Reference: http://chinaunix.net/jh/29/16071.html
# Don't bug loopback
# No rules for the loopback network
pass out quick on lo0
pass in quick on lo0
# Don't bother the inside interface either
# No rules for the inside NIC either
pass out quick on rl1
pass in quick on rl1
# First, we deal with bogus packets.
# Looked up how bogus packets are handled; related reading: "Principles of Hacker Attacks: Scanning" (can be looked up)
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
block in log quick on rl0 proto icmp from any to any icmp-type redir
block in log quick on rl0 proto tcp/udp all with short
# Block any IP spoofing attempts. (Packets "from" non-routable
# addresses shouldn't be coming in from the outside).
# A spoofing attack forges an internal address to attack internal hosts.
# Block spoofing; since the school uses internal addresses, 10.0.0.0 should also be removed.
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 0.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any
block in quick on rl0 from 255.255.255.255/32 to any
# Kill all source-routed packets
# Not looked up
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr
# Don't allow non-routable packets to leave our network
# Also block this interface from sending packets to any reserved address; adjust to the local network situation
block out quick on rl0 from any to 192.168.0.0/16
block out quick on rl0 from any to 127.0.0.0/8
block out quick on rl0 from any to 172.16.0.0/12
block out quick on rl0 from any to 10.0.0.0/8
block out quick on rl0 from any to 0.0.0.0/8
block out quick on rl0 from any to 169.254.0.0/16
block out quick on rl0 from any to 192.0.2.0/24
block out quick on rl0 from any to 204.152.64.0/23
block out quick on rl0 from any to 224.0.0.0/3
block out quick on rl0 from any to 255.255.255.255/32
#
# Now the normal filtering rules
# Normal rules on the external NIC
#
# ICMP: allow incoming ping and traceroute only
#
pass in quick on rl0 proto icmp from any to any icmp-type echorep
pass in quick on rl0 proto icmp from any to any icmp-type echo
pass in quick on rl0 proto icmp from any to any icmp-type timex
pass in quick on rl0 proto icmp from any to any icmp-type unreach
block in log quick on rl0 proto icmp from any to any
# TCP: Allow ssh, smtp, http and https incoming. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection.
#
pass in quick on rl0 proto tcp from any to any port = ssh flags S keep frags keep state
# If you're not running sendmail, comment this out
pass in quick on rl0 proto tcp from any to any port = smtp flags S keep frags keep state
# If you're not running Apache, comment the next two rules out
pass in quick on rl0 proto tcp from any to any port = http flags S keep frags keep state
# If you're not using SSL with Apache (for https), comment this out
pass in quick on rl0 proto tcp from any to any port = https flags S keep frags keep state
# UDP: reject all UDP from the outside. The raudio proxy will
# insert temporary entries into the table when it sees PNA
# connections.
# Of course we need to allow packets coming in as replies to our
# connections so we keep state. Strictly speaking, with packets
# coming from our network we don't have to only match SYN,
# and it's rather unlikely that there will be any fragments. But
# what the hell.
#
pass out quick on rl0 proto tcp from any to any flags S keep frags keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP). Don't forget to rewrite the
# source address of the "port unreachable" message, hence -as-dest
#
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest in log quick on rl0 proto udp from any to any
block in quick all
#
# End of file
#
by hopesfish@2004-10-15
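As an added example that is not part of the original rule set: a small Python simulator that parses a subset of the ipf rules above and replays constructed packets through them, to check offline that the spoofing blocks take effect before the service `pass` rules (first match wins on `quick`). It ignores `keep state`, `keep frags`, `log` and `with` options; the `PORTS` map, the packet dicts and the 203.0.113.x / 198.51.100.x addresses are assumptions made for the example.

```python
# Added example, not from the page: replays constructed packets through a subset
# of the ipf rules above, ignoring keep state/frags, log and 'with' options.
import ipaddress

RULES = """\
pass in quick on rl1
block in quick on rl0 from 10.0.0.0/8 to any
pass in quick on rl0 proto icmp from any to any icmp-type echo
block in log quick on rl0 proto icmp from any to any
pass in quick on rl0 proto tcp from any to any port = http flags S keep frags keep state
block return-rst in log quick on rl0 proto tcp from any to any
block in quick all
"""
PORTS = {"ssh": 22, "smtp": 25, "http": 80, "https": 443}
KEYED = {"on": "iface", "from": "src", "to": "dst", "icmp-type": "icmp_type", "flags": "flags"}

def parse_rule(line):                             # one ipf rule -> dict of match criteria
    t = line.split()
    r = {"action": t[0], "quick": "quick" in t, "dir": None, "iface": None, "proto": None,
         "src": "any", "dst": "any", "port": None, "icmp_type": None, "flags": None}
    for i, w in enumerate(t):
        if w in ("in", "out"): r["dir"] = w
        elif w in KEYED: r[KEYED[w]] = t[i + 1]
        elif w == "proto": r["proto"] = t[i + 1].split("/")            # 'tcp/udp' matches either
        elif w == "port": r["port"] = PORTS.get(t[i + 2]) or int(t[i + 2])  # 'port = http' -> 80
    return r

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(r, p):                                # every criterion r specifies holds for packet p
    return (r["dir"] in (None, p["dir"]) and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"])
            and in_net(p["src"], r["src"]) and in_net(p["dst"], r["dst"])
            and all(r[k] in (None, p.get(k)) for k in ("port", "icmp_type", "flags")))

def evaluate(pkt, rules_text=RULES):              # ipf: last match wins unless a match is quick
    verdict = "pass"                              # ipf default when nothing matches
    for r in map(parse_rule, rules_text.strip().splitlines()):
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

# Constructed packets (RFC 5737 documentation addresses); expected verdict in the comment.
SPOOFED = dict(dir="in", iface="rl0", proto="tcp", src="10.1.2.3", dst="203.0.113.5", port=80, flags="S")  # block
HTTP_SYN = dict(dir="in", iface="rl0", proto="tcp", src="198.51.100.7", dst="203.0.113.5", port=80, flags="S")  # pass
HTTP_ACK = dict(dir="in", iface="rl0", proto="tcp", src="198.51.100.7", dst="203.0.113.5", port=80, flags="A")  # block
INSIDE = dict(dir="in", iface="rl1", proto="udp", src="10.0.0.9", dst="203.0.113.5", port=53)  # pass
```

Moving the 10.0.0.0/8 block below the http `pass` rule makes the spoofed SYN pass, which is the ordering mistake the comments in the rule set warn about.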