Some useful features of *BSD PF

2009-05-13 00:47:15 Source: unknown

Excerpted from the man page
BLOCKING SPOOFED TRAFFIC
     "Spoofing" is the faking of IP addresses, typically for malicious purposes.
     The antispoof directive expands to a set of filter rules which will
     block all traffic with a source IP from the network(s) directly connected
     to the specified interface(s) from entering the system through any other
     interface.
     For example, the line
           antispoof for lo0
     expands to
           block drop in on ! lo0 inet from 127.0.0.1/8 to any
           block drop in on ! lo0 inet6 from ::1 to any
     For non-loopback interfaces, there are additional rules to block incoming
     packets with a source IP address identical to the interface's IP(s).  For
     example, assuming the interface wi0 had an IP address of 10.0.0.1 and a
     netmask of 255.255.255.0, the line
           antispoof for wi0 inet
     expands to
           block drop in on ! wi0 inet from 10.0.0.0/24 to any
           block drop in inet from 10.0.0.1 to any
     Caveat: Rules created by the antispoof directive interfere with packets
     sent over loopback interfaces to local addresses.  One should pass these
     explicitly.
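
The expansion and the caveat above, modelled as an added example (not part of the man page or of pf itself). It rebuilds the expanded rules from an interface's configured addresses and checks which packets they match; the interface name em0 and the host 10.0.0.7 are assumptions, and rule order and "quick" are not modelled.

```python
import ipaddress

def fmt(net):
    # A single-host network is written without a prefix length, as in the excerpt.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def antispoof(ifname, addrs, loopback=False):
    """Return (not_iface, source_network) pairs for 'antispoof for <ifname>'.
    addrs: 'address/prefix' strings configured on the interface (assumed input)."""
    rules = []
    for a in addrs:
        iface = ipaddress.ip_interface(a)
        # Block the connected network when it enters through any other interface.
        rules.append((ifname, iface.network))
        if not loopback:
            # Non-loopback only: block the interface's own address as a source.
            rules.append((None, ipaddress.ip_network(str(iface.ip))))
    return rules

def render(rules):
    out = []
    for not_if, net in rules:
        af = "inet" if net.version == 4 else "inet6"
        on = f"on ! {not_if} " if not_if else ""
        out.append(f"block drop in {on}{af} from {fmt(net)} to any")
    return out

def blocked(rules, in_if, src):
    """True if any expanded rule matches an inbound packet (order/quick ignored)."""
    src = ipaddress.ip_address(src)
    return any(src in net and (not_if is None or in_if != not_if)
               for not_if, net in rules)

if __name__ == "__main__":
    wi0 = antispoof("wi0", ["10.0.0.1/24"])
    print("\n".join(render(wi0)))
    # Constructed packets: (inbound interface, source address)
    for pkt in [("wi0", "10.0.0.7"),   # real LAN host: not matched
                ("em0", "10.0.0.7"),   # LAN source on another interface: matched
                ("lo0", "10.0.0.1")]:  # local traffic over loopback: matched (the caveat)
        print(pkt, "blocked" if blocked(wi0, *pkt) else "not matched")
```

The last packet is why the caveat asks for an explicit pass rule for loopback traffic. The lo0 output shows the normalized network 127.0.0.0/8 where the excerpt writes 127.0.0.1/8.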
STATEFUL TRACKING OPTIONS
     All three of keep state, modulate state and synproxy state support the
     following options:
     max _number_
           Limits the number of concurrent states the rule may create.  When
           this limit is reached, further packets matching the rule that would
           create state are dropped, until existing states time out.
     no-sync
           Prevent state changes for states created by this rule from appearing
           on the pfsync(4) interface.
     _timeout_ _seconds_
           Changes the timeout values used for states created by this rule.
           When the
