- 论坛徽章:
- 0
|
spark8103 发表于 2012-03-12 09:18 ![]()
king_819能分享下你们bsd的防火墙设置不!
分享一个生产环境中的pf脚本,服务器的作用是作为squid前端缓存,squid开三个进程,pf进行前端转发
<master>为远程管理端
<web> 为后端web源端
<tools> 为备份、ftp服务器端
<squidcs> 为squid多进程端
注:脚本中的IP是进行处理过的,不是真实IP- # macros
- #int_if = "em1"
- ext_if = "em0"
- icmp_types = "echoreq"
- table <master> {202.192.14.56/29,222.102.153.92}
- table <ddos> persist
- table <gm> {220.109.120.23,201.141.105.27}
- table <web> {202.192.14.56/29,61.105.19.192/26,202.184.104.145,61.112.204.161,211.143.130.28}
- table <squidcs> {10.0.101.241,10.0.101.242,10.0.101.243}
- table <tools> {61.107.17.1,61.179.66.149}
- # options
- set block-policy return
- set loginterface $ext_if
- set limit states 60000
- # scrub
- scrub in all
- # nat/rdr
- rdr inet proto tcp to 58.201.147.105 port 80 -> <squidcs> port 60006 round-robin sticky-address
- # filter rules
- pass in quick inet from <master>
- block in quick from <ddos>
- block in all
- pass quick on lo0 all
- pass in quick inet proto tcp to lo0 port 60006
- pass in quick inet proto tcp to lo0 port 80
- pass in quick proto tcp to ($ext_if) port 80 flags S/SA synproxy state (max-src-conn 50, max-src-conn-rate 50/5, overload <ddos> flush)
- pass quick inet proto icmp all icmp-type $icmp_types
- pass out to <gm>
- pass out to <web>
- pass out to <tools>
|
|
免费注册
楼主: king_819
发表于 2012-03-12 09:18
发表于 2012-03-12 09:55
