BSD use SYN,ACK filter to catch autottl

2025-01-04 07:20:35 +05:00 · 2024-03-09 12:56:36 +03:00 · 2024-03-09 12:56:36 +03:00 · d771abfc52
commit d771abfc52
parent 0a0fcbf14c
3 changed files with 27 additions and 13 deletions
--- a/docs/bsd.eng.md
+++ b/docs/bsd.eng.md
@ -354,19 +354,23 @@ table <zapret> file "/opt/zapret/ipset/zapret-ip.txt"
 table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
 table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
 pass out quick on em0 inet  proto tcp to   <nozapret> port {80,443}
-pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} flags SA/SA divert-packet port 989 no state
-pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret> port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet  proto tcp from <zapret-user> port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret-user> port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <nozapret> port {80,443}
+pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret>  port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret-user>  port {80,443} divert-packet port 989 no state
 table <zapret6> file "/opt/zapret/ipset/zapret-ip6.txt"
 table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
 table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
 pass out quick on em0 inet6 proto tcp to   <nozapret6> port {80,443}
+pass in  quick on em0 inet6 proto tcp from <nozapret6> port {80,443}
 pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6> port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet6 proto tcp from <zapret6-user> port {80,443} no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6-user> port {80,443} divert-packet port 989 no state
 ```

--- a/docs/bsd.txt
+++ b/docs/bsd.txt
@ -302,19 +302,23 @@ table <zapret> file "/opt/zapret/ipset/zapret-ip.txt"
 table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
 table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
 pass out quick on em0 inet  proto tcp to   <nozapret> port {80,443}
-pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} flags SA/SA divert-packet port 989 no state
-pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret> port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet  proto tcp from <zapret-user> port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret-user> port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <nozapret> port {80,443}
+pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret>  port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret-user>  port {80,443} divert-packet port 989 no state
 table <zapret6> file "/opt/zapret/ipset/zapret-ip6.txt"
 table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
 table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
 pass out quick on em0 inet6 proto tcp to   <nozapret6> port {80,443}
+pass in  quick on em0 inet6 proto tcp from <nozapret6> port {80,443}
 pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6> port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet6 proto tcp from <zapret6-user> port {80,443} no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6-user> port {80,443} divert-packet port 989 no state
 ------------
 pfctl -f /etc/pf.conf
--- a/docs/bsdfw.txt
+++ b/docs/bsdfw.txt
@ -85,15 +85,21 @@ table <zapret> file "/opt/zapret/ipset/zapret-ip.txt"
 table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
 table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
 pass out quick on em0 inet  proto tcp to   <nozapret> port {80,443}
+pass in  quick on em0 inet  proto tcp from <nozapret> port {80,443}
+pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} no state
 pass out quick on em0 inet  proto tcp to   <zapret>  port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} no state
 pass out quick on em0 inet  proto tcp to   <zapret-user>  port {80,443} divert-packet port 989 no state
 table <zapret6> file "/opt/zapret/ipset/zapret-ip6.txt"
 table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
 table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
 pass out quick on em0 inet6 proto tcp to   <nozapret6> port {80,443}
-pass in  quick on em0 inet6 proto tcp from <zapret6>  port {80,443} no state
+pass in  quick on em0 inet6 proto tcp from <nozapret6> port {80,443}
+pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6> port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6-user> port {80,443} divert-packet port 989 no state