CoreBSD Wiki

PF

author: Budi Ang

PF (Packet Filter) is a firewall first developed by Daniel Hartmeier for OpenBSD, replacing IPF, which had run into licensing problems 1). Since OpenBSD 3.0 PF has been part of the base system; FreeBSD and DragonFlyBSD have since imported PF into their base systems, on NetBSD it can be installed through pkgsrc, and for Linux an experimental port is available at http://abstractvoid.se/pf4lin.html

Activating PF

$ echo "pf=YES" | sudo tee -a /etc/rc.conf.local
$ sudo reboot

(sudo echo "pf=YES" > /etc/rc.conf.local does not work: the redirection is performed by the unprivileged shell, and > would overwrite an existing rc.conf.local; tee -a appends as root.)

or

$ sudo pfctl -e
$ sudo ifconfig pflog0 up

Filtering Concept in PF

from the PF host -> internet = out

from the internet -> PF host = in

Apologies: there is no separate forward direction (a forwarded packet is matched as in on the interface it arrives on and as out on the interface it leaves by)

Macros

Macros in PF are used like variables in a program to define interfaces, IP addresses, ports, or even PF reserved words.

Using macros reduces the complexity of a PF ruleset:

server_if = "fxp0"
udp_port = "{ 53 123 }"
pass in on $server_if inet proto udp from any to any port $udp_port keep state

The ruleset above expands to:

pass in on fxp0 inet proto udp from any to any port 53 keep state
pass in on fxp0 inet proto udp from any to any port 123 keep state

Tables

Tables hold sets of IP addresses and networks, and a rule refers to the whole set as <name>. Typical uses are blocking bogon networks or matching the prefixes of IIX (Indonesia Internet Exchange), for example a table <iix> holding all IIX prefixes.

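As an added worked example (not from this page and not pfctl's own parser), the following Python script implements the macro substitution and list expansion the Macros section describes and the table lookup the Tables section introduces; the prefixes in its constructed sample ruleset are documentation ranges standing in for the real IIX list.

```python
# Expander for the pf.conf subset this page uses (added example, not pfctl's parser).
import ipaddress
import itertools
import re

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
TABLE_RE = re.compile(r'^table\s*<(\w+)>\s*\{([^}]*)\}$')
LIST_RE = re.compile(r'\{([^}]*)\}')

# Constructed sample ruleset: documentation prefixes stand in for the real IIX list.
SAMPLE = '''
server_if = "fxp0"
udp_port = "{ 53 123 }"
table <iix> { 192.0.2.0/24, 198.51.100.0/24 }
block in from <iix>
pass in on $server_if inet proto udp from any to any port $udp_port keep state
'''

def _items(body):
    return body.replace(',', ' ').split()      # pf lists may be space- or comma-separated

def expand_ruleset(text):
    """Return (rules, tables): expanded rule strings and name -> [ip_network]."""
    macros, tables, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:                                      # name = "value"
            macros[m.group(1)] = m.group(2)
            continue
        def sub(mo):                               # $name -> value; pfctl rejects unknown macros
            if mo.group(1) not in macros:
                raise ValueError(f"macro '{mo.group(1)}' not defined")
            return macros[mo.group(1)]
        line = re.sub(r'\$(\w+)', sub, line)
        t = TABLE_RE.match(line)
        if t:                                      # table <name> { net, net, ... }
            tables[t.group(1)] = [ipaddress.ip_network(n) for n in _items(t.group(2))]
            continue
        # every { ... } list multiplies the rule: one expanded rule per combination
        template = LIST_RE.sub('{}', line)
        for combo in itertools.product(*[_items(l) for l in LIST_RE.findall(line)]):
            rules.append(re.sub(r'\s+', ' ', template.format(*combo)))
    return rules, tables

def table_contains(tables, name, addr):
    """True if addr falls inside any network of table <name>, e.g. for 'block in from <iix>'."""
    return any(ipaddress.ip_address(addr) in net for net in tables[name])
```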

(to be continued)

Packet Filtering

Filtering blocks or passes packets according to the rules defined. The ruleset lives in /etc/pf.conf (by default) and is read from top to bottom; the last matching rule decides, unless a matching rule carries the quick keyword.

block the PF host from a single host

block in from ip.add.re.ss

block one or more subnets

block in from sub.net.ho.st/mask

block one host and pass another

block in from bad.ip
pass in from good.ip

Default deny is the recommended policy when setting up any firewall, and that applies to PF as well.

block in all
block out all

Add the log keyword so that the packets PF blocks can be seen with tcpdump(8) on the pflog0 interface

block in  log all
block out log all

This can be shortened to

block log all

Note: if the host has four or more NICs, all in/out traffic is blocked by default.
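An added example (not pf's own code) of the evaluation order this section relies on: rules are read top to bottom, the last matching rule decides, and quick ends evaluation early. The addresses and rules are constructed for the demonstration; a packet that no rule matches is passed by pf, which is why default deny comes first.

```python
# Simplified PF rule evaluation, added for this page (not pf's own engine): rules are read top
# to bottom, the LAST matching rule decides, unless a matching rule carries "quick".
# Interfaces, protocols and state are ignored in this model; addresses and ports are compared.
import ipaddress

def parse_rule(text):
    """Parse 'block|pass [in|out] [quick] [from A] [to A] [port P]'; any/all = wildcard."""
    tok = text.split()
    rule = {"action": tok[0], "dir": None, "quick": False, "from": None, "to": None, "port": None}
    i = 1
    while i < len(tok):
        w = tok[i]
        if w in ("in", "out"):
            rule["dir"] = w
        elif w == "quick":
            rule["quick"] = True
        elif w in ("from", "to", "port"):
            i += 1                          # the value follows the keyword
            if tok[i] not in ("any", "all"):
                rule[w] = int(tok[i]) if w == "port" else ipaddress.ip_network(tok[i])
        i += 1                              # other words (log, all, keep state ...) are skipped
    return rule

def matches(rule, pkt):
    """pkt = {'dir': 'in'|'out', 'src': addr, 'dst': addr, 'port': destination port}."""
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["from"] and ipaddress.ip_address(pkt["src"]) not in rule["from"]:
        return False
    if rule["to"] and ipaddress.ip_address(pkt["dst"]) not in rule["to"]:
        return False
    return rule["port"] is None or rule["port"] == pkt["port"]

def evaluate(ruleset, pkt):
    """Return (action, index of the deciding rule), or None when no rule matches."""
    decision = None
    for idx, line in enumerate(ruleset):
        rule = parse_rule(line)
        if matches(rule, pkt):
            decision = (rule["action"], idx)
            if rule["quick"]:               # quick: stop here, later rules are not consulted
                break
    return decision

# Constructed ruleset (documentation addresses): default deny, one host blocked with quick,
# then the rest of its subnet allowed to reach the mail server on port 25.
RULES = [
    "block log all",
    "block in quick from 192.0.2.66",
    "pass in from 192.0.2.0/24 to 198.51.100.10 port 25",
    "pass out all",
]
```

Without quick on the second rule, the host-specific block would be overridden by the later subnet pass, because the last matching rule wins.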

Example Case

<server> —– [switch] —– {router}

The server provides SMTP relay and POP3 services

Policy:

  • default deny
  • incoming to ports 25 and 110
  • outgoing unrestricted

# macros
server_if = "fxp0"
lo_if = "lo0"
tcp_port = "{ 25 110 }"
ks = "keep state"
# admin access (placeholders: these two macros were not defined on the original page; port 22 assumed for SSH)
admin = "ad.min.ip"
adm_port = "22"

# default deny
block log all

# loopback
pass quick on $lo_if all

# incoming
pass in on $server_if inet proto tcp from any    to $server_if port $tcp_port $ks
pass in on $server_if inet proto tcp from $admin to $server_if port $adm_port $ks

# outgoing
pass out on $server_if all $ks

References
