このセクションの例では、PF 規則と規則セットを示します。
構成ファイルは、次のような標準的な UNIX 構文規則に従っています。
シャープ記号 (#) は、コメントを示します。
規則とコメントは、同一の行に共存できます。
読みやすくするために、不要な空白を使用できます。
複数行に渡って規則を記述できます。行の最後のバックスラッシュ (\) は、ルールが次の行に続いていることを示します。
構文情報の詳細は、パケットフィルタ規則の構文およびpf.conf(5)のマニュアルページを参照してください。
使用例 4 IP フィルタ 構成ファイルに基づいた PF 構成ファイル次に、IP フィルタ 構成ファイルを示します。
## IP Filter configuration file # Anything in that we initiate is okay pass out quick all keep state keep frags # Drop all NETBIOS traffic but don't log it. block in quick from any to any port = 137 #netbios-ns block in quick from any to any port = 138 #netbios-dgm block in quick from any to any port = 139 #netbios-ssn # Allow incoming IKE/IPsec pass in quick proto udp from any to any port = ike pass in quick proto udp from any to any port = 4500 pass in quick proto esp from any to any # Allow ping and ICMP destination unreachable / fragmentation needed pass in quick proto icmp from any to any icmp-type echo pass in quick proto icmp from any to any icmp-type 3 # Allow routing info # pass in quick proto udp from any to port = route # pass in quick proto icmp from any to any icmp-type 9 # routeradvert # pass in quick proto igmp from any to any # Allow incoming SSH pass in quick proto tcp from any to any port = ssh # Allow DHCP - required pass in quick proto udp from any to port = bootpc # Block and log everything else that comes in block in log all block in from any to 255.255.255.255 block in from any to 127.0.0.1/32
PF 構成ファイルは次のとおりです。
## PF configuration file with identical policy ## to preceding IP Filter configuration file anchor "_auto/*" ## anchor "_static/*" set skip on lo0 ## reassemble no allows an attacker to fragment ## packets in a smart way and bypass the firewall. ## yes no-df allows reassembly and clears the ## dont-fragment bit. set reassemble yes no-df block log ## Allow incoming SSH pass in proto tcp to any port 22 ## equals: pass in proto tcp from any to any port = 22 flags S/SA ## Allow DHCP pass in inet proto udp from port 67 to port 68 pass in inet6 proto udp from port 547 to port 546 ## Allow NAT traversal, hence _auto above pass in inet proto udp from any to any port 500 pass in inet6 proto udp from any to any port 4500 ## Allow incoming IKE/IPsec pass in inet proto esp from any to any pass in inet6 proto esp from any to any ## Too-big packets must be allowed by firewall. ## However, the later 'pass out' rule allows all ## inbound responses, including to 'icmp6-type 2' ## messages. So, remove IPF 'pass in' rule in PF. ## pass in inet6 proto ipv6-icmp icmp6-type 2 ## Allow routing info pass in inet6 proto ipv6-icmp icmp6-type 134 pass in inet6 proto ipv6-icmp icmp6-type 135 pass in inet6 proto ipv6-icmp icmp6-type 136 # Anything in that we initiate is okay pass out