Setup of FreeBSD + PF on 6.2

Source: Internet
Author: User

These days websites and plug-ins constantly bring ARP and DDoS attacks with them. We originally used Ros as the Internet cafe router, but it could not withstand DDoS attacks, so fb6.2 + pf was the only option. We tried fb6.1 + PF a few days ago and got "watchdog timeout" errors all over the place; the boss said fb6.2 might not have that problem, so I installed it to test. The installation procedure follows, written up as one walkthrough.
cd /usr/src/sys/i386/conf
cp GENERIC pfok
ee pfok
Modify and add the following:
ident pfok
device pf                        # packet filter
device pflog                     # pflog0 logging interface
device pfsync                    # state table synchronisation
options ALTQ                     # ALTQ queueing (needed for pf queue rules)
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC               # required for SMP builds
options PANIC_REBOOT_WAIT_TIME=0 # reboot immediately after a panic
options DEVICE_POLLING           # interrupt-free NIC polling (see kern.polling.* below)
options HZ=2000                  # higher clock rate so polling runs often enough
options IPSTEALTH                # do not decrement TTL when forwarding
#options RANDOM_IP_ID
options TCP_DROP_SYNFIN          # drop packets with both SYN and FIN set

config pfok
cd /usr/src/sys/i386/compile/pfok
make depend
make
make install
reboot
 
ee /etc/sysctl.conf
net.inet.ip.forwarding=1          # act as a router
net.inet.ip.fastforwarding=1      # fast path for forwarded packets
net.inet.tcp.drop_synfin=1
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
#net.inet.udp.sendspace=65535
net.inet.udp.maxdgram=65535
net.local.stream.sendspace=65535
net.inet.tcp.rfc1323=1
#net.inet.tcp.rfc1644=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
kern.ipc.maxsockbuf=2097152
kern.maxfiles=65536
kern.maxfilesperproc=32768
kern.polling.enable=1             # needs DEVICE_POLLING in the kernel
kern.polling.burst_max=500
kern.ipc.somaxconn=2048           # larger listen backlog
kern.ipc.nmbclusters=32768
net.inet.tcp.delayed_ack=0
net.inet.icmp.icmplim=100         # rate-limit ICMP replies (unreachables, RSTs)
net.inet.icmp.icmplim_output=0    # do not log when the ICMP limit is hit

ee /boot/loader.conf
autoboot_delay="2"
 
ee /etc/rc.conf
sendmail_enable="NONE"            # no sendmail at all on the router
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
clear_tmp_enable="YES"
update_motd="NO"
tcp_drop_synfin="YES"
#icmp_drop_redirect="YES"
#icmp_log_redirect="YES"
#log_in_vain="YES"
#accounting_enable="YES"
pf_enable="YES"                   # start pf at boot
pf_rules="/etc/pf.conf"           # rule set to load
pf_flags=""                       # extra pfctl flags
#pflog_enable="YES"
#pflog_logfile="/var/log/pflog"

Here I added pf_enable="YES". Output of uname -a on the rebuilt system:
uname -a
FreeBSD pf.com 6.2-RC1 FreeBSD 6.2-RC1 #0: Thu Nov 23 04:20:46 CST 2006 sshpf@pf.com:/usr/src/sys/i386/compile/pfok i386
 

My pf.conf

# pfctl -e -F all -f /etc/pf.conf   # enable pf, flush everything, load the rule set
#
# Reload only the filter rules:
# pfctl -F rules -Rf /etc/pf.conf
#
# pfctl -f /etc/pf.conf    # reload pf.conf
# pfctl -nf /etc/pf.conf   # parse pf.conf and check the syntax without loading it
# pfctl -Nf /etc/pf.conf   # load only the NAT rules
# pfctl -Rf /etc/pf.conf   # load only the filter rules
#
# pfctl -sn   # show the current NAT rules
# pfctl -sr   # show the current filter rules
# pfctl -ss   # show the current state table
# pfctl -si   # show filter statistics
# pfctl -sa   # show everything

ext_if="rl0"
#edu_if=""
int_if="fxp0"

ext_addr="192.168.1.51"

int_net="172.16.0.0/16"
ext_net="192.168.0.0/16"
loop="{ lo0, 127.0.0.1 }"
openports="{ 21, 22, 80, 88, 4899 }"
insidemanagerips="{ 172.16.0.100 }"
insitemanageropenports="{ 21, 22, 23, 24, 25, 80, 4899 }"
priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }" # private address ranges per RFC 1918
tcp_services="{ 22, 88, 4899, 123 }"                        # TCP services offered by this host
icmp_types="echoreq"                                        # ICMP types to allow (echo request)

# Expire idle states quickly (aggressive optimization shortens the state timeouts)
set optimization aggressive

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

nat on $ext_if from $int_net to any -> ($ext_if)
#nat on $ext_if from $int_net to $ext_net -> ($ext_if)

# Web server map ($web_server must be defined as a macro before enabling this)
#rdr pass on $ext_if proto tcp from any to $ext_if port { www, 3389, 4899, 7745 } -> $web_server

# ---------------------------- Anti-DoS rules --------------------------------
# Per-source limits on new TCP connections to the router itself (LAN users
# reaching this host), tracked per source address by "source-track rule":
#   max-src-conn 100        at most 100 established connections per source
#   max-src-conn-rate 15/3  at most 15 new connections per 3 seconds per source
#   max-src-states 30       at most 30 state entries per source; further SYNs
#                           are simply dropped, this limit alone never overloads
# A source exceeding max-src-conn or max-src-conn-rate is added to the
# <abusive_hosts> table and the states this rule created for it are flushed
# ("flush global" would kill all of its states, from every rule).
# Note: with states capped at 30, the max-src-conn 100 limit can never be
# reached; lower it or raise max-src-states if it is meant to do anything.
table <abusive_hosts> persist        # keep the table even when it is empty
block in quick from <abusive_hosts>  # drop everything from tabled addresses
pass in on $int_if inet proto tcp from any to $int_if flags S/SA keep state \
    (source-track rule, max-src-conn 100, max-src-conn-rate 15/3, max-src-states 30, overload <abusive_hosts> flush, src.track 1)
# src.track 1: the tracking entry is kept 1 second after its last state expires

lsassvirusport="{ 445, 135, 139, 593, 512, 5554, 9996, 9995 }"
block quick on $int_if inet proto tcp from any to any port $lsassvirusport

bittorrentport="{ 512, 2049, 4662, 6880, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889, \
    6890, 8880, 8881, 8882, 8883, 8884, 8885, 8886, 8887, 8888, 8889, 8890, 6969, 10700, 21881 }"
block quick on $int_if inet proto tcp from any to any port $bittorrentport
block quick on $int_if inet proto tcp from any port $bittorrentport to any
block quick on $ext_if inet proto tcp from any to any port $bittorrentport
block quick on $ext_if inet proto tcp from any port $bittorrentport to any

#gameclientports="{ 4002, 2000, 3838, 4410, 4210, 4230, 5005, 4290, 10010 }"
#gamedenyclients="{ 192.168.128.0/24, 192.168.132.0/24 }"
#gameserverips="{ 204.251.15.167, 61.152.93.145 }"
#block quick on $int_if inet proto tcp from $gamedenyclients to any port $gameclientports
#block quick on $ext_if from $gameserverips to $gamedenyclients
#block quick on $int_if from $gamedenyclients to $gameserverips

denyserverips="{ 202.108.193.21 }"
block quick on $int_if from any to $denyserverips

#lsassvirusip="{ 192.168.1.194 }"
#block quick on $int_if from $lsassvirusip to any
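The per-source limits in the anti-DoS pass rule above are easy to misread, so here is a small Python model of how max-src-conn-rate 15/3 and max-src-states 30 treat a stream of SYNs. It is added here and is neither part of the original post nor pf's code: the decaying counter only approximates pf's threshold logic, states never expire in the model, and the SYN log is constructed.

```python
# Added example, not from the post and not pf's code: a model of how the
# pass rule's max-src-conn-rate 15/3 and max-src-states 30 treat a SYN stream.
from collections import defaultdict

RATE_LIMIT, RATE_SECS = 15, 3   # max-src-conn-rate 15/3
MAX_SRC_STATES = 30             # max-src-states 30
MULT = 1000                     # fixed-point scale for the decaying counter


class Source:
    """Per-source tracking entry, as created by 'source-track rule'."""
    def __init__(self):
        self.states = 0      # state entries this rule created for the source
        self.count = 0       # decaying new-connection counter, scaled by MULT
        self.last = None     # timestamp of the previous new connection

    def rate_exceeded(self, now):
        # Decay by the share of the window that elapsed (an approximation of
        # pf's threshold logic), charge one connection, compare with the limit.
        if self.last is not None:
            diff = now - self.last
            self.count = 0 if diff >= RATE_SECS else \
                self.count - self.count * diff // RATE_SECS
        self.count += MULT
        self.last = now
        return self.count > RATE_LIMIT * MULT


def evaluate(syn_log):
    """syn_log: (timestamp, src_ip) per SYN aimed at the router.  Returns
    (abusive_hosts, dropped): sources that end up in <abusive_hosts>, and
    per source how many SYNs max-src-states refused (it only refuses new
    states, it never triggers overload).  States never expire here."""
    sources, abusive, dropped = defaultdict(Source), set(), defaultdict(int)
    for ts, ip in sorted(syn_log):
        if ip in abusive:
            continue                   # block in quick from <abusive_hosts>
        src = sources[ip]
        if src.states >= MAX_SRC_STATES:
            dropped[ip] += 1           # no state created, source not tabled
            continue
        src.states += 1
        if src.rate_exceeded(ts):      # the limit that does trigger overload
            abusive.add(ip)
            src.states = 0             # 'flush': this rule's states are killed
    return abusive, dict(dropped)


# Constructed sample: a normal client, a SYN flooder and a slow port scanner.
SAMPLE = ([(t, "172.16.0.10") for t in (0, 2, 4, 6, 8)]
          + [(100, "172.16.0.99")] * 20
          + [(200 + t, "172.16.0.77") for t in range(40)])
```

Running evaluate(SAMPLE) tables only the flooder; the scanner has 10 SYNs refused by max-src-states but is never added to the table, which is the difference the rule's comment glosses over.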
