# Hand every packet crossing xl0 to natd (NAT). Rule numbers, not listing order, decide
# evaluation order, so this actually runs after the five anti-probe rules below.
add 00400 divert natd ip from any to any via xl0

# Drop and log packets carrying IP options used for source routing / route recording
# (record-route, timestamp, strict and loose source route) and TCP packets with
# SYN+FIN set, which only appear in port-scan and OS-fingerprinting probes.
add 00001 deny log ip from any to any ipopt rr
add 00002 deny log ip from any to any ipopt ts
add 00003 deny log ip from any to any ipopt ssrr
add 00004 deny log ip from any to any ipopt lsrr
add 00005 deny tcp from any to any in tcpflags syn,fin

#######tcp#########
# Open SSH only to the Internet host xx.xx.xx.xx; that is the only address trusted to log in.
add 10000 allow tcp from xx.xx.xx.xx to x.x.x.x 22 in
# Open HTTP to the whole Internet.
add 10001 allow tcp from any to x.x.x.x 80 in
# Open SMTP to the whole Internet.
add 10002 allow tcp from any to x.x.x.x 25 in
# Open POP3 to the whole Internet.
add 10003 allow tcp from any to x.x.x.x 110 in

# These three rules together let the host open TCP connections to the Internet:
# 19998 records each outbound SYN in the dynamic rule table and 19997 lets the
# matching reply packets back in. Note that 19999 on its own still passes outbound
# SYNs, so removing only 19997 and 19998 does NOT stop the server from initiating
# connections. If the server should only answer inbound connections and never open
# its own, replace 19999 with "allow tcp from any to any out established" (matches
# only packets with ACK or RST set, i.e. replies to sessions already admitted by
# rules 10000-10003). Either way, access from the Internet to the services above
# is unaffected. The allow rules only have an effect if the kernel's final rule
# 65535 is a deny (the default unless it was built with IPFIREWALL_DEFAULT_TO_ACCEPT).
add 19997 check-state
add 19998 allow tcp from any to any out setup keep-state
add 19999 allow tcp from any to any out

######udp##########
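The ruleset above has its addresses and interface as placeholders (x.x.x.x, xx.xx.xx.xx, xl0). The following POSIX sh generator is an added example, not part of the original page: it emits the same rules from a few variables and offers a second mode in which the server can only answer inbound TCP sessions, using the `established` option instead of the stateful pair. The addresses are RFC 5737 documentation ranges chosen here as assumptions; `load_rules` shells out to `ipfw` and is for a FreeBSD host run as root, so it is not called by default.

```shell
#!/bin/sh
# Added example (not the page's own script): generate the ipfw ruleset described above.
EXT_IF="xl0"                  # external interface, as on the page
SERVER_IP="192.0.2.10"        # assumption: the server's public address (x.x.x.x)
ADMIN_IP="198.51.100.5"       # assumption: the only host allowed to reach SSH (xx.xx.xx.xx)
PUBLIC_TCP_PORTS="80 25 110"  # services opened to the whole Internet, in rule order

# gen_ipfw_rules MODE
#   client      - the page's three-rule stateful block: the host may open outbound TCP
#   server-only - only replies to already-accepted inbound sessions may leave;
#                 the host cannot initiate TCP connections itself
gen_ipfw_rules() {
    mode="${1:-client}"
    # Anti-probe rules: drop logged IP-option packets and SYN+FIN scans.
    echo "add 00001 deny log ip from any to any ipopt rr"
    echo "add 00002 deny log ip from any to any ipopt ts"
    echo "add 00003 deny log ip from any to any ipopt ssrr"
    echo "add 00004 deny log ip from any to any ipopt lsrr"
    echo "add 00005 deny tcp from any to any in tcpflags syn,fin"
    # NAT divert, numbered so it runs after the probe filters.
    echo "add 00400 divert natd ip from any to any via $EXT_IF"
    # SSH only from the trusted admin host.
    echo "add 10000 allow tcp from $ADMIN_IP to $SERVER_IP 22 in"
    # Public services, one rule per port starting at 10001.
    n=10001
    for port in $PUBLIC_TCP_PORTS; do
        echo "add $n allow tcp from any to $SERVER_IP $port in"
        n=$((n + 1))
    done
    case "$mode" in
        client)
            echo "add 19997 check-state"
            echo "add 19998 allow tcp from any to any out setup keep-state"
            echo "add 19999 allow tcp from any to any out"
            ;;
        server-only)
            # 'established' matches packets with ACK or RST set, i.e. replies to
            # sessions admitted by 10000-1000N. A bare outbound SYN matches nothing
            # here and falls through to the kernel's default deny.
            echo "add 19999 allow tcp from any to any out established"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# count_rules MODE: number of rules the generator emits, handy for sanity checks.
count_rules() { gen_ipfw_rules "$1" | wc -l | tr -d ' '; }

# load_rules MODE: on a FreeBSD host as root, flush the current set and load the
# generated rules from a temporary file (ipfw accepts a rules file as its argument).
load_rules() {
    tmp=$(mktemp) || return 1
    gen_ipfw_rules "${1:-client}" > "$tmp" || { rm -f "$tmp"; return 1; }
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

gen_ipfw_rules client
```

Run it with `sh gen_ipfw.sh > /etc/ipfw.rules` and review the output before calling `load_rules` from a console session, since a mistake in the SSH rule locks you out of a remote host. The `server-only` mode deliberately drops the `check-state`/`keep-state` pair: with no dynamic rules there is nothing for `check-state` to match, and `established` alone is enough to let the replies of accepted inbound sessions out.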