[FreeBSD] A badly written PF ruleset (dual-line, dual-IP, dual-NIC colocated server, no LAN); asking the experts to correct it

Post 1 (justts), posted 2008-10-11 17:21
First of all, I couldn't find a complete example for this kind of setup anywhere online.
Environment: FreeBSD 7.1-BETA + PF.
The machine runs a web service and other things (omitted); the firewall is on the same host.
Dual-line data centre, one IP each from China Telecom and China Netcom, two NICs; rc.conf uses the Telecom gateway as the default.
What I want to achieve:
1. Basic security settings.
2. Each link's traffic goes in and out through its own NIC.
3. Bandwidth control for the Telecom and Netcom traffic is handled by each link's own NIC.

I really don't have time to study the PF manual any further. I put this ruleset together by referring to a few examples and ended up thoroughly confused, so I'm here to ask for help.

The bandwidth-control part has been left out of this ruleset for now; it is complicated enough already, and that part can be discussed later.

The blue text is my questions, the red text marks the keywords involved (sometimes left unmarked),
and the parts in square brackets are brief explanations.

[define the NICs and gateways]
ext_if1 = "em0"
ext_if2 = "em1"
gw_ext1 = "电信网关"
gw_ext2 = "网通网关"
ext_ifab = "{" $ext_if1 $ext_if2 "}"
loop = "lo0"
ports = "{ 21, 22, 80, 110, 443, 10005 }"      [ports open to the outside]
noroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"    [reserved addresses, for safety]
web = "{127.0.0.1}"      [web service]
This part....

icmp_types = "echoreq"
set block-policy return
set optimization aggressive
set loginterface em0
set loginterface em1
Question 1: do both NICs need to be listed here (could it be written as set loginterface $ext_ifab)? Or is it enough to list only the Telecom NIC?

scrub in all

[redirect the web service to 127.0.0.1]
rdr on $ext_if1 proto tcp from any to $ext_if1 port 80 -> $web port 80
rdr on $ext_if2 proto tcp from any to $ext_if2 port 80 -> $web port 80
Question 2(a): can this be written as a single line, ...to $ext_ifab port 80.......?
Question 2(b): will this redirection interfere with the per-NIC traffic-handling settings further down?

[anti-spoofing settings]
antispoof for $ext_ifab inet
Question 3: do I need two lines here, written separately, or combined as above?

[anti-scan settings]
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags SFUP/SFRAU
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
block in quick proto tcp all flags P
Question 4: could these be written as block in log quick on $ext_ifab inet proto tcp from any to any flags SF/SFRA, or something similar?

block all
block return

pass quick on $loop all

[a few small security settings]
block in quick on $ext_ifab os NMAP
block in quick on $ext_ifab from $noroute to any
block out quick on $ext_ifab from any to $noroute
Question 5: can these also be written in this combined form? Actually my concern with these isn't the combined form, but whether they affect the settings in the sections that follow.

[dividing the work between the NICs]
pass in quick on $ext_if1 reply-to ( $ext_if1 $gw_ext1 ) proto {tcp,udp,icmp} to any keep state
pass in quick on $ext_if2 reply-to ( $ext_if2 $gw_ext2 ) proto {tcp,udp,icmp} to any keep state
Question 6(a): what is the difference between reply-to and route-to when used here?
Question 6(b): given the rdr redirection above, are these two rules still of any use?

[connection limits, against DDoS]
table <abusive_hosts> persist
block in quick from <abusive_hosts>

pass in on $ext_if1 inet proto tcp from any to $ext_if1 flags S/SA keep state \
(source-track rule, max-src-conn 80, max-src-conn-rate 15/3, max-src-states 30, overload <abusive_hosts> flush)
pass in on $ext_if2 inet proto tcp from any to $ext_if2 flags S/SA keep state \
(source-track rule, max-src-conn 80, max-src-conn-rate 15/3, max-src-states 30, overload <abusive_hosts> flush)

pass in on $ext_if1 proto tcp from any to $web port 80 flags S/SA synproxy state
pass in on $ext_if2 proto tcp from any to $web port 80 flags S/SA synproxy state

pass in quick on $ext_if1 proto {tcp,udp} from any to any port $ports keep state
pass in quick on $ext_if2 proto {tcp,udp} from any to any port $ports keep state

[a small thing left for FTP]
pass in quick proto tcp from any to any port > 60000 keep state

pass out quick on $ext_ifab all keep state

-----------------------------------------------

It has been proven to work, but don't test it from inside a LAN; testing on a LAN doesn't work, heh.

[ Last edited by justts on 2008-10-15 10:02 ]
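An added example, written for this thread and not taken from the post or from any reply, showing one consolidated pf.conf that works through questions 1 to 6 in its own comments. It keeps the post's macros, ports and reserved-address list; the two gateway macros are placeholders, and unlike the post's two "pass in quick ... proto {tcp,udp,icmp} to any" lines, which match all remaining inbound traffic before the port and connection-limit rules are reached, reply-to here is attached to the service rules themselves.

```pf
# Added example (not the poster's rules); the two gateway macros are placeholders.
ext_if1  = "em0"
ext_if2  = "em1"
gw_ext1  = "<telecom gateway IP>"
gw_ext2  = "<netcom gateway IP>"
ext_ifab = "{" $ext_if1 $ext_if2 "}"
web      = "127.0.0.1"
ports    = "{ 21, 22, 80, 110, 443, 10005 }"
noroute  = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"

# Q1: pf keeps only one loginterface; a second "set loginterface" replaces the first.
set loginterface $ext_if1
set skip on lo0                  # replaces "pass quick on lo0 all"
scrub in all

# Q2(a): one rdr over the interface list; "to $ext_ifab" expands to both NICs' addresses.
rdr on $ext_ifab proto tcp from any to $ext_ifab port 80 -> $web port 80

# Q3: one antispoof over the list expands to the same rules as one line per interface.
antispoof quick for $ext_ifab inet

# Q4/Q5: scan and bogon filters written once for both NICs.  They are quick block
# rules evaluated before any pass rule, so they do not alter the reply-to rules below.
block in log quick on $ext_ifab inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_ifab inet proto tcp from any to any flags SFUP/SFRAU
block in log quick on $ext_ifab inet proto tcp from any to any flags FPU/SFRAUP
block in log quick on $ext_ifab inet proto tcp from any to any flags /SFRA
block in log quick on $ext_ifab inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_ifab inet proto tcp from any to any flags U/SFRAU
block in quick on $ext_ifab from $noroute to any
block out quick on $ext_ifab from any to $noroute

table <abusive_hosts> persist
block in quick from <abusive_hosts>
block all                        # default deny; the pass rules below are the exceptions

# Q2(b)/Q6: rdr runs before filtering, so the pass rule matches the translated
# destination ($web port 80).  reply-to on a "pass in" rule sends that state's replies
# back out the arrival interface via that link's gateway; route-to steers outbound packets.
pass in on $ext_if1 reply-to ($ext_if1 $gw_ext1) proto tcp from any to $web port 80 flags S/SA \
    keep state (source-track rule, max-src-conn 80, max-src-conn-rate 15/3, overload <abusive_hosts> flush)
pass in on $ext_if2 reply-to ($ext_if2 $gw_ext2) proto tcp from any to $web port 80 flags S/SA \
    keep state (source-track rule, max-src-conn 80, max-src-conn-rate 15/3, overload <abusive_hosts> flush)
pass in on $ext_if1 reply-to ($ext_if1 $gw_ext1) proto { tcp, udp } from any to ($ext_if1) port $ports keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw_ext2) proto { tcp, udp } from any to ($ext_if2) port $ports keep state
pass in on $ext_if1 reply-to ($ext_if1 $gw_ext1) inet proto icmp icmp-type echoreq keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw_ext2) inet proto icmp icmp-type echoreq keep state
# Connections the host itself opens follow the default route from rc.conf.
pass out on $ext_ifab keep state
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f; pfctl -sr shows how the interface lists were expanded.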

Post 2 (cnduly), posted 2008-10-11 20:33
This is the way you'd do it for a gateway; it's not suitable for your environment!!!

Post 3, posted 2008-10-11 20:38
Brother above, could you give some advice...

Post 4, posted 2008-10-11 20:44
The one llzqq wrote is probably more suitable~~~~~~
http://bbs.chinaunix.net/viewthr ... hlight=%B2%DF%C2%D4

Post 5, posted 2008-10-11 22:59
Below are the rules I'm currently using; it would be even better with smart DNS to go with them.
tel_if  = "em0"
cnc_if  = "em1"
loop_if = "lo0"

gw_tel  = "121.x.x.x"
gw_cnc  = "210.y.y.y"

set optimization aggressive
set timeout { tcp.first 30, tcp.opening 5, tcp.established 1800 }

scrub in all

block all

pass quick on $loop_if all

#############################
# $tel_if
#############################
block in quick on $tel_if proto tcp all flags SF/SFRA
block in quick on $tel_if proto tcp all flags SFUP/SFRAU
block in quick on $tel_if proto tcp all flags FPU/SFRAUP
block in quick on $tel_if proto tcp all flags /SFRA
block in quick on $tel_if proto tcp all flags F/SFRA
block in quick on $tel_if proto tcp all flags U/SFRAU

# SSH,HTTP,SMTP,POP3,FTP
pass in quick on $tel_if proto tcp from $tel_if:network to any port {22,80,443,25,110,143} keep state
pass in quick on $tel_if proto tcp from $tel_if:network to any port {21,49152:65535} keep state

# Other
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto tcp from any to any port {22,25,110,143,80,443} keep state
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto tcp from any to any port {21,49152:65535} keep state
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto {tcp,udp} from any to any port 53 keep state
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto icmp from any to any icmp-type 8 code 0 keep state

pass out quick on $tel_if all keep state


############################
# $cnc_if
############################
block in quick on $cnc_if proto tcp all flags SF/SFRA
block in quick on $cnc_if proto tcp all flags SFUP/SFRAU
block in quick on $cnc_if proto tcp all flags FPU/SFRAUP
block in quick on $cnc_if proto tcp all flags /SFRA
block in quick on $cnc_if proto tcp all flags F/SFRA
block in quick on $cnc_if proto tcp all flags U/SFRAU

# HTTP,SMTP,POP3,SSH
pass in quick on $cnc_if proto tcp from $cnc_if:network to any port {22,25,110,143,80,443} keep state
pass in quick on $cnc_if proto tcp from $cnc_if:network to any port {21,49152:65535} keep state

# Other
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto tcp from any to any port {22,25,110,143,80,443} keep state
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto tcp from any to any port {21,49152:65535} keep state
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto {tcp,udp} from any to any port 53 keep state
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto icmp from any to any icmp-type 8 code 0 keep state

pass out quick on $cnc_if all keep state

Post 6, posted 2008-10-13 20:16
My original version has now been tested successfully; thanks to the folks above for their help.
Here are the adjustments I made:

1. A few names were wrong (for example, a macro was named A but later referenced as $B); a minor issue, fixed and OK.
2. Some of the filter rules are duplicated; they don't affect the whole, but for tidiness I'll remove the extras later.
3. My test from the internal network failed because I had forgotten that I filter the internal network -_-, a rookie mistake, heh.
4. The bandwidth-limiting part will be completed later.

Post 7, posted 2008-10-13 20:22
Originally posted by cnduly on 2008-10-11 20:33:
This is the way you'd do it for a gateway; it's not suitable for your environment!!!


Heh, it does work..............

Post 8 (wangbin), posted 2008-10-15 02:40
Thanks to the OP, this is a great creation!! Everyone will be able to use it.

Post 9, posted 2008-10-15 09:58
Originally posted by wangbin on 2008-10-15 02:40:
Thanks to the OP, this is a great creation!! Everyone will be able to use it.


Heh, you're too kind; the credit goes to everyone.