forum.lissyara.su

Код: Выделить всё

http_port 192.168.0.1:3128
http_port 127.0.0.1:3129 intercept

Код: Выделить всё

rdr pass inet proto tcp from 192.168.0.0/24 to any port 80 -> 127.0.0.1 port 3129

Код: Выделить всё

if_ext="em1"
if_int="em0"

ports_web="{ 80 443 }"

set block-policy drop
set loginterface $if_ext
set skip on lo

scrub in

nat on $if_ext from $if_int:network -> ($if_ext)
nat-anchor "ftp-proxy/*"

rdr on $if_int proto tcp to port ftp -> 127.0.0.1 port 8021
rdr-anchor "ftp-proxy/*"
rdr pass inet proto tcp from 192.168.0.0/24 to any port 80 -> 127.0.0.1 port 3129

block log all
block in quick from urpf-failed

pass in quick on $if_ext inet proto icmp to ($if_ext) icmp-type { unreach, redir, timex }

pass out on $if_ext modulate state

pass in on $if_int no state
pass in on $if_int proto tcp to port $ports_web no state
pass in on $if_int proto udp to port { domain sip } no state

pass out on $if_int no state
pass out on $if_int proto tcp from port $ports_web no state
pass out on $if_int proto udp from port domain no state

anchor "ftp-proxy/*"

Код: Выделить всё

########## interface info ##########
int_if="lan"
ext_if="tun0"

lannet="192.168.0.0/24"
int_ip="192.168.0.1"

########## open ports ##########
www="{ 80,443 }"
mail="{ 465,587,993,995,143,25,110 }"
rdp="{ 730,10913 }"
torrent="{ 51413,49152:65535,5650:5670 }"
ssh="{ 1981,1985,1986 }"
vpn="{ 1983, 1423 }"
ftp="{ 20,21,30000:65000 }"
voip="{ 4000:4010,4050:4090,5060:5065,5160:5165,8000:8002,9000:65534 }"
udp_services="{ 53,123 }"
stim="{ 27000:27050, 4380}"

icmp_types="{echoreq, unreach}"

########## CONTROL PF ##########
#set block-policy return  ## сбрасываем соединение вежливо
set timeout { frag 10, tcp.established 3600 } # Изменяем время для состояния установленного tcp соединения, которое по-умолчанию чересчур большое (24часа).
set block-policy drop  ## сбрасываем соединение грубо
set skip on lo0  ## полностью пропускаем проверку на петле
set skip on $int_if  ## полностью пропускаем проверку на интерфейсе
set loginterface $ext_if
set optimization normal

########## PF_tables ##########
table <white_list> persist { 1.2.3.4 }
table <full_dos> persist file "/etc/pftables/full_dos"
table <srv> persist file "/etc/pftables/srv"

### bloc tables ###
table <ca.zone> persist file "/etc/pftables/ca.zone"
table <cn.zone> persist file "/etc/pftables/cn.zone"
table <de.zone> persist file "/etc/pftables/de.zone"
table <fr.zone> persist file "/etc/pftables/fr.zone"
table <ua.zone> persist file "/etc/pftables/ua.zone"
table <ip.bloc> persist file "/etc/pftables/ip.bloc"

##########
scrub in all  ## нормализуем все входящие пакеты на всех интерфейсах
scrub on $ext_if all reassemble tcp

########## NAT ##########
#nat on $ext_if inet from $lannet to any -> ($ext_if)
nat on $ext_if inet from $int_ip to any -> ($ext_if)

nat on $ext_if inet from <full_dos> to any -> ($ext_if)
nat on $ext_if inet proto tcp from $lannet to any port $ftp -> ($ext_if)
nat on $ext_if inet proto tcp from $lannet to any port $www -> ($ext_if)
nat on $ext_if inet proto tcp from $lannet to any port $mail -> ($ext_if)
nat on $ext_if inet proto tcp from $lannet to any port $rdp -> ($ext_if)
nat on $ext_if inet proto udp from $lannet to any port $udp_services -> ($ext_if)
nat log on $ext_if inet proto icmp from $lannet to any -> ($ext_if)

########## redirect ##########
rdr pass inet proto tcp from $lannet to any port 80 -> 127.0.0.1 port 3128

########## filters ##########
antispoof log quick for { lo0, $int_if, $ext_if }

########## Правела блокировки ##########
block in log all
block out all
block in quick on $ext_if from <ip.bloc> to ($ext_if)
block in quick on $ext_if from <ca.zone> to ($ext_if)
block in quick on $ext_if from <cn.zone> to ($ext_if)
block in quick on $ext_if from <de.zone> to ($ext_if)
block in quick on $ext_if from <fr.zone> to ($ext_if)
block in quick on $ext_if from <ua.zone> to ($ext_if)
block in quick on $ext_if from <us.zone> to ($ext_if)
block drop in log quick on $ext_if from <ddos> to any
block drop in log quick on $ext_if from <ssh> to any

pass out quick on $ext_if from ($ext_if) to any

pass quick on lo0 all ## разрешаем петлю
pass quick on $ext_if from <white_list> to ($ext_if) keep state

########## Разрешаем открытые порты на внешнем интерфейсе ##########
pass in on $ext_if proto tcp from any to ($ext_if) port $www synproxy state  ## чистим траф www от SYN flood
pass in on $ext_if proto tcp to ($ext_if) port $www flags /SA keep state \(max-src-conn 60, max-src-conn-rate 10/2, overload <ddos> flush) ## www режим тех кто превысил лимиты и ложим в таблицу
pass in on $ext_if proto tcp to ($ext_if) port $ssh flags S/SA keep state \(max-src-conn 5, max-src-conn-rate 10/5, overload <ssh> flush global)
pass in on $ext_if proto tcp to ($ext_if) port $rdp flags S/SA keep state \(max-src-conn 1, max-src-conn-rate 5/20, overload <ddos> flush global)
pass in on $ext_if proto tcp to ($ext_if) port $ftp flags S/SA keep state \(max-src-conn 1, max-src-conn-rate 5/20, overload <ddos> flush global)
pass in on $ext_if proto udp to ($ext_if) port $vpn keep state \(max-src-conn 1, max-src-conn-rate 5/20, overload <ddos> flush global)
pass in on $ext_if proto tcp to ($ext_if) port $mail flags S/SA keep state \(max-src-conn 50, max-src-conn-rate 8/60, overload <ddos> flush global)
pass in on $ext_if proto tcp to ($ext_if) port $stim flags S/SA keep state \(max-src-conn 50, max-src-conn-rate 8/60, overload <ddos> flush global)
pass in on $ext_if proto tcp to ($ext_if) port $torrent keep state \(max-src-conn 50, max-src-conn-rate 10/60, overload <ddos> flush global)

########## Разрешаем исходящие порты ##########
pass in quick on $ext_if inet proto {tcp,udp} from any to $lannet port $torrent
pass in quick on $ext_if inet proto tcp from any to any port $ftp # ftp

pass log inet proto icmp all icmp-type $icmp_types

Код: Выделить всё

set skip on lo0  ## полностью пропускаем проверку на петле
 ...
pass quick on lo0 all ## разрешаем петлю

Код: Выделить всё

antispoof log quick for { lo0, $int_if, $ext_if }