etc/pf/pf2.conf     # load the 8-hour ruleset
The crontab, /var/cron/tabs/root, is as follows:
# $OpenBSD: crontab,v 1.9 2001/09/11 19:03:55 millert Exp $
# $Id: crontab-nomail,v 1.1 2002/04/15 01:03:20 jmates Exp $
#
# jam 2002-04-14 disabled mailings from root.
#
# /var/cron/tabs/root - root's crontab
#
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/etc/pf
HOME=/var/log
#
#minute hour    mday    month   wday    command
#
# 18:10 every day: load the restricted (8-hour) ruleset
# (a field of */10 would run the script every ten minutes during the whole hour)
10      18      *       *       *       /etc/pf/shellpf2
# 07:50 every day: load the full (24-hour) ruleset
50      7       *       *       *       /etc/pf/shellpf1
#
# sendmail clientmqueue runner
#
# rotate log files every hour, if necessary
0       *       *       *       *       /usr/bin/newsyslog
# send log file notifications, if necessary
#1-59   *       *       *       *       /usr/bin/newsyslog -m
#
# do daily/weekly/monthly maintenance
30      1       *       *       *       /bin/sh /etc/daily 1>/var/log/daily.out 2>&1
30      3       *       *       6       /bin/sh /etc/weekly 1>/var/log/weekly.out 2>&1
30      5       1       *       *       /bin/sh /etc/monthly 1>/var/log/monthly.out 2>&1
This runs shellpf2 at 18:10 every day and shellpf1 at 7:50 every day.
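As an added example (not part of the original post), the two cron jobs can be folded into one script that works out from the clock which of the post's two rulesets should be active, parses the file with pfctl -n before loading it, and flushes states so hosts dropped from the list do not keep their existing connections. The file names and the 07:50 / 18:10 boundaries are the post's; the tag pfswitch used for logger is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: choose the ruleset that should
# be active at a given time and load it safely. /etc/pf/pf1.conf,
# /etc/pf/pf2.conf and the 07:50 / 18:10 boundaries come from the post.
RULES_DIR=/etc/pf

# select_ruleset HOUR MINUTE: prints "pf1" (full list, 07:50 up to 18:10) or
# "pf2" (restricted list, the rest of the day). One leading zero is stripped
# so that "08" from date(1) is not rejected as an invalid octal number.
select_ruleset() {
    hour=${1#0} minute=${2#0}                    # "08" -> "8", "0" -> ""
    now=$(( ${hour:-0} * 60 + ${minute:-0} ))    # minutes since midnight
    day_start=$((7 * 60 + 50))                   # 07:50, when cron runs shellpf1
    day_end=$((18 * 60 + 10))                    # 18:10, when cron runs shellpf2
    if [ "$now" -ge "$day_start" ] && [ "$now" -lt "$day_end" ]; then
        echo pf1
    else
        echo pf2
    fi
}

# apply_ruleset NAME: parse the file with -n first, so a typo cannot silently
# leave the previous ruleset in place, then load it and flush states so that
# hosts removed from the list lose their established connections now rather
# than when the states time out.
apply_ruleset() {
    conf="$RULES_DIR/$1.conf"
    if ! pfctl -nf "$conf"; then
        logger -t pfswitch "syntax error in $conf, keeping current rules"
        return 1
    fi
    pfctl -e 2>/dev/null          # only warns if pf is already enabled
    pfctl -f "$conf" && pfctl -F states && logger -t pfswitch "loaded $conf"
}

# Run with no arguments from cron at both boundaries, or once at boot, so the
# gateway always ends up with the ruleset that matches the current time.
if command -v pfctl >/dev/null 2>&1; then
    set -- $(date '+%H %M')
    apply_ruleset "$(select_ruleset "$1" "$2")"
else
    echo "pfctl not found: run this on the OpenBSD gateway" >&2
fi
```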
To bind MAC addresses to IP addresses, write a script of static ARP entries, so that nobody can get Internet access simply by changing their IP address (unless they also change the MAC address):
#!/bin/sh
arp -s 192.168.1.4 00:0c:76:84:52:f0 pub
arp -s 192.168.1.5 00:0c:76:2f:dd:2c pub