OpenBSD + PF configuration

zhaozj2021-02-16  82

OpenBSD PF configuration

A beginner's OpenBSD PF setup; corrections are welcome.

QQ: 35907960

Mail: yainypunix@yahoo.com.cn

The OpenBSD server has three network cards:

rl0  61.131.58.x       public side
rl1  192.168.1.0/24    internal network segment 1
rl2  131.107.3.0/24    internal network segment 2

Some internal IPs should have Internet access 24 hours a day, others only for 8 hours, so I wrote two scripts:

shellpf1 loads pf1.conf (24-hour Internet access)
shellpf2 loads pf2.conf (8 hours)

The four files shellpf1, shellpf2, pf1.conf and pf2.conf live in the /etc/pf directory and are run at fixed times from crontab.

The configuration of file /etc/pf/pf1.conf is as follows:

ext_if="rl0"     # connects to the public network
192_if="rl1"     # private network segment 1
131_if="rl2"     # private network segment 2
192net="{
    192.168.1.222/32,
    192.168.1.5/32,
    192.168.1.132/32,
    192.168.1.77/32,
    192.168.1.2/32,
    192.168.1.8/32,
    192.168.1.4/32,
    192.168.1.6/32,
    192.168.1.28/32,
    192.168.1.177/32,
    192.168.1.195/32,
    192.168.1.45/32,
    192.168.1.47/32,
    192.168.1.16/32,
    192.168.1.249/32
}"
131net="{
    131.107.3.215/32,
    131.107.3.216/32,
    131.107.3.217/32,
    131.107.3.218/32,
    131.107.3.219/32,
    131.107.3.220/32,
    131.107.3.211/32,
    131.107.3.43/32,
    131.107.3.47/32,
    131.107.3.48/32,
    131.107.3.174/32,
    131.107.3.175/32,
    131.107.3.181/32,
    131.107.3.194/32,
    131.107.3.123/32,
    131.107.3.252/32,
    131.107.3.253/32,
    131.107.3.216/32,    # already listed above
    131.107.3.198/32,
    131.107.3.17/32
}"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set optimization aggressive
scrub in all

# 61.131.58.x: the public address, last octet masked in the post
nat on rl0 from 192.168.1.0/24 to any -> 61.131.58.x/32
nat on rl0 from 131.107.3.0/24 to any -> 61.131.58.x/32

block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
#pass in inet proto icmp all icmp-type $icmp_types keep state
# keep the two internal segments apart
block in quick on $192_if from 131.107.3.0/24 to any
block out quick on $192_if from any to 131.107.3.0/24
block in quick on $131_if from 192.168.1.0/24 to any
block out quick on $131_if from any to 192.168.1.0/24
# only the listed hosts get through
pass in on $192_if from $192net to any keep state
pass out on $192_if from any to $192net keep state
pass in on $131_if from $131net to any keep state
pass out on $131_if from any to $131net keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto udp all keep state

The file /etc/pf/pf2.conf is as follows:

ext_if="rl0"     # connects to the public network
192_if="rl1"     # private network segment 1
131_if="rl2"     # private network segment 2
192net="{
    192.168.1.2/32,
    192.168.1.8/32,
    192.168.1.6/32,
    192.168.1.45/32,
    192.168.1.47/32,
    192.168.1.16/32,
    192.168.1.28/32,
    192.168.1.249/32,
    192.168.1.222/32
}"
131net="{
    131.107.3.48/32,
    131.107.3.47/32
}"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set optimization aggressive
scrub in all

# 61.131.58.x: the public address, last octet masked in the post
nat on rl0 from 192.168.1.0/24 to any -> 61.131.58.x/32
nat on rl0 from 131.107.3.0/24 to any -> 61.131.58.x/32

block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
#pass in inet proto icmp all icmp-type $icmp_types keep state
# keep the two internal segments apart
block in quick on $192_if from 131.107.3.0/24 to any
block out quick on $192_if from any to 131.107.3.0/24
block in quick on $131_if from 192.168.1.0/24 to any
block out quick on $131_if from any to 192.168.1.0/24
# only the listed hosts get through
pass in on $192_if from $192net to any keep state
pass out on $192_if from any to $192net keep state
pass in on $131_if from $131net to any keep state
pass out on $131_if from any to $131net keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto udp all keep state
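As an added example (not part of the original post), here is a small Python audit of the two allow-lists that the cron job switches between: it parses the brace-list macros out of pf.conf text and reports which hosts keep access around the clock, which are daytime-only, and which are listed only at night. The sample configs are constructed to mirror the shape of pf1.conf and pf2.conf above, and the function names are mine.

```python
import ipaddress
import re

# Brace-list macro such as 192net="{ ... }"; the list may span lines as in pf1.conf.
LIST_MACRO_RE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"\s*\{([^}]*)\}\s*"', re.MULTILINE)

def parse_list_macros(conf_text):
    """Map macro name -> [network, ...] for every brace-list macro in a pf.conf.

    Every entry must be a valid network.  A duplicate raises, since in a
    hand-kept allow-list it usually means a copy-paste slip; trailing commas
    (as in the original pf1.conf) are tolerated."""
    macros = {}
    for name, body in LIST_MACRO_RE.findall(conf_text):
        hosts = []
        for tok in re.split(r"[,\s]+", body):
            if not tok:
                continue
            net = str(ipaddress.ip_network(tok, strict=True))  # raises on junk
            if net in hosts:
                raise ValueError(f"{name}: duplicate entry {net}")
            hosts.append(net)
        macros[name] = hosts
    return macros

def diff_access(day_conf, night_conf, macro):
    """Return (always, day_only, night_only) for the hosts of `macro`.

    Hosts in both files keep access around the clock, hosts only in the daytime
    file lose it when shellpf2 loads pf2.conf, and hosts only in the night file
    are almost certainly a mistake, since they would be cut off by day."""
    day = set(parse_list_macros(day_conf).get(macro, []))
    night = set(parse_list_macros(night_conf).get(macro, []))
    key = ipaddress.ip_network  # sort numerically rather than as strings
    return (sorted(day & night, key=key), sorted(day - night, key=key),
            sorted(night - day, key=key))

# Constructed excerpts in the shape of pf1.conf (daytime) and pf2.conf (night).
PF1 = '''ext_if="rl0"
192net="{
    192.168.1.222/32, 192.168.1.5/32,
    192.168.1.2/32, 192.168.1.8/32,
}"
131net="{ 131.107.3.47/32, 131.107.3.48/32, 131.107.3.215/32 }"
'''
PF2 = '''ext_if="rl0"
192net="{ 192.168.1.2/32, 192.168.1.8/32, 192.168.1.222/32 }"
131net="{ 131.107.3.48/32, 131.107.3.47/32 }"
'''
```

Running diff_access(PF1, PF2, "192net") on the real files before each edit shows exactly who loses access at night, and the duplicate check catches entries like the repeated 131.107.3.216/32 in pf1.conf.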

/etc/pf/shellpf1 is as follows:

#!/bin/sh
pfctl -d
pfctl -e
pfctl -f /etc/pf/pf1.conf

/etc/pf/shellpf2 is as follows:

#!/bin/sh
pfctl -d
pfctl -e
pfctl -f /etc/pf/pf2.conf

Note that pfctl -d switches filtering off until pfctl -e switches it back on, so for a moment all traffic passes unfiltered; pfctl -f on its own replaces the running rule set in place.

The crontab, /var/cron/tabs/root, is as follows:

# $OpenBSD: crontab,v 1.9 2001/09/11 19:03:55 millert Exp $
# $Id: crontab-nomail,v 1.1 2002/04/15 01:03:20 jmates Exp $
#
# jam 2002-04-14 disabled mailings from root.
#
# /var/cron/tabs/root - root's crontab
#
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/etc/pf
HOME=/var/log
#
#minute hour    mday    month   wday    command
#
*/10    18      *       *       *       /etc/pf/shellpf2
*/50    7       *       *       *       /etc/pf/shellpf1
#
# sendmail clientmqueue runner
#
# rotate log files every hour, if necessary
0       *       *       *       *       /usr/bin/newsyslog
# send log file notifications, if necessary
#1-59   *       *       *       *       /usr/bin/newsyslog -m
#
# do daily/weekly/monthly maintenance
30      1       *       *       *       /bin/sh /etc/daily 1>/var/log/daily.out 2>&1
30      3       *       *       6       /bin/sh /etc/weekly 1>/var/log/weekly.out 2>&1
30      5       1       *       *       /bin/sh /etc/monthly 1>/var/log/monthly.out 2>&1

So cron runs shellpf2 every day at 18:10 and shellpf1 every day at 7:50. (Strictly, the step syntax */10 in the minute field matches every tenth minute of the 18:00 hour and */50 matches 7:00 and 7:50, so each rule set is actually reloaded more than once; "10 18 * * *" and "50 7 * * *" would run each script exactly once.)

To bind MAC addresses to IPs I also wrote a script of static ARP entries, so that nobody can get Internet access simply by changing their IP address (it does not stop someone who also changes their MAC address):

arp -s 192.168.1.4 00:0C:76:84:52:F0 pub
arp -s 192.168.1.5 00:0C:76:2F:DD:2C pub

Please credit the original address when reposting: https://www.9cbs.com/read-12589.html
