安装配置完成FreeBSD之后，我们需要配置一个防火墙来保护我们的服务器。在这里，隆重向大家推荐我们的PF防火墙。

PF防火墙是OpenBSD的一个项目，在此，向OpenBSD开发团队表示感谢，虽然从来没有用过OpenBSD，但是OpenSSH天天用，现在PF也在用了。

第一步，我们编辑pf的规则文件vim /etc/pf.conf

#Macrosmy_int = \"em0\" # Let's just trust localhost set skip on lo # By default, we will block everyone and everything coming inblock in log all # accept ssh sessionspass in on $my_int proto tcp from any to any port 22 keep state # accept http sessionspass in on $my_int proto tcp from any to any port 80 keep state # accept icmp sessionspass in quick on $my_int proto icmp all keep state # Outgoing traffic is OK, here we keep state so returning packets# are accepted too.pass out log proto { tcp, udp, icmp } all keep state

第二步，编辑rc.conf文件vim /etc/rc.conf增加

pf_enable=\"YES\"pf_rules=\"/etc/pf.conf\"pflog_enable=\"YES\"pflog_logfile=\"/var/log/pf.log\"

第三步，启动pf

service pf restart

一般FreeBSD已经加载了pf.ko模块，但pflog.ko没有，我们可以手动加载  kldload pflog.ko

当然了。确认一切都正常之后，我们可以重启系统，执行reboot

下面是一些常用的命令，查看pf规则，查看当前连接等。

# pfctl -sr                 Show the current ruleset     # pfctl -ss                 Show the current state table     # pfctl -si                 Show filter stats and counters     # pfctl -sa                 Show EVERYTHING it can show

pf日志文件，我们可以用两种方式查看

查看日志文件中的日志:# tcpdump -n -e -ttt -r /var/log/pf.log观察实时的日志# tcpdump -n -e -ttt -i pflog0

上面只是基本的配置，实际在我们应用环境中，我们还需要限制并发连接数，来减轻DDOS攻击的危害

my_int = \"em0\"# Let's just trust localhostset skip on lo# By default, we will block everyone and everything coming inblock in log all# accept ssh sessionspass in on $my_int proto tcp from any to any port 22 keep state# accept http sessionstable <abusive_hosts> persistblock in log quick from <abusive_hosts>pass in on $my_int proto tcp to any \\    port 80 keep state \\    (max-src-conn 128, max-src-conn-rate 256/2, overload <abusive_hosts> flush)pass in on $my_int proto tcp to any \\    port 443 keep state \\    (max-src-conn 128, max-src-conn-rate 256/2, overload <abusive_hosts> flush) # accept icmp sessionspass in quick on $my_int proto icmp from any to any keep state# Outgoing traffic is OK, here we keep state so returning packets# are accepted too.pass out log proto { tcp, udp, icmp } all keep state

参考资料：

http://www.openbsd.org/faq/pf/filter.html

http://www.freebsd.org/doc/handbook/firewalls-pf.html

http://www.openbsd.org/faq/pf/index.html

http://tech.mansurovs.com/simple-freebsd-pf-firewall/

http://pf4freebsd.love2party.net/