PF under macOS Sierra blocks local network traffic but allows everything else

914
Harry McGovern

I have pf running on my 2012 Mac Mini under OSX 10.12.2, apart from a few oddities. I can talk to the wireless network printer, but I cannot talk to the HP 2015 over Ethernet. Internet is fine. It seems to be only the local network.

I can talk to the other office Windows box via Microsoft Remote Desktop if I reach the port via the address of the Internet interface. BUT.. I cannot talk to it over the local Ethernet network. I am obviously missing something in the PF rules, but what.

I know it is PF, because when I disable pf with sudo pfctl -d I can suddenly talk to them again. Or are both of these services UDP?

This is the pf.conf rule set:

    #
    # com.apple anchor point
    #
    set skip on lo0

    #not sure about these two
    tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
    udp_services = "{ domain }"

    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
    #
    antispoof for en0 inet
    antispoof for en0 inet6

    antispoof for en1 inet
    antispoof for en1 inet6

    anchor "emerging-threats"
    load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

    table <badhosts> persist file "/etc/badguys1" file "/etc/badguys2"
    block return in log quick on en0 from <badhosts> to any
    block return in log quick on en1 from <badhosts> to any

    # As posted, each of the following lines ended in a bare "port" keyword
    # with no port number, which pfctl rejects as a syntax error; the keyword
    # is dropped here so each rule blocks all TCP from that address.
    block return in log quick proto tcp from 174.46.142.137 to any
    block return in log quick proto tcp from 115.160.167.46 to any
    block return in log quick proto tcp from 185.64.106.80 to any
    block return in log quick proto tcp from 185.64.106.99 to any
    block return in log quick proto tcp from 185.64.106.99 to any
    block return in log quick proto tcp from 185.64.106.87 to any
    block return in log quick proto tcp from 69.165.77.42 to any

    # Open port 465 for TCP on all interfaces
    pass in proto tcp from any to any port 21
    pass in proto tcp from any to any port 22
    pass in proto tcp from any to any port 23
    pass in proto tcp from any to any port 25
    pass in proto tcp from any to any port 53
    pass in proto udp from any to any port 53
    pass in proto tcp from any to any port 110
    pass in proto tcp from any to any port 143
    pass in proto tcp from any to any port 194
    pass in proto tcp from any to any port 389
    pass in proto tcp from any to any port 443
    pass in proto tcp from any to any port 445
    pass in proto tcp from any to any port 465
    pass in proto tcp from any to any port 587
    pass in proto tcp from any to any port 993
    # pass in proto tcp from any to any port 3389
    pass in proto tcp from any to any port 5900
    pass in proto tcp from any to any port 6112
    # pass in proto tcp from any to any port 8000
    pass in proto udp from any to any port 6277
    pass in proto udp from any to any port 1023

    table <bruteforce> persist
    block quick from <bruteforce>
    pass in inet proto tcp to any port ssh \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 5/5, \
         overload <bruteforce> flush global)
1

2 answers to the question

1
Harry McGovern

I found the answer. I believe I added:

    pass in on en0 from 192.168.0.0/24 to 192.168.0.1
    pass out on en0 from 192.168.0.1 to 192.168.0.0/24
    pass in on en1 from 192.168.0.0/24 to 192.168.0.1
    pass out on en1 from 192.168.0.1 to 192.168.0.0/24
    # pass all traffic to and from the local network.
    # these rules will create state entries due to the default
    # "keep state" option which will automatically be applied.
    # NOTE: $int_if and $lan_net are macros that must be defined earlier in
    # the file (e.g. int_if = "en0"), otherwise pfctl refuses to load it.
    pass in on $int_if from $lan_net
    pass out on $int_if to $lan_net
Could you share your final pf.conf? jakethedog 6 years ago 0
To save 2 lines (pass in / out), you could try pass on en0 from 192.168.0.0/24 to any. nbari 6 years ago 0
0
Harry McGovern

My final pf.conf file reads as follows. There are a couple of commented-out options I will come back to. The first, antispoof, when set, blocks me from connecting to the router's web interface? The last ones are the int_if settings, and I just need to define them. One day.

    # This file contains the main ruleset, which gets automatically loaded
    # at startup. PF will not be automatically enabled, however. Instead,
    # each component which utilizes PF is responsible for enabling and disabling
    # PF via -E and -X as documented in pfctl(8). That will ensure that PF
    # is disabled only when the last enable reference is released.
    #
    # Care must be taken to ensure that the main ruleset does not get flushed,
    # as the nested anchors rely on the anchor point defined here. In addition,
    # to the anchors loaded by this file, some system services would dynamically
    # insert anchors into the main ruleset. These anchors will be added only when
    # the system service is used and would removed on termination of the service.
    #
    # See pf.conf(5) for syntax.
    #
    set loginterface en1
    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    #Only set antispoof on interfaces with an IP address. Otherwise
    # you will block all traffic.
    set skip on lo0

    #antispoof for en1 inet
    #antispoof for en1 inet6

    #antispoof for en0 inet
    #antispoof for en0 inet6

    #
    # com.apple anchor point
    #
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"

    anchor "emerging-threats"
    load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

    table <badhosts> persist file "/etc/badguys1" file "/etc/badguys2"
    block on en1 from <badhosts> to any
    block on en0 from <badhosts> to any
    block return in log quick on en1 from <badhosts> to any

    # As posted, each of the following lines ended in a bare "port" keyword
    # with no port number, which pfctl rejects as a syntax error; the keyword
    # is dropped here so each rule blocks all TCP from that address.
    block return in log quick proto tcp from 174.46.142.137 to any
    block return in log quick proto tcp from 115.160.167.46 to any
    block return in log quick proto tcp from 185.64.106.80 to any
    block return in log quick proto tcp from 185.64.106.99 to any
    block return in log quick proto tcp from 185.64.106.99 to any
    block return in log quick proto tcp from 185.64.106.87 to any
    block return in log quick proto tcp from 69.165.77.42 to any
    block return in log quick proto tcp from 191.96.249.61 to any
    block return in log quick proto tcp from 191.96.249.26 to any
    block return in log quick proto tcp from 191.96.0.0/24 to any

    # Open port 465 for TCP on all interfaces
    pass in proto tcp from any to any port 21
    pass in proto tcp from any to any port 22
    pass in proto tcp from any to any port 23
    pass in proto tcp from any to any port 25
    pass in proto tcp from any to any port 53
    pass in proto udp from any to any port 53
    pass in proto tcp from any to any port 110
    pass in proto tcp from any to any port 143
    pass in proto tcp from any to any port 194
    pass in proto tcp from any to any port 389
    pass in proto tcp from any to any port 443
    pass in proto tcp from any to any port 445
    pass in proto tcp from any to any port 465
    pass in proto tcp from any to any port 587
    pass in proto tcp from any to any port 993
    pass in proto tcp from any to any port 5900
    pass in proto tcp from any to any port 6112

    pass in proto udp from any to any port 6277
    pass in proto udp from any to any port 1023
    # pass in proto tcp from any to any port 8000

    table <bruteforce> persist
    block quick from <bruteforce>
    pass in inet proto tcp to any port ssh \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 5/5, \
         overload <bruteforce> flush global)

    pass in on en0 from 192.168.0.0/24 to 192.168.0.1
    pass out on en0 from 192.168.0.1 to 192.168.0.0/24
    pass in on en1 from 192.168.0.0/24 to 192.168.0.1
    pass out on en1 from 192.168.0.1 to 192.168.0.0/24
    # pass all traffic to and from the local network.
    # these rules will create state entries due to the default
    # "keep state" option which will automatically be applied.
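The mechanics behind the question, the first answer and the antispoof remark in the final answer, as an added example that is not part of the thread: pf decides with last-match-wins semantics (a matching rule marked quick ends evaluation, and a packet that no rule matches is passed), and pf.conf(5) documents that antispoof for en0 inet is shorthand for the two rules block drop in on ! en0 inet from <en0's network> to any and block drop in inet from <en0's address> to any. If en0 and en1 are both attached to 192.168.0.0/24, the antispoof rule for each interface blocks LAN-sourced packets arriving on the other one, which fits the symptom in the question (LAN blocked, Internet fine) and the observation that antispoof cut off the router's web interface; the pass rules from the first answer come later in the file and therefore win for the flows they name. The Python model below implements that rule subset to make this visible. The interface addresses (en0 = 192.168.0.1, as the answer's pass out rule suggests, and en1 = 192.168.0.2 on the same subnet), the printer at 192.168.0.20, the Internet host 203.0.113.5 and the port numbers are constructed assumptions, not values from the thread.

```python
# Added example (not code from the thread): a small model of pf rule
# evaluation for the subset of pf.conf syntax the thread uses, showing why
# the question's antispoof rules block LAN traffic when en0 and en1 share a
# subnet and how the answer's later pass rules override them.
# Assumptions, not stated on the page: en0 = 192.168.0.1/24, en1 = 192.168.0.2/24,
# a printer at 192.168.0.20 and an Internet host at 203.0.113.5.
import ipaddress
import re

IFACES = {  # constructed interface table, see assumptions above
    "en0": ipaddress.ip_interface("192.168.0.1/24"),
    "en1": ipaddress.ip_interface("192.168.0.2/24"),
}

# action [drop|return] [in|out] [log] [quick] [on [!] iface] [inet] [proto X]
# [from src] [to dst] [port N]  -- the subset used by the rules in the thread
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?:drop|return))?(?:\s+(?P<dir>in|out))?"
    r"(?:\s+log)?(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<neg>!\s*)?(?P<iface>\w+))?(?:\s+inet)?"
    r"(?:\s+proto\s+(?P<proto>\w+))?(?:\s+from\s+(?P<src>\S+))?"
    r"(?:\s+to\s+(?P<dst>\S+))?(?:\s+port\s+(?P<port>\d+))?$"
)


def expand_antispoof(iface):
    """'antispoof for IFACE inet' is shorthand for these two block rules (pf.conf(5))."""
    net, addr = IFACES[iface].network, IFACES[iface].ip
    return [f"block drop in on ! {iface} inet from {net} to any",
            f"block drop in inet from {addr} to any"]


def parse_ruleset(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        expanded = expand_antispoof(line.split()[2]) if line.startswith("antispoof for ") else [line]
        for rule in expanded:
            m = RULE_RE.match(rule)
            if not m:
                raise ValueError(f"not in the modelled subset: {rule}")
            rules.append((rule, m.groupdict()))
    return rules


def host_matches(spec, addr):
    if spec in (None, "any"):
        return True
    if spec.startswith("<"):  # table contents are not modelled here
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(r, pkt):
    if r["dir"] and r["dir"] != pkt["dir"]:
        return False
    if r["iface"]:
        on_iface = pkt["iface"] == r["iface"]
        if bool(r["neg"]) == on_iface:  # "on ! en1" means every interface except en1
            return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["port"] and int(r["port"]) != pkt["dport"]:
        return False
    return host_matches(r["src"], pkt["src"]) and host_matches(r["dst"], pkt["dst"])


def evaluate(rules, pkt):
    """pf semantics: the last matching rule decides, unless a matching rule is 'quick'."""
    verdict = ("pass", "default (no rule matched)")
    for text, r in rules:
        if rule_matches(r, pkt):
            verdict = (r["action"], text)
            if r["quick"]:
                break
    return verdict


QUESTION_RULES = """
antispoof for en0 inet
antispoof for en1 inet
pass in proto tcp from any to any port 445
pass in proto tcp from any to any port 5900
"""
FIX_RULES = QUESTION_RULES + """
pass in on en0 from 192.168.0.0/24 to 192.168.0.1
pass out on en0 from 192.168.0.1 to 192.168.0.0/24
pass in on en1 from 192.168.0.0/24 to 192.168.0.1
pass out on en1 from 192.168.0.1 to 192.168.0.0/24
"""


def demo():
    def pkt(iface, src, dst, dport):  # constructed inbound TCP packets
        return {"dir": "in", "iface": iface, "proto": "tcp", "src": src, "dst": dst, "dport": dport}
    before, after = parse_ruleset(QUESTION_RULES), parse_ruleset(FIX_RULES)
    return {
        "lan_printer_before": evaluate(before, pkt("en0", "192.168.0.20", "192.168.0.1", 9100)),
        "lan_printer_after": evaluate(after, pkt("en0", "192.168.0.20", "192.168.0.1", 9100)),
        "internet_before": evaluate(before, pkt("en0", "203.0.113.5", "192.168.0.1", 3389)),
        "lan_to_en1_after": evaluate(after, pkt("en1", "192.168.0.20", "192.168.0.2", 9100)),
    }


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:20} {action:5} <- {rule}")
```

Running it shows the LAN packet on en0 blocked by the rule expanded from antispoof for en1 under the question's rules, passed by the answer's pass in on en0 rule once that is appended, and the Internet-sourced packet unaffected either way. The last case, a LAN packet to the assumed en1 address, is still blocked by the rule expanded from antispoof for en0, because the answer's pass rules only name 192.168.0.1 as destination; that gap is what the commenter's broader pass on en0 from 192.168.0.0/24 to any addresses, and what the final configuration sidesteps by commenting antispoof out.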