freebsd:pf
Differences
Below are the differences between two revisions of the page.
Next revision | Previous revision | ||
freebsd:pf [2011/03/18 19:21] – created by sheltem | freebsd:pf [2013/10/23 11:10] (current version) – sheltem | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== | + | ====== |
+ | |||
+ | ===== Kernel | ||
On ajoute ça : | On ajoute ça : | ||
Line 12: | Line 14: | ||
make installkernel KERNCONF=MONKERNEL | make installkernel KERNCONF=MONKERNEL | ||
- | Exemple de fichier de configuration | + | ===== Exemple de fichier de configuration |
+ | |||
+ | / | ||
+ | |||
+ | <code pf> | ||
ext_if=" | ext_if=" | ||
int_if=" | int_if=" | ||
| | ||
- | table < | + | table < |
table < | table < | ||
| | ||
scrub in all | scrub in all | ||
| | ||
+ | #Refuse tout le traffic entrant et log, autorise tout traffice sortant | ||
block in log (all) all | block in log (all) all | ||
- | pass out all | + | pass out all |
| | ||
set skip on lo0 | set skip on lo0 | ||
| | ||
+ | #Autoriser toutes les ip se trouvant dans " | ||
pass in quick on $ext_if from < | pass in quick on $ext_if from < | ||
| | ||
+ | #Autoriser les paquets icmp et icmp V6 | ||
pass in quick proto icmp6 all | pass in quick proto icmp6 all | ||
pass in quick proto icmp all | pass in quick proto icmp all | ||
| | ||
+ | #Bloquer les ip dans " | ||
block quick from < | block quick from < | ||
+ | | ||
+ | #Autorise Http et SSH avec limite de tentative de connexion avant refus et inclusion dans la liste " | ||
pass in on $ext_if proto tcp to ($ext_if) port http keep state (max-src-conn-rate 20/5, overload < | pass in on $ext_if proto tcp to ($ext_if) port http keep state (max-src-conn-rate 20/5, overload < | ||
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state (max-src-conn-rate 10/60, overload < | pass in on $ext_if proto tcp to ($ext_if) port ssh keep state (max-src-conn-rate 10/60, overload < | ||
| | ||
- | #Allow DNS | + | #Autorise les requetes |
pass in on $ext_if proto tcp to ($ext_if) port domain | pass in on $ext_if proto tcp to ($ext_if) port domain | ||
pass in on $ext_if proto udp to ($ext_if) port domain | pass in on $ext_if proto udp to ($ext_if) port domain | ||
| | ||
- | #Allow traceroute | + | #Autorise |
pass in on $ext_if proto udp to ($ext_if) port 33433 >< 33626 keep state | pass in on $ext_if proto udp to ($ext_if) port 33433 >< 33626 keep state | ||
+ | </ | ||
+ | |
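Review bot: `set skip on lo0` (the row after `pass out all`) sits after `scrub in all` and after the `block in log (all) all` / `pass out all` filter rules; FreeBSD's pfctl(8) enforces the statement order options, normalization, queueing, translation, filtering unless `set require-order no` is given, and refuses to load the file with "Rules must be in order: options, normalization, queueing, translation, filtering", so move that line up next to the `ext_if`/`int_if` macros and the `table` definitions, above `scrub in all`. Ordering also decides what the overload table actually stops: `block quick from <...` precedes the two `pass in on $ext_if proto tcp ... keep state (max-src-conn-rate ..., overload <...` rules and is `quick`, so a source that exceeds `20/5` or `10/60` is dropped on its next connection, but the earlier `pass in quick on $ext_if from <...` (the allow-list table) and the `pass in quick proto icmp6 all` / `pass in quick proto icmp all` rules match before it, so listed addresses and all ICMP/ICMPv6 from an overloaded host still pass; if that is intended for the allow-list, say so in its comment, and restrict the ICMP rule to `$ext_if` with `icmp-type echoreq` instead of every type on every interface. The comment on the HTTP/SSH rules speaks of a limit on "connection attempts", but `max-src-conn-rate` counts TCP connections that completed the handshake per source within the window, not failed logins (pf cannot see authentication results), so the thresholds must leave room for legitimate clients that reconnect often. The two `port domain` rules accept TCP and UDP 53 from any source on `$ext_if`; if the listening resolver is recursive, that makes the host usable as a reflection amplifier, so limit the source to the clients that need it (for example `from $int_if:network`) or run the server authoritative-only.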
freebsd/pf.1300476091.txt.gz · Last modified: 2011/03/18 19:21 by sheltem