# options
# Set how rejected connection packets are handled
set block-policy return
# set optimization aggressive
# Log traffic on $ext_if
set loginterface $ext_if

# scrub
# Normalize incoming packets
scrub in all

# nat
# NAT address translation
nat on $ext_if from $int_if:network to any -> $ext_if

# ftp-proxy
# Redirect FTP to ftp-proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any to 140.111.152.13 port 21 -> 192.168.13.253 port 21
# Transparent proxy server
rdr on rl0 proto tcp from 192.168.13.0/24 to any port 80 -> 127.0.0.1 port 3128
# Block spoofed packets entering or leaving on $ext_if
antispoof log quick for $ext_if

# Block all packets in and out by default
block all

# Allow loopback
pass quick on lo0 all

# Deny private IP ranges from connecting through $ext_if
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Open ports 80 and 443 to the outside
pass in on $ext_if inet proto tcp from any to $ext_if port $open_services flags S/SA keep state
# Only allow the 140.111.152.0/24 subnet to connect to port 22 on this host
pass in on $ext_if inet proto tcp from 140.111.152.0/24 to $ext_if port 22 flags S/SA keep state
# Allow the internal network to connect outwards
#pass in on $int_if proto tcp from any to any queue std_in
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Allow outbound connections on the external interface
#pass out on $ext_if proto tcp from any to any queue std_out
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Filtering port-scan and probe tools:
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags SFUP/SFRAU
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
block in quick proto tcp all flags P
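As an added example that is not part of this ruleset, the Python script below reproduces pf's `flags <a>/<b>` matching (out of the flags in set b, exactly the flags in set a must be set) and reports which of the scan-detection rules above a given TCP flag combination would hit first. The rule list is copied from the page; the unmasked `flags P` rule is evaluated with the default mask FSRPAU documented in pf.conf(5), which this example assumes.

```python
# Added example: evaluate pf "flags <a>/<b>" matching against the
# scan-detection rules listed above (block in quick ... flags ...).
# Semantics (pf.conf(5)): a packet matches when, looking only at the
# flags named in set <b>, exactly the flags named in set <a> are set.

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

# Rules copied from the page, in order; "block in quick" stops at the first hit.
SCAN_RULES = ["SF/SFRA", "SFUP/SFRAU", "FPU/SFRAUP", "/SFRA", "F/SFRA", "U/SFRAU", "P"]


def flags_to_bits(flags):
    """Turn a flag string such as 'SF' into a bitmask; '' means no flags."""
    bits = 0
    for ch in flags:
        bits |= FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec):
    """'SF/SFRA' -> (set_bits, mask_bits). A spec without '/' uses the
    default mask FSRPAU (assumption taken from pf.conf(5))."""
    if "/" in spec:
        a, b = spec.split("/", 1)
    else:
        a, b = spec, "FSRPAU"
    return flags_to_bits(a), flags_to_bits(b)


def flags_match(packet_flags, spec):
    """True if a packet carrying packet_flags matches the given flags spec."""
    set_bits, mask = parse_flags_spec(spec)
    return (flags_to_bits(packet_flags) & mask) == set_bits


def first_blocking_rule(packet_flags):
    """Return the first scan-detection spec that blocks the packet, else None."""
    for spec in SCAN_RULES:
        if flags_match(packet_flags, spec):
            return spec
    return None


if __name__ == "__main__":
    # Constructed sample flag sets: SYN/FIN, null, Xmas, plain SYN, PSH/ACK.
    for sample in ["SF", "", "FPU", "S", "PA", "P", "U"]:
        print(f"flags {sample or '(none)':>6} -> {first_blocking_rule(sample)}")
```

Running it shows that a PSH-only or URG-only packet is already caught by the `/SFRA` rule, so the later `U/SFRAU` and `P` rules never fire for those packets, while ordinary SYN and PSH/ACK segments pass through.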
If the firewall and the proxy server are not on the same host (proxy server: 192.168.13.250):
no rdr on rl0 proto tcp from 192.168.13.250 to any port 80
rdr on rl0 proto tcp from 192.168.13.0/24 to any port 80 -> 192.168.13.250 port 3128