block out log on fxp0 from any to 192.168.0.0/16
block out log quick on fxp0 from any to 0.0.0.0/8
block out log quick on fxp0 from any to 169.254.0.0/16
block out log quick on fxp0 from any to 10.0.0.0/8
block out log quick on fxp0 from any to 172.16.0.0/12
block out log quick on fxp0 from any to 127.0.0.0/8
block out log quick on fxp0 from any to 192.0.2.0/24
block out log quick on fxp0 from any to 204.152.64.0/23
block out log quick on fxp0 from any to 224.0.0.0/3
The rules above block outgoing traffic on fxp0 destined for addresses that are not valid on the Internet (private, link-local, loopback, documentation and multicast ranges).
pass out log on fxp0 proto tcp/udp from any to any keep state
pass out log on fxp0 proto icmp all keep state
The rules above allow TCP, UDP and ICMP packets to be sent out, and "keep state" lets the corresponding reply packets come back to the internal network.
block in log on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from 169.254.0.0/16 to any
block in log quick on fxp0 from 224.0.0.0/3 to any
block in log quick on fxp0 from 204.152.64.0/23 to any
block in log quick on fxp0 from x.x.x.x/32 to any
block in log quick on fxp0 from any to x.x.x.0/32
block in log quick on fxp0 from any to x.x.x.255/32
The rules above block incoming packets on fxp0 that carry an internal-network, reserved or own-interface source address (spoofed packets), and packets aimed at the network and broadcast addresses, so they are never forwarded into the internal network.
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state
The rules above allow WWW and FTP connections in (only packets with SYN set and ACK clear, i.e. new connections, create state), and the port range 30000 >< 50001 allows the FTP data-port connections to be forwarded.
block in quick on fxp0 all
This blocks every other connection coming in on fxp0.
block in log quick on fxp0 proto icmp from any to any icmp-type redir
block in log quick on fxp0 proto icmp from any to any
block in log quick on fxp0 proto icmp from any to any icmp-type echo
Rule order matters here: the second rule is quick and matches all ICMP, so the echo rule after it never matches, and any rule placed after "block in quick on fxp0 all" is unreachable as well.
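Because ipf evaluates rules top to bottom, with the last matching rule winning unless a match is marked quick, it is easy to misjudge what a ruleset like the one above actually does. The following added example (my own code, not part of the original page or of IPFilter) parses the subset of ipf syntax used on this page and evaluates constructed packets against a sample of the page's rules, so that shadowing, the exclusive "><" port range and the spoof filters can be checked offline; "flags" and "keep state" are not modelled.

```python
import ipaddress
from collections import namedtuple
SERVICES = {"ftp": 21, "ftp-data": 20}   # service names used by the page's rules
Rule = namedtuple("Rule", "action direction quick protos src dst ports")  # ports: inclusive (lo, hi) or None

def _net(tok):  # "any" means 0.0.0.0/0; a bare "all" has no from/to and gets the same default
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def _after(t, key, default="any"):
    return t[t.index(key) + 1] if key in t else default

def parse_rule(line):
    """Parse the subset of ipf syntax on this page (flags/keep state are not modelled)."""
    t = line.split()
    protos = tuple(_after(t, "proto").split("/")) if "proto" in t else ()
    ports = None
    if "port" in t:
        i = t.index("port")
        if t[i + 1] == "=":                          # port = 80  /  port = ftp
            p = SERVICES.get(t[i + 2]) or int(t[i + 2]); ports = (p, p)
        elif t[i + 2] == "><":                       # port 30000 >< 50001 is EXCLUSIVE
            ports = (int(t[i + 1]) + 1, int(t[i + 3]) - 1)
    return Rule(t[0], t[1], "quick" in t, protos, _net(_after(t, "from")),
                _net(_after(t, "to")), ports)

def decide(rules, direction, proto, src, dst, dport=None):
    """ipf semantics: the LAST matching rule wins, unless a matching rule is 'quick'."""
    verdict = "pass"                                 # ipf passes when nothing matches
    for r in rules:
        if (r.direction != direction or (r.protos and proto not in r.protos)
                or ipaddress.ip_address(src) not in r.src
                or ipaddress.ip_address(dst) not in r.dst
                or (r.ports and not r.ports[0] <= (dport or -1) <= r.ports[1])):
            continue
        verdict = r.action
        if r.quick:                                   # quick: stop at the first match
            break
    return verdict

# Constructed sample drawn from the page's rule groups (x.x.x.x placeholders omitted).
RULES = [parse_rule(l) for l in """
block out log quick on fxp0 from any to 10.0.0.0/8
block out log quick on fxp0 from any to 172.16.0.0/12
pass out log on fxp0 proto tcp/udp from any to any keep state
block in log quick on fxp0 from 10.0.0.0/8 to any
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state
block in quick on fxp0 all
""".strip().splitlines()]
```

Calling decide(RULES, "in", "tcp", "198.51.100.9", "203.0.113.5", 30000) returns "block" while port 30001 returns "pass", which is the exclusive-range behaviour of "><"; an inbound ICMP echo returns "block" because the final "block in quick all" catches it before any later ICMP rule could.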