le0: connected to the Internet
le1: connected to the internal clients
Allow the internal clients to access HTTP and DNS
nat on le0 from any to any -> le0 # perform NAT
pass in on le0 from le1 to le0 keep state # allow le1 to reach le0
pass in proto tcp from any to any port 80 keep state # allow packets arriving for port 80
pass in proto tcp from any to any port 22 keep state # allow packets arriving for port 22
pass out on le0 proto tcp from any to any port 80 keep state # allow outbound HTTP
pass out on le0 proto udp from any to any port 53 keep state # allow outbound DNS
pass out on le0 proto tcp from any to any port 53 keep state # allow outbound DNS
block all # deny everything
Solution 1:
nat pass on le0 from any to any -> le0
pass in on le0 from le1 to le0 keep state
pass in proto tcp from any to any port 80 keep state
pass in proto tcp from any to any port 22 keep state
pass out on le0 proto tcp from any to any port 80 keep state
pass out on le0 proto udp from any to any port 53 keep state
block all
This way every NATed packet is passed straight through, so the NAT packets can no longer be filtered.
Solution 2:
nat on le0 from any to any -> le0
pass in on le0 from le1 to le0 keep state
pass in proto tcp from any to any port 80 keep state
pass in proto tcp from any to any port 22 keep state
pass out on le0 proto tcp from any to any port 80 keep state
pass out on le0 proto udp from any to any port 53 keep state
This way the other packets can no longer be filtered.
Could someone please help! Many thanks.
Got it working now.
Solution:
Add firewall rules for traffic from the 192.168.1.0/24 network going out to the Internet
nat on le0 from any to any -> le0
block all
pass inet proto tcp from 192.168.1.0/24 to any port 80 keep state
pass inet proto udp from 192.168.1.0/24 to any port 53 keep state
pass inet proto tcp from 192.168.1.0/24 to any port 53 keep state
pass in on le0 from le1 to le0 keep state
pass in proto tcp from any to any port 80 keep state
pass in proto tcp from any to any port 22 keep state
pass out on le0 proto tcp from any to any port 80 keep state
pass out on le0 proto udp from any to any port 53 keep state
pass out on le0 proto tcp from any to any port 53 keep state
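The reason the first ruleset blocked everything and the working one does not is pf's evaluation order: without the "quick" keyword the last matching filter rule decides, so a trailing "block all" is the last match for every packet and overrides the "pass" rules above it, while a leading "block all" is a default that later "pass" rules override. The following Python model is an added illustration, not part of the post and not pf itself. It parses only the rule subset used in the post, ignores "nat" lines (which translate rather than filter) and the "nat pass" bypass from Solution 1, and assumes constructed interface addressing (le1 on 192.168.1.0/24, le0 on 203.0.113.5) and constructed sample packets.

```python
import ipaddress

# Constructed interface addressing for this example (not stated on the page):
# le1 faces the 192.168.1.0/24 clients, le0 holds the NAT address.
IFACE_NETS = {"le1": "192.168.1.0/24", "le0": "203.0.113.5/32"}

def parse_rule(line):
    """Parse one pf filter rule (the page's subset of the syntax); None for
    blank/comment lines and 'nat' rules, which translate rather than filter."""
    toks = line.split("#", 1)[0].split()
    if not toks or toks[0] == "nat":
        return None
    rule = {"action": toks[0], "dir": None, "iface": None, "proto": None,
            "src": "any", "dst": "any", "dport": None}
    keyword = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "port": "dport"}
    i = 1
    while i < len(toks):
        if toks[i] in ("in", "out"):
            rule["dir"] = toks[i]
        elif toks[i] in keyword:  # keyword followed by its argument
            i += 1
            rule[keyword[toks[i - 1]]] = int(toks[i]) if toks[i - 1] == "port" else toks[i]
        # 'all', 'inet', 'keep' and 'state' add no match criteria in this model
        i += 1
    return rule

def addr_matches(spec, addr):
    """'any', a CIDR, or an interface name resolved through IFACE_NETS."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(IFACE_NETS.get(spec, spec), strict=False)
    return ipaddress.ip_address(addr) in net

def rule_matches(rule, pkt):
    return ((rule["dir"] is None or rule["dir"] == pkt["dir"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"]))

def evaluate(ruleset, pkt):
    """pf without 'quick': the LAST matching rule decides; no match means pass."""
    verdict = "pass"
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if rule is not None and rule_matches(rule, pkt):
            verdict = rule["action"]
    return verdict

# Poster's first ruleset: 'block all' is the last rule, hence the last match
# for every packet, so it overrides all the 'pass' rules above it.
ORIGINAL_RULES = """
nat on le0 from any to any -> le0
pass in on le0 from le1 to le0 keep state
pass in proto tcp from any to any port 80 keep state
pass in proto tcp from any to any port 22 keep state
pass out on le0 proto tcp from any to any port 80 keep state
pass out on le0 proto udp from any to any port 53 keep state
pass out on le0 proto tcp from any to any port 53 keep state
block all
"""

# Working ruleset: 'block all' first as the default, later 'pass' rules
# override it for the traffic the poster wants to allow.
FIXED_RULES = """
nat on le0 from any to any -> le0
block all
pass inet proto tcp from 192.168.1.0/24 to any port 80 keep state
pass inet proto udp from 192.168.1.0/24 to any port 53 keep state
pass inet proto tcp from 192.168.1.0/24 to any port 53 keep state
pass in on le0 from le1 to le0 keep state
pass in proto tcp from any to any port 80 keep state
pass in proto tcp from any to any port 22 keep state
pass out on le0 proto tcp from any to any port 80 keep state
pass out on le0 proto udp from any to any port 53 keep state
pass out on le0 proto tcp from any to any port 53 keep state
"""

# Constructed sample packets (documentation address ranges).
SAMPLE_PACKETS = {
    # a client's HTTP request arriving on the inside interface
    "client_http_in": {"dir": "in", "iface": "le1", "proto": "tcp",
                       "src": "192.168.1.10", "dst": "198.51.100.7", "dport": 80},
    # the same request leaving le0 after NAT rewrote the source address
    "nat_http_out": {"dir": "out", "iface": "le0", "proto": "tcp",
                     "src": "203.0.113.5", "dst": "198.51.100.7", "dport": 80},
    # an unsolicited connection from the Internet to a port no rule allows
    "internet_telnet_in": {"dir": "in", "iface": "le0", "proto": "tcp",
                           "src": "198.51.100.9", "dst": "203.0.113.5", "dport": 23},
}

def verdicts(ruleset):
    """Verdict for each sample packet under the given ruleset."""
    return {name: evaluate(ruleset, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

Running verdicts(ORIGINAL_RULES) gives "block" for all three packets, including the client's HTTP request and its NATed outbound leg, which is the symptom the poster hit; verdicts(FIXED_RULES) passes those two and still blocks the unsolicited connection. One thing the model makes visible that the working ruleset leaves open: "pass in proto tcp from any to any port 22" carries no "on" clause, so it admits SSH arriving on le0 from the Internet side as well as from le1; binding it to an interface (or a source network) narrows it to whatever was actually intended. The model also omits pf's state table, so it does not show that "keep state" lets the reply packets through without a separate rule.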