利用PF来实现多路由表

剑心通明

在FreeBSD7.1之前，要实现跟linux下的iproute2那样的功能：从哪来的数据还从哪返回，可以用PF来实现，具体方法如下：
1：rc.conf里面
设置两个ip，一个默认路由（注意此处的默认路由仅仅相对于该机器对外访问时的路由选择）
2：pf.conf
tel_if  = "em0" #
cnc_if  = "em1" #
loop_if = "lo0"
gw_tel  = "121.33.xx.xx"
gw_cnc  = "210.21.yy.yy"
set optimization aggressive
#set timeout { interval 10, frag 30 }
set timeout { tcp.first 30, tcp.opening 5, tcp.established 1800 }
#set timeout { tcp.closing 60, tcp.finwait 30, tcp.closed 30 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
scrub in all
# Block IP on the $ext_if
block in quick on {$tel_if, $cnc_if} from  to any
block all
pass quick on $loop_if all
#############################
# $tel_if
#############################
block in quick on $tel_if proto tcp all flags SF/SFRA
block in quick on $tel_if proto tcp all flags SFUP/SFRAU
block in quick on $tel_if proto tcp all flags FPU/SFRAUP
block in quick on $tel_if proto tcp all flags /SFRA
block in quick on $tel_if proto tcp all flags F/SFRA
block in quick on $tel_if proto tcp all flags U/SFRAU
# SSH,HTTP,SMTP,POP3,FTP
pass in quick on $tel_if proto tcp from $tel_if:network to any port {22,80,443,25,110,143} keep state
pass in quick on $tel_if proto tcp from $tel_if:network to any port {21,49152:65535} keep state
# Other
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto tcp from any to any port {22,25,110,143,80,443} keep state
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto tcp from any to any port {21,49152:65535} keep state
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto {tcp,udp} from any to any port 53 keep state
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto icmp from any to any icmp-type 8 code 0 keep state
pass out quick on $tel_if all keep state
############################
# $cnc_if
############################
block in quick on $cnc_if proto tcp all flags SF/SFRA
block in quick on $cnc_if proto tcp all flags SFUP/SFRAU
block in quick on $cnc_if proto tcp all flags FPU/SFRAUP
block in quick on $cnc_if proto tcp all flags /SFRA
block in quick on $cnc_if proto tcp all flags F/SFRA
block in quick on $cnc_if proto tcp all flags U/SFRAU
# Other
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto tcp from any to any port {22,25,110,143,80,443} keep state
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto tcp from any to any port {21,49152:65535} keep state
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto {tcp,udp} from any to any port 53 keep state
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto icmp from any to any icmp-type 8 code 0 keep state
pass out quick on $cnc_if all keep state


本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u/4206/showart_1791992.html

black_fire

讨论一下相关问题哈

这个相当于策略路由吧, 有没有可能根据目的地址的端口号进行路由的选择?

比如:  到目的地址A的80端口时 通过路由A, 而到目的地址A的其它地址时, 通过路由B ?
(实际情况是 目的地址的网站被电信封掉了, 而其它资源,如ssh均可通过公网地址访问)

epai1006

收藏一下。

我要盗版

强……都是硬货！！！！！！！！！{:{:2_171:}