CoreBSD Wiki: coreprojects:pf (revision 2005/10/19 05:31 by bang; current version 2025/10/25 17:09, external edit)
====== PF ======

//author: [[budi.ang | Budi Ang]]//

''PF'' (Packet Filter) is a firewall first developed by [[http://www.benzedrine.cx/dhartmei.html | Daniel Hartmeier]] for OpenBSD, replacing [[http://coombs.anu.edu.au/ipfilter/ | IPF]] after the latter ran into licensing problems ((http://slashdot.org/article.pl?sid=01/05/30/124255)). Since [[http://www.OpenBSD.org | OpenBSD]] [[http://www.OpenBSD.org/30.html | 3.0]], ''PF'' has shipped in the ''base system''; [[http://www.FreeBSD.org | FreeBSD]] and [[http://www.DragonFlyBSD.org | DragonFlyBSD]] have since imported ''PF'' into their ''base system'', on [[http://www.NetBSD.org | NetBSD]] it can be installed from [[http://nedbsd.nl/~ppostma/pf/ | pkgsrc]], and for ''Linux'' an experimental port is available at http://abstractvoid.se/pf4lin.html.

===== Activating PF =====

<code>
$ echo "pf=YES" | sudo tee -a /etc/rc.conf.local
$ sudo reboot
</code>

or

<code>
$ sudo pfctl -e
$ sudo ifconfig pflog0 up
</code>

To disable pf, use the following command:
<code>
pfctl -d
</code>

Some frequently used pfctl commands:
<code>
# pfctl -f /etc/pf.conf    Load the pf configuration file
# pfctl -nf /etc/pf.conf   Parse the file without loading it
# pfctl -Nf /etc/pf.conf   Load only the NAT rules
# pfctl -Rf /etc/pf.conf   Load only the filter rules

# pfctl -sn                Show the NAT rules
# pfctl -sr                Show the filter rules
# pfctl -ss                Show the state table
# pfctl -sa                Show everything that can be shown
</code>

===== Filtering Concepts in PF =====

<code>
from PF host -> internet = out

from internet -> PF host = in
</code>

Sorry, there is no ''forward'' feature.


==== Macros ====

''Macros'' in ''PF'' work like program variables: they define interfaces, IP addresses, ports, or ''PF'' ''reserved words''.

Using ''macros'' makes a ''PF'' ruleset less ''complex'':

<code>
server_if = "fxp0"
udp_port = "{ 53 123 }"
pass in on $server_if inet proto udp from any to any port $udp_port keep state
</code>

The ruleset above is ''expanded'' into:

<code>
pass in on fxp0 inet proto udp from any to any port 53 keep state
pass in on fxp0 inet proto udp from any to any port 123 keep state
</code>
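To make the expansion step concrete, here is an added example (Python, not code from the wiki) that performs it: a small expander that substitutes ''$macro'' references and turns each ''{ ... }'' list into one rule per element, reproducing the two flat rules above from the macro ruleset. The sample ruleset is the page's own; the function names and the error raised for an undefined macro are this example's assumptions.

```python
import re
from itertools import product

# Constructed input for this example: the wiki's macro ruleset verbatim.
SAMPLE_RULESET = """
server_if = "fxp0"
udp_port = "{ 53 123 }"
pass in on $server_if inet proto udp from any to any port $udp_port keep state
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
MACRO_REF = re.compile(r'\$(\w+)')
BRACE_LIST = re.compile(r'\{([^}]*)\}')


def substitute(line, macros):
    """Replace every $name with its value. An undefined macro is an error,
    just as pfctl refuses to load a ruleset that references one."""
    def repl(m):
        name = m.group(1)
        if name not in macros:
            raise ValueError(f"macro '{name}' is not defined")
        return macros[name]
    return MACRO_REF.sub(repl, line)


def expand_ruleset(text):
    """Return the flat rules pf actually evaluates: macros substituted, then
    each '{ a b c }' list turned into one rule per element (a cartesian
    product when a single rule carries several lists)."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            # a macro value may itself reference macros defined earlier
            macros[m.group(1)] = substitute(m.group(2), macros)
            continue
        line = substitute(line, macros)
        # elements inside braces may be separated by spaces or commas
        lists = [lst.replace(',', ' ').split() for lst in BRACE_LIST.findall(line)]
        template = BRACE_LIST.sub('{}', line)
        for combo in product(*lists):
            rules.append(' '.join(template.format(*combo).split()))
    return rules


if __name__ == '__main__':
    for rule in expand_ruleset(SAMPLE_RULESET):
        print(rule)
```

Running it prints exactly the two expanded rules shown above; feeding it a rule with two lists (for example an interface list and a protocol list) yields their cartesian product, which is also what pf does.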

==== Tables ====

''Tables'' are used to store IP addresses and networks. Another use is to ''block'' [[http://www.cymru.com/Documents/bogon-list.html | bogon networks]] or IIX networks, as in the example below

<code>
table <iix> { 114.120.0.0/13, 125.166.0.0/15, 125.162.0.0/16, 125.163.0.0/16, 125.160.0.0/16, 125.161.0.0/16, 125.164.0.0/16, 125.165.0.0/16, 222.124.0.0/16, 61.94.0.0/16, 167.205.0.0/16, 202.158.0.0/17, 61.5.0.0/17, 124.195.0.0/17, 121.52.0.0/17, 119.11.128.0/17, 114.57.0.0/18, 117.102.64.0/18, 210.210.128.0/18, 207.209.192.0/18, 61.14.0.0/18, 206.182.192.0/18, 125.208.128.0/18, 203.130.192.0/18, 124.153.0.0/18, 152.118.128.0/18, 221.132.192.0/18, 152.118.192.0/18, 152.118.0.0/18, 152.118.64.0/18, 222.165.192.0/18, 202.152.0.0/18, 209.93.224.0/19, 202.173.64.0/19, 114.199.96.0/19, 202.171.0.0/19, 202.47.192.0/19, 202.169.32.0/19, 202.182.160.0/19, 117.102.224.0/19, 202.51.192.0/19, 202.149.128.0/19, 202.147.224.0/19, 202.146.224.0/19, 114.58.32.0/19, 114.58.0.0/19, 202.159.64.0/19, 202.95.128.0/19, 202.152.224.0/19, 61.247.0.0/19, 61.247.32.0/19, 114.57.64.0/19, 117.104.192.0/19, 118.98.160.0/19, 118.98.192.0/19, 118.136.0.0/19, 118.136.32.0/19, 118.136.64.0/19, 118.136.96.0/19, 118.136.128.0/19, 118.136.160.0/19, 118.136.192.0/19, 118.136.224.0/19, 118.137.0.0/19, 118.137.32.0/19, 118.137.64.0/19, 118.137.96.0/19, 118.137.128.0/19, 118.137.160.0/19, 118.137.192.0/19, 118.137.224.0/19, 124.81.0.0/19, 124.81.32.0/19, 124.81.64.0/19, 124.81.96.0/19, 124.81.128.0/19, 124.81.192.0/19, 124.81.224.0/19, 202.10.32.0/19, 202.53.224.0/19, 202.57.0.0/19, 202.73.96.0/19, 202.77.96.0/19, 202.81.32.0/19, 202.137.0.0/19, 202.138.224.0/19, 202.148.0.0/19, 202.150.64.0/19, 202.153.128.0/19, 202.154.0.0/19, 202.154.32.0/19, 202.155.0.0/19, 202.155.32.0/19, 202.155.128.0/19, 202.159.0.0/19, 202.159.32.0/19, 202.162.192.0/19, 203.128.64.0/19, 219.83.0.0/19, 219.83.32.0/19, 219.83.64.0/19, 60.253.112.0/20, 61.8.64.0/20, 114.57.96.0/20, 114.57.160.0/20, 114.141.48.0/20, 114.199.80.0/20, 116.68.160.0/20, 117.20.48.0/20, 117.103.0.0/20, 118.98.240.0/20, 119.2.64.0/20, 119.110.64.0/20, 119.235.208.0/20, 119.252.160.0/20, 121.50.128.0/20, 122.129.96.0/20, 122.129.192.0/20, 
122.200.0.0/20, 124.81.176.0/20, 202.3.208.0/20, 202.6.208.0/20, 202.6.224.0/20, 202.46.64.0/20, 202.46.144.0/20, 202.47.64.0/20, 202.51.224.0/20, 202.58.64.0/20, 202.58.160.0/20, 202.59.160.0/20, 202.59.192.0/20, 202.65.112.0/20, 202.67.32.0/20, 202.69.96.0/20, 202.70.48.0/20, 202.72.208.0/20, 202.73.224.0/20, 202.77.64.0/20, 202.80.112.0/20, 202.80.208.0/20, 202.87.176.0/20, 202.93.16.0/20, 202.93.32.0/20, 202.93.128.0/20, 202.93.224.0/20, 202.123.224.0/20, 202.127.96.0/20, 202.133.80.0/20, 202.143.32.0/20, 202.145.0.0/20, 202.146.48.0/20, 202.147.192.0/20, 202.152.160.0/20, 202.152.192.0/20, 202.153.16.0/20, 202.153.240.0/20, 202.155.64.0/20, 202.155.112.0/20, 202.159.112.0/20, 202.165.32.0/20, 202.182.48.0/20, 203.78.112.0/20, 203.83.32.0/20, 203.89.16.0/20, 203.123.224.0/20, 203.153.96.0/20, 203.161.16.0/20, 203.166.192.0/20, 203.201.160.0/20, 207.83.112.0/20, 210.57.208.0/20, 210.79.208.0/20, 219.83.96.0/20, 220.157.96.0/20, 60.253.96.0/21, 61.45.224.0/21, 114.57.232.0/21, 114.134.72.0/21, 114.141.88.0/21, 116.0.0.0/21, 116.12.40.0/21, 116.50.24.0/21, 116.68.224.0/21, 116.90.208.0/21, 116.197.128.0/21, 116.254.96.0/21, 117.18.16.0/21, 117.74.120.0/21, 117.103.32.0/21, 117.103.48.0/21, 117.103.168.0/21, 119.2.40.0/21, 119.10.176.0/21, 119.82.232.0/21, 119.82.240.0/21, 119.110.80.0/21, 119.160.200.0/21, 119.235.248.0/21, 120.29.152.0/21, 121.52.136.0/21, 121.58.184.0/21, 121.100.16.0/21, 121.101.128.0/21, 121.101.184.0/21, 122.49.224.0/21, 122.128.16.0/21, 122.129.112.0/21, 122.144.0.0/21, 122.200.48.0/21, 122.200.144.0/21, 123.108.8.0/21, 124.66.160.0/21, 124.81.168.0/21, 124.158.128.0/21, 202.43.160.0/21, 202.43.176.0/21, 202.43.248.0/21, 202.46.24.0/21, 202.46.80.0/21, 202.51.16.0/21, 202.58.176.0/21, 202.62.16.0/21, 202.67.8.0/21, 202.72.192.0/21, 202.74.72.0/21, 202.87.248.0/21, 202.89.208.0/21, 202.91.8.0/21, 202.91.24.0/21, 202.93.240.0/21, 202.122.8.0/21, 202.129.184.0/21, 202.133.0.0/21, 202.134.0.0/21, 202.149.64.0/21, 202.149.80.0/21, 
202.150.128.0/21, 202.153.224.0/21, 202.155.80.0/21, 202.155.104.0/21, 202.158.136.0/21, 202.159.96.0/21, 202.162.32.0/21, 202.164.216.0/21, 202.169.224.0/21, 202.169.240.0/21, 202.179.184.0/21, 202.180.0.0/21, 202.180.48.0/21, 203.77.224.0/21, 203.80.8.0/21, 203.84.136.0/21, 203.84.152.0/21, 203.123.240.0/21, 203.134.232.0/21, 203.135.176.0/21, 203.142.80.0/21, 203.153.24.0/21, 203.153.112.0/21, 203.174.8.0/21, 203.176.176.0/21, 203.190.48.0/21, 203.190.112.0/21, 203.190.184.0/21, 203.190.240.0/21, 203.191.40.0/21, 219.83.112.0/21, 220.247.168.0/21, 222.229.80.0/21, 58.65.244.0/22, 58.145.168.0/22, 60.253.104.0/22, 61.45.232.0/22, 114.30.80.0/22, 114.31.240.0/22, 116.66.200.0/22, 116.68.248.0/22, 116.90.176.0/22, 116.199.204.0/22, 117.102.160.0/22, 117.103.56.0/22, 118.98.228.0/22, 118.98.236.0/22, 119.2.48.0/22, 119.18.156.0/22, 119.82.224.0/22, 119.235.16.0/22, 119.252.132.0/22, 120.136.16.0/22, 122.102.48.0/22, 124.6.32.0/22, 124.81.164.0/22, 146.23.252.0/22, 202.2.92.0/22, 202.43.184.0/22, 202.46.0.0/22, 202.46.88.0/22, 202.51.28.0/22, 202.51.252.0/22, 202.55.164.0/22, 202.55.168.0/22, 202.62.8.0/22, 202.62.24.0/22, 202.72.200.0/22, 202.75.16.0/22, 202.75.24.0/22, 202.78.196.0/22, 202.81.4.0/22, 202.87.240.0/22, 202.93.112.0/22, 202.146.0.0/22, 202.146.128.0/22, 202.146.176.0/22, 202.149.72.0/22, 202.149.88.0/22, 202.153.236.0/22, 202.155.92.0/22, 202.155.96.0/22, 202.158.132.0/22, 202.159.108.0/22, 202.162.40.0/22, 202.173.16.0/22, 202.180.16.0/22, 203.77.208.0/22, 203.77.236.0/22, 203.77.248.0/22, 203.81.184.0/22, 203.99.96.0/22, 203.123.60.0/22, 203.123.248.0/22, 203.128.248.0/22, 203.142.68.0/22, 203.142.76.0/22, 203.160.56.0/22, 203.190.40.0/22, 219.83.120.0/22, 32.234.170.0/23, 32.234.172.0/23, 58.65.240.0/23, 60.253.108.0/23, 61.45.236.0/23, 116.66.204.0/23, 116.90.166.0/23, 116.199.202.0/23, 116.212.100.0/23, 117.102.166.0/23, 117.103.60.0/23, 118.82.0.0/23, 118.82.12.0/23, 119.235.20.0/23, 119.252.128.0/23, 121.52.134.0/23, 123.176.120.0/23, 
124.158.136.0/23, 194.146.106.0/23, 202.20.106.0/23, 202.43.168.0/23, 202.43.188.0/23, 202.46.4.0/23, 202.46.14.0/23, 202.46.92.0/23, 202.46.130.0/23, 202.46.240.0/23, 202.46.252.0/23, 202.51.56.0/23, 202.51.98.0/23, 202.51.106.0/23, 202.55.160.0/23, 202.55.172.0/23, 202.58.196.0/23, 202.62.28.0/23, 202.65.236.0/23, 202.75.20.0/23, 202.78.192.0/23, 202.78.200.0/23, 202.78.204.0/23, 202.89.216.0/23, 202.89.222.0/23, 202.90.194.0/23, 202.90.198.0/23, 202.93.116.0/23, 202.129.216.0/23, 202.135.6.0/23, 202.135.134.0/23, 202.146.4.0/23, 202.146.132.0/23, 202.149.78.0/23, 202.149.92.0/23, 202.150.136.0/23, 202.153.232.0/23, 202.154.176.0/23, 202.154.184.0/23, 202.155.100.0/23, 202.158.130.0/23, 202.159.106.0/23, 202.162.46.0/23, 202.169.232.0/23, 202.169.236.0/23, 202.173.20.0/23, 202.180.8.0/23, 202.191.2.0/23, 203.31.164.0/23, 203.34.118.0/23, 203.77.214.0/23, 203.77.220.0/23, 203.77.232.0/23, 203.77.246.0/23, 203.81.190.0/23, 203.99.102.0/23, 203.123.252.0/23, 203.142.64.0/23, 203.153.120.0/23, 203.160.60.0/23, 203.189.88.0/23, 203.190.36.0/23, 203.190.46.0/23, 203.194.70.0/23, 203.223.90.0/23, 204.61.216.0/23, 206.73.208.0/23, 206.73.234.0/23, 206.73.238.0/23, 219.83.124.0/23, 32.234.169.0/24, 32.234.175.0/24, 58.65.243.0/24, 58.145.173.0/24, 58.145.175.0/24, 58.147.189.0/24, 60.253.110.0/24, 61.45.238.0/24, 114.4.0.0/24, 114.4.5.0/24, 114.4.6.0/24, 114.30.84.0/24, 116.58.197.0/24, 116.66.207.0/24, 116.68.252.0/24, 116.68.255.0/24, 116.90.163.0/24, 116.90.164.0/24, 116.212.96.0/24, 117.102.164.0/24, 118.82.14.0/24, 118.82.18.0/24, 118.82.31.0/24, 119.2.55.0/24, 119.47.88.0/24, 119.82.231.0/24, 119.252.130.0/24, 120.136.23.0/24, 121.52.129.0/24, 121.52.130.0/24, 122.102.52.0/24, 122.201.39.0/24, 123.176.122.0/24, 123.176.127.0/24, 124.81.160.0/24, 124.81.162.0/24, 124.158.138.0/24, 144.5.46.0/24, 152.158.247.0/24, 192.5.5.0/24, 192.23.186.0/24, 192.36.148.0/24, 192.92.81.0/24, 194.0.1.0/24, 194.0.2.0/24, 194.146.108.0/24, 202.14.255.0/24, 202.20.109.0/24, 
202.22.31.0/24, 202.43.170.0/24, 202.43.173.0/24, 202.43.175.0/24, 202.43.190.0/24, 202.46.9.0/24, 202.46.11.0/24, 202.46.94.0/24, 202.46.129.0/24, 202.51.96.0/24, 202.51.100.0/24, 202.51.104.0/24, 202.51.109.0/24, 202.51.110.0/24, 202.51.122.0/24, 202.58.203.0/24, 202.58.204.0/24, 202.62.31.0/24, 202.65.227.0/24, 202.65.228.0/24, 202.65.238.0/24, 202.75.22.0/24, 202.75.29.0/24, 202.75.30.0/24, 202.78.195.0/24, 202.78.203.0/24, 202.78.207.0/24, 202.87.245.0/24, 202.87.247.0/24, 202.92.192.0/24, 202.92.207.0/24, 202.122.162.0/24, 202.122.165.0/24, 202.122.166.0/24, 202.135.5.0/24, 202.135.16.0/24, 202.135.23.0/24, 202.135.28.0/24, 202.135.42.0/24, 202.135.54.0/24, 202.135.129.0/24, 202.135.133.0/24, 202.135.145.0/24, 202.135.155.0/24, 202.135.161.0/24, 202.135.248.0/24, 202.146.32.0/24, 202.146.34.0/24, 202.146.47.0/24, 202.146.135.0/24, 202.146.180.0/24, 202.149.77.0/24, 202.151.9.0/24, 202.154.183.0/24, 202.154.187.0/24, 202.154.190.0/24, 202.155.88.0/24, 202.155.91.0/24, 202.155.102.0/24, 202.158.129.0/24, 202.160.254.0/24, 202.162.44.0/24, 202.167.97.0/24, 202.169.234.0/24, 202.180.10.0/24, 202.180.20.0/24, 203.14.176.0/24, 203.77.212.0/24, 203.77.216.0/24, 203.77.223.0/24, 203.77.252.0/24, 203.77.255.0/24, 203.99.100.0/24, 203.99.119.0/24, 203.99.120.0/24, 203.99.127.0/24, 203.119.13.0/24, 203.119.17.0/24, 203.123.254.0/24, 203.142.66.0/24, 203.153.122.0/24, 203.160.62.0/24, 203.163.66.0/24, 203.163.76.0/24, 203.163.81.0/24, 203.163.88.0/24, 203.163.95.0/24, 203.163.113.0/24, 203.173.89.0/24, 203.173.90.0/24, 203.174.5.0/24, 203.194.90.0/24, 203.196.90.0/24, 205.248.57.0/24, 205.248.151.0/24, 205.248.158.0/24, 206.73.79.0/24, 206.73.80.0/24, 206.73.194.0/24, 206.73.203.0/24, 206.73.205.0/24, 206.73.222.0/24, 206.73.227.0/24, 206.73.228.0/24, 206.73.240.0/24, 206.73.244.0/24, 206.73.248.0/24, 206.182.36.0/24, 207.117.234.0/24, 218.100.32.0/24 }
</code>
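A table is only as good as its contents, so here is an added example (Python, not part of the wiki) that parses a ''table <name> { ... }'' definition, answers the question pf answers at match time (does any entry cover this address?) and merges adjacent entries: the seven 125.16x.0.0 prefixes in the table above collapse into a single 125.160.0.0/13. The nine-entry sample is copied from the ''<iix>'' table; the function names and the strict host-bits check are this example's own.

```python
import ipaddress
import re

# Constructed sample for this example: nine entries copied from the wiki's
# <iix> table. The seven 125.16x.0.0 prefixes are adjacent and can be merged.
SAMPLE_TABLE = """table <iix> { 114.120.0.0/13, 125.166.0.0/15, 125.162.0.0/16,
    125.163.0.0/16, 125.160.0.0/16, 125.161.0.0/16, 125.164.0.0/16,
    125.165.0.0/16, 61.94.0.0/16 }"""

# table <name> [persist|const ...] { entries }
TABLE_DEF = re.compile(r'^\s*table\s+<(\w+)>\s*((?:\w+\s+)*)\{([^}]*)\}')


def parse_table(text):
    """Parse a pf.conf table definition into (name, [networks]).
    Entries are parsed strictly: an entry with host bits set
    (e.g. 125.162.1.0/16) raises ValueError. In a hand-maintained
    table that is almost always a typo worth catching before loading."""
    m = TABLE_DEF.match(text)
    if not m:
        raise ValueError("not a table definition")
    name, body = m.group(1), m.group(3)
    entries = [ipaddress.ip_network(tok, strict=True)
               for tok in body.replace(',', ' ').split()]
    return name, entries


def table_contains(entries, addr):
    """Model of pf's table lookup: the address matches if any entry covers it.
    (Negated '!' entries are not modelled here.)"""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in entries)


def collapse_table(entries):
    """Merge adjacent and overlapping entries into the minimal equivalent list."""
    return list(ipaddress.collapse_addresses(entries))


if __name__ == '__main__':
    name, entries = parse_table(SAMPLE_TABLE)
    merged = collapse_table(entries)
    print(f"<{name}>: {len(entries)} entries -> {len(merged)} after collapse")
    for net in merged:
        print(" ", net)
    print("125.163.7.7 in table:", table_contains(entries, '125.163.7.7'))
```

The collapse step is worth running over a large table like the one above before loading it: the merged list is equivalent for matching purposes but shorter to read and review, and a diff between the original and the collapsed version points straight at redundant or misaligned entries.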

**will be continued**

==== Packet Filtering ====

Filtering ''block''s or ''pass''es packets according to what has been defined. The ''ruleset'' in /etc/pf.conf (the default) is read from top to bottom.

''block'' the ''PF'' host from a single host

<code>
block in from ip.add.re.ss
</code>

''block'' one or more subnets

<code>
block in from sub.net.ho.st/mask
</code>

''block'' one host and ''pass'' another

<code>
block in from bad.ip
pass in from good.ip
</code>

''Default deny'' is the recommended policy when setting up any firewall, and it applies to ''PF'' as well.

<code>
block in all
block out all
</code>

Add the ''log'' keyword so you can see which packets ''PF'' has blocked, using ''tcpdump(8)''

<code>
block in  log all
block out log all
</code>

This can be simplified to

<code>
block log all
</code>

Note: if the host has >= 4 NICs, all in/out traffic is blocked by default.

==== Case Study ====

<code>
<server> ----- [switch] ----- {router}
</code>

The server provides SMTP relay and POP3 services.

Policy:
  * default deny
  * incoming to ports 25 and 110
  * outgoing unrestricted

<code>
# macros
server_if = "fxp0"
lo_if = "lo0"
tcp_port = "{ 25 110 }"
ks = "keep state"
# admin access (placeholders: set the admin host address and port, e.g. 22 for SSH)
admin = "adm.in.ip.addr"
adm_port = "22"

# default deny
block log all

# loopback
pass quick on $lo_if all

# incoming
pass in on $server_if inet proto tcp from any    to $server_if port $tcp_port $ks
pass in on $server_if inet proto tcp from $admin to $server_if port $adm_port $ks

# outgoing
pass out on $server_if all $ks
</code>
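Two pf semantics decide what this ruleset does to a packet, and neither is written in the rules themselves: evaluation runs top to bottom and the last matching rule wins, except that a matching rule with ''quick'' ends evaluation immediately. That is why ''block log all'' can sit first and still let the later ''pass'' rules through, and why the block/pass pair in the previous section works. The following added example (Python, not from the wiki) models this for the case-study ruleset in its expanded form and checks it against a few constructed packets; the interface address 192.0.2.5, the admin host 192.0.2.10 and port 22 for the ''$admin'' rule are assumptions of this example.

```python
import ipaddress

# Constructed for this example: the case-study ruleset as pf sees it after
# macro expansion, with the admin rule filled in using a made-up admin host
# (192.0.2.10, an RFC 5737 documentation address) and port 22.
RULESET = """
block log all
pass quick on lo0 all
pass in on fxp0 inet proto tcp from any to fxp0 port 25 keep state
pass in on fxp0 inet proto tcp from any to fxp0 port 110 keep state
pass in on fxp0 inet proto tcp from 192.0.2.10 to fxp0 port 22 keep state
pass out on fxp0 all keep state
"""

# Assumed interface addresses. In pf an interface name in an address position
# ('to fxp0', i.e. 'to $server_if') stands for that interface's address.
IFACE_ADDRS = {'fxp0': '192.0.2.5', 'lo0': '127.0.0.1'}


def parse_rule(text):
    """Parse the subset of pf.conf filter syntax used on this page.
    Only destination ports are modelled ('from X port N' is not)."""
    tok = text.split()
    rule = {'action': tok[0], 'quick': False, 'dir': None, 'iface': None,
            'proto': None, 'src': 'any', 'dst': 'any', 'port': None}
    i = 1
    while i < len(tok):
        t = tok[i]
        if t in ('log', 'inet', 'all'):
            pass                                   # no effect on matching here
        elif t == 'quick':
            rule['quick'] = True
        elif t in ('in', 'out'):
            rule['dir'] = t
        elif t in ('on', 'proto', 'from', 'to', 'port'):
            i += 1
            key = {'on': 'iface', 'proto': 'proto', 'from': 'src',
                   'to': 'dst', 'port': 'port'}[t]
            rule[key] = int(tok[i]) if t == 'port' else tok[i]
        elif t == 'keep' and i + 1 < len(tok) and tok[i + 1] == 'state':
            i += 1                                 # state creation does not affect which rule matches
        else:
            raise ValueError(f'unsupported token {t!r} in: {text}')
        i += 1
    return rule


def addr_matches(spec, addr):
    if spec == 'any':
        return True
    spec = IFACE_ADDRS.get(spec, spec)             # interface name -> its address
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, pkt):
    """pf semantics: walk the ruleset top to bottom; the LAST matching rule
    decides, unless a matching rule says 'quick', which ends evaluation at
    once. With no matching rule at all, pf's implicit default is pass.
    Returns (decision, index of the deciding rule or None)."""
    decision, winner = 'pass', None
    for idx, r in enumerate(rules):
        if r['dir'] and r['dir'] != pkt['dir']:
            continue
        if r['iface'] and r['iface'] != pkt['iface']:
            continue
        if r['proto'] and r['proto'] != pkt['proto']:
            continue
        if not (addr_matches(r['src'], pkt['src']) and addr_matches(r['dst'], pkt['dst'])):
            continue
        if r['port'] is not None and r['port'] != pkt['port']:
            continue
        decision, winner = r['action'], idx
        if r['quick']:
            break
    return decision, winner


RULES = [parse_rule(line) for line in RULESET.strip().splitlines()]


def packet(direction, iface, proto, src, dst, port):
    return {'dir': direction, 'iface': iface, 'proto': proto,
            'src': src, 'dst': dst, 'port': port}


def decide(pkt):
    return evaluate(RULES, pkt)


if __name__ == '__main__':
    for p in (packet('in', 'fxp0', 'tcp', '198.51.100.7', '192.0.2.5', 25),
              packet('in', 'fxp0', 'tcp', '198.51.100.7', '192.0.2.5', 22),
              packet('in', 'fxp0', 'tcp', '192.0.2.10', '192.0.2.5', 22),
              packet('out', 'fxp0', 'tcp', '192.0.2.5', '203.0.113.9', 443),
              packet('in', 'lo0', 'tcp', '127.0.0.1', '127.0.0.1', 8080)):
        print(p['dir'], p['iface'], p['src'], '->', p['dst'], p['port'], decide(p))
```

The deciding-rule index returned next to the verdict is the useful part when debugging a ruleset: an unexpected ''block'' with index 0 means nothing after the default-deny line matched, while an unexpected ''pass'' tells you which later rule overrode it.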


===== References =====

  * http://openbsd.cbn.net.id/faq/
  * http://www.benzedrine.cx/pf.html
  * http://openbsd.cbn.net.id/faq/pf/
  * http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+3.7
  * http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8&manpath=OpenBSD+3.7
  * https://solarflux.org/pf/
  * http://www.thedeepsky.com/howto/newbie_pf_guide.php