Setting Up a Small-Business Firewall with IP Filter

2007-06-22 12:45:29 Source: WEB开发网
The rules above block outbound data that uses invalid addresses.

pass out log on fxp0 proto tcp/udp from any to any keep state
pass out log on fxp0 proto icmp all keep state
The rules above allow TCP, UDP and ICMP packets to be sent out, and allow the reply packets to come back into the internal network.

block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from 169.254.0.0/16 to any
block in log quick on fxp0 from 224.0.0.0/3 to any
block in log quick on fxp0 from 204.152.64.0/23 to any
block in log quick on fxp0 from x.x.x.x/32 to any
block in log quick on fxp0 from any to x.x.x.0/32
block in log quick on fxp0 from any to x.x.x.255/32

The rules above block packets that carry internal-network addresses from being forwarded to the external network.

pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on fxp0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state
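
An added example, not part of the original article: a minimal Python model of how ipf evaluates rules (the last matching rule wins unless a matching rule carries `quick`), showing why each anti-spoofing `block in` rule needs `quick` when a `pass in quick` rule follows it. The sample rules, the packet and all function names are constructed for illustration, and only the rule subset used on this page is parsed.

```python
import ipaddress

# Constructed sample in this page's style; the first block rule omits "quick" on purpose.
RULES = """\
block in log on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state
"""
FIXED = RULES.replace("block in log on", "block in log quick on")  # "quick" restored

def parse(line):
    """Parse the small subset of ipf syntax used above (illustrative only)."""
    t = line.split()
    return {
        "action": t[0], "dir": t[1], "quick": "quick" in t,
        "iface": t[t.index("on") + 1],
        "proto": t[t.index("proto") + 1] if "proto" in t else None,
        "src": t[t.index("from") + 1],
        "port": int(t[t.index("port") + 2]) if "port" in t else None,  # "port = 80"
    }

def matches(rule, pkt):
    """True if the packet (assumed to be an initial TCP SYN) matches the rule."""
    if (rule["dir"], rule["iface"]) != (pkt["dir"], pkt["iface"]):
        return False
    src_ok = rule["src"] == "any" or (
        ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"]))
    return (src_ok and rule["proto"] in (None, pkt["proto"])
            and rule["port"] in (None, pkt["dport"]))

def decide(rules_text, pkt, default="pass"):
    """Last matching rule wins; a matching "quick" rule ends evaluation at once."""
    verdict = default  # ipf passes unmatched packets unless built to block by default
    for line in rules_text.splitlines():
        rule = parse(line)
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict

# Constructed packet: arrives on the external interface claiming a private source.
SPOOFED = {"dir": "in", "iface": "fxp0", "proto": "tcp",
           "src": "192.168.1.10", "dport": 80}

if __name__ == "__main__":
    print("first block rule without quick:", decide(RULES, SPOOFED))
    print("first block rule with quick:   ", decide(FIXED, SPOOFED))
```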

Editor: 爽爽