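# Create the PF kernel configuration from GENERIC (i386 tree) and open it
# in the editor. The steps are chained so that a failed cd or cp does not
# leave ee editing a new, empty "PF" file in whatever directory we were in.
cd /usr/src/sys/i386/conf/ && cp GENERIC PF && ee PF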
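ident pf
############################################ add the following:
options SC_DISABLE_REBOOT # disable the Ctrl-Alt-Del reboot key on the console
options SMP # multi-CPU support
device carp
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC # see sys/conf/NOTES: needed alongside SMP on this i386 tree
options ALTQ_DEBUG # ALTQ debug output; only useful while troubleshooting queueing
options ALTQ_CDNR
############################################
#options CPU_ENABLE_SSE # SSE instruction-set support
options PERFMON # performance-monitoring counter device (perfmon(4)); not a CPU optimisation
options MPTABLE_FORCE_HTT # expose Hyper-Threading logical CPUs via the MP table
###################################### delete the following:
#cpu I486_CPU
#cpu I586_CPU
#options MSDOSFS # MSDOS Filesystem
#device fdc # floppy controller
#device atapifd # ATAPI floppy drives
#device atapist # ATAPI tape drives
#device psm # PS/2 mouse
############ serial ports (COM) #######
#device sio # 8250, 16[45]50 based serial ports
#device uart # Generic UART driver
############ parallel port / printer #######
#device ppc
#device ppbus # Parallel port bus (required)
#device lpt # Printer
#device plip # TCP/IP over parallel
#device ppi # Parallel port interface device
############ ISA network cards ########
#device cs # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device ex # Intel EtherExpress Pro/10 and Pro/10+
#device ep # Etherlink III based cards
#device fe # Fujitsu MB8696x based cards
#device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device sn # SMC's 9000 series of Ethernet chips
#device xe # Xircom pccard Ethernet
############# wireless cards #########
#device wlan # 802.11 support
#device wlan_wep # 802.11 WEP support
#device wlan_ccmp # 802.11 CCMP support
#device wlan_tkip # 802.11 TKIP support
#device wlan_amrr # AMRR transmit rate control algorithm
#device wlan_scan_ap # 802.11 AP mode scanning
#device wlan_scan_sta # 802.11 STA mode scanning
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device ath # Atheros pci/cardbus NIC's
#device ath_hal # Atheros HAL (Hardware Access Layer)
#device ath_rate_sample # SampleRate tx rate control for ath
#device awi # BayStack 660 and others
#device ral # Ralink Technology RT2500 wireless NICs.
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wl # Older non 802.11 Wavelan wireless NIC.
############# USB mouse / scanner ######
#device ums # Mouse
#device ural # Ralink Technology RT2500USB wireless NICs
#device rum # Ralink Technology RT2501USB wireless NICs
#device urio # Diamond Rio 500 MP3 player
# uscanner sits in the "delete" list but was the only entry left active;
# commented out here to match the rest of the section (a firewall has no
# use for the scanner driver).
#device uscanner # Scanners
############# USB network cards #############
#device aue # ADMtek USB Ethernet
#device axe # ASIX Electronics USB Ethernet
#device cdce # Generic USB over Ethernet
#device cue # CATC USB Ethernet
#device kue # Kawasaki LSI USB Ethernet
#device rue # RealTek RTL8150 USB Ethernet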
编译内核
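# Build and install the PF kernel (run from /usr/src/sys/i386/conf/).
# The build steps are chained so that a failed "make" never reaches
# "make install"; the original sequence installed and rebooted
# unconditionally.
config PF && cd ../compile/PF && make depend && make && make install
# Boot the new kernel only once the install above has succeeded.
reboot
# After the reboot: enable pf and pflog at boot time.
ee /etc/rc.conf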
########## add the following
# /etc/rc.conf additions: start pf at boot with the ruleset named in
# pf_rules, and start pflogd writing to pflog_logfile.
pf_enable="YES"
# Non-default ruleset location (the rc default is /etc/pf.conf); keep it
# root-owned and not world-writable, since pf loads it as root at boot.
pf_rules="/root/script/pf/pf.conf"
pf_flags=""
pflog_enable="YES"
# This is also pflogd's default log file; set explicitly for clarity.
pflog_logfile="/var/log/pflog"
pflog_flags=""
# Create the directory that pf_rules in /etc/rc.conf points at, then open
# the ruleset file in the editor.
pf_dir=/root/script/pf
mkdir -p "$pf_dir"
ee "$pf_dir/pf.conf"
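############ add the following: ##########
# pf.conf loaded via pf_rules in /etc/rc.conf.
# Macros: loopback interface, external interface, published TCP ports.
lop_if = "lo0"
ext_if = "rl0"
# NOTE(review): 3306 (MySQL), 953 (rndc) and 199 (SNMP smux) are opened to
# "any" below; if they are only used locally, restrict their source.
ser_p = "{ 22, 80, 6954, 3306, 8080, 199, 953, 53 }"
# Dynamic table of sources that exceed the HTTP limits below. Declared
# before the rules that use it, matching pf.conf's documented order
# (macros, tables, options, ..., filtering).
table <http_table> persist
######### deny everything by default #############
# "log" sends blocked packets to pflog0, so the pflogd enabled in rc.conf
# actually records something.
block drop log all
pass quick on $lop_if all
######### max 3 concurrent connections and 2 new connections per second per source; offenders go into <http_table> ############
block in quick from <http_table>
# The original rule was "pass in quick on $ext_if all keep state (...)".
# With "all" it matched every inbound protocol and port, so the default
# block and the port list below never applied to inbound traffic on
# $ext_if. Limited here to the HTTP port the table is named for.
# NOTE(review): 2 new connections per second is low for HTTP (browsers
# open several per page); "flush global" drops every state of an offender.
pass in quick on $ext_if proto tcp from any to $ext_if port 80 flags S/SA keep state (max-src-conn 3, max-src-conn-rate 2/1, overload <http_table> flush global)
######### open ports ###############
pass in on $ext_if proto tcp from any to $ext_if port $ser_p flags S/SA keep state
########### CARP ############
pass on { $ext_if } proto carp keep state
########### internal network ############
# NOTE(review): these rules have no direction, so a packet arriving on
# $ext_if with a 192.168.1.0/24 source is accepted too; if $ext_if faces
# an untrusted network, add "antispoof for $ext_if".
pass on $ext_if from 192.168.1.0/24 to any
pass on $ext_if from any to 192.168.1.0/24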
常用命令:
# Common pfctl commands (run as root).
pfctl -e #enable PF
pfctl -d #disable PF
pfctl -nf /root/script/pf/pf.conf #parse the ruleset without loading it (syntax check)
pfctl -f /root/script/pf/pf.conf #reload the ruleset
pfctl -sa #show all PF state and statistics
pfctl -t http_table -T show #list the dynamic table
pfctl -t http_table -T add 192.168.1.X #add an address to the table (X is a placeholder)
pfctl -t http_table -T del 192.168.1.X #remove an address from the table