Translation

(itstool) path: sect2/para
This section demonstrates how to create a customized ruleset. It starts with the simplest of rulesets and builds upon its concepts using several examples to demonstrate real-world usage of <application>PF</application>'s many features.
Context English Chinese (Simplified) (zh_CN) State
Purpose 用途
<command>pfctl -e</command> <command>pfctl -e</command>
Enable <application>PF</application>. 启用 <application>PF</application>。
<command>pfctl -d</command> <command>pfctl -d</command>
Disable <application>PF</application>. 禁用 <application>PF</application>。
<command>pfctl -F all -f /etc/pf.conf</command> <command>pfctl -F all -f /etc/pf.conf</command>
Flush all <acronym>NAT</acronym>, filter, state, and table rules and reload <filename>/etc/pf.conf</filename>. 清空所有 <acronym>NAT</acronym>、过滤、状态和表规则,然后重新加载<filename>/etc/pf.conf</filename>。
<command>pfctl -s [ rules | nat | states ]</command> <command>pfctl -s [ rules | nat | states ]</command>
Report on the filter rules, <acronym>NAT</acronym> rules, or state table. 列出 filter 规则,<acronym>NAT</acronym> 规则, 或状态表。
<command>pfctl -vnf /etc/pf.conf</command> <command>pfctl -vnf /etc/pf.conf</command>
Check <filename>/etc/pf.conf</filename> for errors, but do not load ruleset. 检查<filename>/etc/pf.conf</filename>是否存在错误,但不要加载规则集。
<package>security/sudo</package> is useful for running commands like <command>pfctl</command> that require elevated privileges. It can be installed from the Ports Collection. <package>security/sudo</package>对于运行像<command>pfctl</command>这样需要高阶权限的命令非常有用。它可以从 Ports Collection 中安装。
To keep an eye on the traffic that passes through the <application>PF</application> firewall, consider installing the <package>sysutils/pftop</package> package or port. Once installed, <application>pftop</application> can be run to view a running snapshot of traffic in a format which is similar to <citerefentry><refentrytitle>top</refentrytitle><manvolnum>1</manvolnum></citerefentry>. 要监视通过<application>PF</application>防火墙的流量,请考虑安装<package>sysutils/pftop</package>。安装后,可以运行<application>pftop</application>,以类似于<citerefentry><refentrytitle>top</refentrytitle><manvolnum>1</manvolnum></citerefentry>的格式查看当前流量状态。
<application>PF</application> Rulesets <application>PF</application>规则集
<personname> <firstname>Peter</firstname> <surname>Hansteen</surname> <othername>N. M.</othername> </personname> <contrib>Contributed by </contrib> <personname> <firstname>Peter</firstname> <surname>Hansteen</surname> <othername>N. M.</othername> </personname> <contrib>Contributed by </contrib>
This section demonstrates how to create a customized ruleset. It starts with the simplest of rulesets and builds upon its concepts using several examples to demonstrate real-world usage of <application>PF</application>'s many features. 本节演示了如何创建一个自定义的规则集。本节从最简单的规则集开始,用几个例子来演示<application>PF</application>的实际应用。
The simplest possible ruleset is for a single machine that does not run any services and which needs access to one network, which may be the Internet. To create this minimal ruleset, edit <filename>/etc/pf.conf</filename> so it looks like this: 最简单的规则集是针对一台不运行任何服务并且需要访问一个网络(可能是 Internet)的计算机。要创建此最小规则集,请编辑<filename>/etc/pf.conf</filename>,使其看起来像这样:
block in all
pass out all keep state
The first rule denies all incoming traffic by default. The second rule allows connections created by this system to pass out, while retaining state information on those connections. This state information allows return traffic for those connections to pass back and should only be used on machines that can be trusted. The ruleset can be loaded with: 第一个规则默认拒绝所有传入的流量。第二个规则允许该系统创建的连接传出,同时保留这些连接的状态信息。这个状态信息允许这些连接的回传流量通过,并且只应在可以信任的机器上使用。可以用以下命令加载该规则集:
<prompt>#</prompt> <userinput>pfctl -e ; pfctl -f /etc/pf.conf</userinput> <prompt>#</prompt> <userinput>pfctl -e ; pfctl -f /etc/pf.conf</userinput>
In addition to keeping state, <application>PF</application> provides <firstterm>lists</firstterm> and <firstterm>macros</firstterm> which can be defined for use when creating rules. Macros can include lists and need to be defined before use. As an example, insert these lines at the very top of the ruleset: 除了保持状态外,<application>PF</application>还提供了<firstterm>lists</firstterm>(列表)和<firstterm>macros</firstterm>(宏),可以在创建规则时使用。宏可以包含列表,并且需要在使用前定义。作为例子,在规则集的最顶部插入这些行:
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
<application>PF</application> understands port names as well as port numbers, as long as the names are listed in <filename>/etc/services</filename>. This example creates two macros. The first is a list of seven <acronym>TCP</acronym> port names and the second is one <acronym>UDP</acronym> port name. Once defined, macros can be used in rules. In this example, all traffic is blocked except for the connections initiated by this system for the seven specified <acronym>TCP</acronym> services and the one specified <acronym>UDP</acronym> service: <application>PF</application>既能理解端口号,也能理解端口名,只要这些名称列在<filename>/etc/services</filename>中。这个例子创建了两个宏。第一个是七个 <acronym>TCP</acronym> 端口名的列表,第二个是一个 <acronym>UDP</acronym> 端口名。定义之后,宏就可以在规则中使用。在这个例子中,除了本系统向七个指定的<acronym>TCP</acronym>服务和一个指定的<acronym>UDP</acronym>服务发起的连接外,所有流量都会被拦截:
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
block all
pass out proto tcp to any port $tcp_services keep state
pass out proto udp to any port $udp_services keep state
Even though <acronym>UDP</acronym> is considered to be a stateless protocol, <application>PF</application> is able to track some state information. For example, when a <acronym>UDP</acronym> request is passed which asks a name server about a domain name, <application>PF</application> will watch for the response to pass it back. 尽管<acronym>UDP</acronym>被认为是无状态协议,但<application>PF</application>仍能跟踪一些状态信息。例如,当放行一个向名称服务器查询域名的<acronym>UDP</acronym>请求时,<application>PF</application>会留意其响应并将其放行回来。
Whenever an edit is made to a ruleset, the new rules must be loaded so they can be used: 每当对规则集进行编辑时,都必须加载新规则,以使这些规则生效:
<prompt>#</prompt> <userinput>pfctl -f /etc/pf.conf</userinput> <prompt>#</prompt> <userinput>pfctl -f /etc/pf.conf</userinput>
If there are no syntax errors, <command>pfctl</command> will not output any messages during the rule load. Rules can also be tested before attempting to load them: 若无语法错误,<command>pfctl</command> 在重新加载规则时不会有任何输出。规则在加载前可使用以下方法测试:
<prompt>#</prompt> <userinput>pfctl -nf /etc/pf.conf</userinput> <prompt>#</prompt> <userinput>pfctl -nf /etc/pf.conf</userinput>
Including <option>-n</option> causes the rules to be interpreted only, but not loaded. This provides an opportunity to correct any errors. At all times, the last valid ruleset loaded will be enforced until either <application>PF</application> is disabled or a new ruleset is loaded. 包含<option>-n</option>会导致规则只被解释,而不被加载。这为纠正错误提供了机会。任何时候,最后加载的有效规则集都将被执行,直到<application>PF</application>被禁用或加载新的规则集。
Adding <option>-v</option> to a <command>pfctl</command> ruleset verify or load will display the fully parsed rules exactly the way they will be loaded. This is extremely useful when debugging rules. 在<command>pfctl</command>规则集验证或加载时添加<option>-v</option>,就会完全按照加载时的方式显示解析过的规则。这在调试规则时非常有用。
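The macro and list handling described above, and what a verbose verify reports, as an added example that is not the Handbook's own code: a small Python expander that resolves $macros and { } lists into one rule per element and rejects a macro used before its definition. It approximates pfctl's expansion rather than its exact output format, and the embedded ruleset is constructed, giving both pass rules an explicit out direction.

```python
import re

# Constructed ruleset built from this section's macros (not the Handbook's own
# text); both pass rules carry an explicit "out", matching the prose.
RULESET = """\
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
block all
pass out proto tcp to any port $tcp_services keep state
pass out proto udp to any port $udp_services keep state
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')  # name = "value"
LIST = re.compile(r"\{([^{}]*)\}")                 # { a, b, c }


def _expand_lists(rule):
    """Rewrite one rule containing { a, b } into one rule per element."""
    m = LIST.search(rule)
    if not m:
        return [" ".join(rule.split())]
    out = []
    for item in (i.strip() for i in m.group(1).split(",")):
        if item:
            out.extend(_expand_lists(rule[:m.start()] + item + rule[m.end():]))
    return out


def expand_ruleset(text):
    """Resolve macros and lists, roughly as pfctl -vnf reports them: one flat
    rule per list element. A macro used before its definition raises, since
    pf requires macros to be defined before use."""
    macros, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue

        def lookup(mo):
            if mo.group(1) not in macros:
                raise ValueError(f"line {lineno}: ${mo.group(1)} used before definition")
            return macros[mo.group(1)]

        rules.extend(_expand_lists(re.sub(r"\$(\w+)", lookup, line)))
    return rules
```

Running expand_ruleset(RULESET) yields nine flat rules: the block rule, seven TCP pass rules and one UDP pass rule, which is the same shape pfctl -vnf prints when it reports the loaded ruleset.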
Source information

Source string comment
(itstool) path: sect2/para
Source string location
book.translate.xml:60340
Translation file
books/zh_CN/handbook.po, string 9880