[FUG-BR] Ajuda com PF, abrir portas e melhorar regras.

Bandeira gnu.groups em gmail.com
Sexta Junho 12 15:23:48 BRT 2015


olá pessoal, alguém pode me ajudar com o meu pf.conf? Eu uso no OS X, mas
não estou conseguindo abrir as portas, obrigado desde já.

set block-policy drop

set optimization aggressive

set ruleset-optimization basic

set timeout { interval 5, tcp.opening 20 }

set timeout { frag 15, tcp.established 150 }

set timeout { tcp.first 30, tcp.closing 15, tcp.closed 15, tcp.finwait 15 }

set timeout { udp.first 30, udp.single 30, udp.multiple 30 }

set timeout { other.first 30, other.single 30, other.multiple 30 }

set timeout { adaptive.start 5000, adaptive.end 10000 }

set skip on lo0

set debug none

set limit frags 5000

set state-policy if-bound

set require-order yes

set fingerprints "/usr/local/sbin/pf.os"


tcp_out = "{ ssh, smtp, domain, www, https, 67, 80, 443, 554, 1900, 4662,
548, 587, 993, 1863, 2158, 3689, ntp, ftp, ftp-data }"

udp_out = "{ domain, ntp, 68, 123, 192, 554, 5353, 1900, 4672 }"


tcp_in = "{ 80, 443, 548, 554, 3689, 1900, 4662 }"

udp_in = "{ 123, 192, 554, 1900, 5353, 4672 }"


martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"



scrub in all no-df random-id max-mss 1440 min-ttl 15


#match in all scrub (no-df max-mss 1440) #OpenBSD 4.6


if = "en0"


#icmp_types="echoreq"



block in

pass out


antispoof for $if inet


# allow icmp

#pass in inet proto icmp all icmp-type $icmp_types


#block in on $if inet proto icmp from ! en0 to any icmp-type 8 code 0


# Ativa a proteção contra falsificações para todas as interfaces

block in quick from urpf-failed


# allow out

#pass out on $if proto udp from any to any port $tcp_out

#pass out on $if proto tcp from any to any port $udp_out


# allow in

#pass in on $if proto tcp from any to any port $tcp_in

#pass in on $if proto udp from any to any port $udp_in


# allow out

#pass out quick inet proto udp from any to any port $tcp_out

#pass out quick inet proto tcp from any to any port $udp_out


# allow in

#pass in quick inet proto tcp from any to any port $tcp_in

#pass in quick inet proto udp from any to any port $udp_in


# block scans com nmap

block in quick proto tcp flags FUP/WEUAPRSF

block in quick proto tcp flags WEUAPRSF/WEUAPRSF

block in quick proto tcp flags SRAFU/WEUAPRSF

block in quick proto tcp flags /WEUAPRSF

block in quick proto tcp flags SR/SR

block in quick proto tcp flags SF/SF

block drop in quick on $if from any os { NMAP }


pass on lo0 all


Mais detalhes sobre a lista de discussão freebsd