A question about pf on FreeBSD.

유사용
   Views 5606   Recommended 6


I have just installed FR 6.1 and configured pf + if_bridge.

Here is the bridge0 section of /etc/rc.conf.
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"

ifconfig_em0="up"                 #  Turn the bridge NICs up
ifconfig_em1="up"                 #  Thanks to Bruce A. Mah <****@*******.org>

Here is the pf- and bridge-related part of the ifconfig output.

pfsync0: flags=0<> mtu 2020
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8143<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
        ether ac:de:48:15:aa:4c
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: em1 flags=3<LEARNING,DISCOVER>
        member: em0 flags=3<LEARNING,DISCOVER>

bridge0 came up fine.

I am setting up /etc/pf.conf, but it does not work properly..

ext_if="bridge0"    # replace with actual external interface name i.e., bridge0
mgt_if="em2"        # replace with actual internal interface name i.e., em2

serverport="{ssh, http,  smtp, pop3, ftp, domain, 3389, 6881:6999,  60000:65534}"

set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Loopback interface
pass  in  quick on lo0 all

# Filtering: the implicit first two rules are
block in all
pass out all

pass  in  quick on $mgt_if all
pass  out quick on $mgt_if all

# Block everything and log it
block log on $mgt_if all
block log on $ext_if all

pass  in  on $ext_if proto { tcp, udp } from any to $ext_if port $serverport keep state
pass  out on $ext_if proto { tcp, udp } all keep state

I configured it as above, but it does not work.
block in all
pass out all
does not work.

pass in all
pass out all
works fine.

But as I understand it, pf is supposed to block everything first and then open what is needed one by one.
For serverport, I plan to add more ports if needed..

ext_if="bridge0" is two em (Intel LAN) cards bundled into a bridge.
mgt_if="em2" is the LAN card for management.
bridge0 is non-IP.
em2 has an IP assigned.

Please help.. sob.. sob..
The shorter the post, the more careful.
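An added example, not from the post or from the FreeBSD project, of the same rule set rewritten for a transparent bridge. Two things in the posted file keep the pass rule from ever matching: forwarded packets are addressed to the hosts behind the bridge, never to bridge0 (which has no address), so `to $ext_if` matches nothing; and if net.link.bridge.pfil_member is 1, every packet is also evaluated inbound on em0/em1, where only `block in all` applies. The server addresses below are a constructed assumption.

```pf
# Filter once, on bridge0 only. Check the current values with
# "sysctl net.link.bridge"; with pfil_member=1 each packet is also
# evaluated inbound on em0/em1, where only "block in all" matches.
# Put these in /etc/sysctl.conf:
#   net.link.bridge.pfil_member=0
#   net.link.bridge.pfil_bridge=1

ext_if="bridge0"    # two em cards bridged, no IP address
mgt_if="em2"        # management interface, has an IP

# Constructed example addresses of the hosts behind the bridge (assumption).
servers="{ 192.0.2.10, 192.0.2.11 }"
serverport="{ ssh, http, smtp, pop3, ftp, domain, 3389, 6881:6999, 60000:65534 }"

set block-policy drop
set skip on lo0

scrub in all

# Default deny, logged to pflog0.
block log all

# Management interface is fully open.
pass quick on $mgt_if all

# Forwarded traffic is addressed to the servers, never to bridge0, so match
# on the protected hosts (or "to any") instead of "to $ext_if". The state
# created here is floating, so the same packet passes "out on bridge0" too.
pass in on $ext_if proto { tcp, udp } from any to $servers port $serverport keep state

# Connections the servers themselves open (DNS, updates, ...).
pass in on $ext_if proto { tcp, udp } from $servers to any keep state
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it; a `to $ext_if` rule on an address-less interface is rejected at this step.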

