I have not yet figured out OpenBSD's more advanced tools like pfw, so I just edit /etc/pf.conf directly.
My goal is simple anyway: close all inbound and outbound traffic, let only the http port accept connections, and let the ssh port accept connections only from specific addresses.
Edit the filter rules
#vi /etc/pf.conf
#macros
#client="{ ip1, ip2 }"
client="{ ip1 }"
#options
set skip on lo
#filter rules
block all
pass quick on lo0 all
pass in on em0 inet proto tcp from any to port http
pass in on em0 inet proto tcp from $client to port ssh
Apply the filter rules
#pfctl -f /etc/pf.conf
Check the loaded ruleset
#pfctl -sr
---------------------------------------------------------------------------------------
block drop all
pass quick on lo0 all flags S/SA keep state
pass in on em0 inet proto tcp from any to any port = www flags S/SA keep state
pass in on em0 inet proto tcp from ip1 to any port = ssh flags S/SA keep state
---------------------------------------------------------------------------------------
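The ruleset printed by pfctl -sr is the only authoritative record of what the kernel is actually enforcing, so it is worth checking it against the intended policy rather than trusting the file that was edited. The script below is an added example, not part of the original post: it reads pfctl -sr output on stdin and checks the three things the policy above depends on (a default-deny block rule comes first, ssh is never passed from any source, and only the expected service ports are passed in on em0). The sample rules it is fed are a constructed copy of the output shown above, with the post's ip1 placeholder kept; on the machine itself it would be run as pfctl -sr | audit_rules.

```shell
#!/bin/sh
# Added example (not the post's own code): audit the ruleset that
# `pfctl -sr` prints against the intended policy of the post:
# default deny, http open to anyone, ssh open only to the $client hosts.
# On the firewall itself run:  pfctl -sr | audit_rules
# Here a constructed sample is used so the script runs anywhere.

# Constructed sample of `pfctl -sr` output (ip1 is the post's placeholder).
SAMPLE_RULES='block drop all
pass quick on lo0 all flags S/SA keep state
pass in on em0 inet proto tcp from any to any port = www flags S/SA keep state
pass in on em0 inet proto tcp from ip1 to any port = ssh flags S/SA keep state'

# audit_rules: reads rules on stdin, prints findings, returns 0 only when
# every check passes.
audit_rules() {
    rules=$(cat)
    status=0

    # 1. The ruleset must start with a default-deny rule. pf is last-match-wins
    #    (except for "quick" rules), so "block all" first makes every later
    #    pass rule an explicit exception.
    first=$(printf '%s\n' "$rules" | head -n 1)
    if [ "$first" != "block drop all" ]; then
        echo "FAIL: first rule is '$first', expected 'block drop all'"
        status=1
    fi

    # 2. ssh must never be passed in from any source, only from named clients.
    if printf '%s\n' "$rules" | grep -q '^pass in .* from any to .*port = ssh'; then
        echo "FAIL: ssh is reachable from any source"
        status=1
    fi

    # 3. Only the expected service ports may be passed in on em0.
    allowed="www ssh"
    for port in $(printf '%s\n' "$rules" | grep '^pass in on em0' \
                  | sed -n 's/.*port = \([A-Za-z0-9-]*\).*/\1/p' | sort -u); do
        case " $allowed " in
            *" $port "*) echo "ok: inbound $port" ;;
            *) echo "FAIL: unexpected inbound port $port"; status=1 ;;
        esac
    done
    return $status
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

Because the only remote path into this box is ssh from the $client addresses, the moment of risk is the pfctl -f reload: a typo in the client macro locks you out. Parsing the file first with pfctl -nf /etc/pf.conf (the -n flag checks syntax without loading) and then running the audit above on the live ruleset catches both the syntax error and a rule that silently opened or closed more than intended.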