# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# NOTE(review): pf's implicit policy is pass. Apart from the lan_net
# blocks under "Block All" below, nothing here installs a default deny,
# so traffic to the firewall host itself on $ext_if (and any flow that
# none of the rules below match) is allowed. Consider a leading
# "block all" (or "block in all") and then passing only what is needed,
# as pf.conf(5) recommends for this version -- verify against the
# documented rule-evaluation order before changing.
#
# NOTE(review): in this pf generation, nat/rdr are applied before the
# filter rules, so "out on $ext_if" filter rules that name a private
# source (e.g. $Admin, <leader>) only see packets that were NOT
# translated -- TODO confirm against pf.conf(5) for this release.
# --- Macros
# $ext_if is the external (tunnel) interface; ($ext_if:0) below tracks
# its address dynamically, which matters if the tunnel renumbers.
ext_if="tun0"
int_if="rl0"
# Despite the name, ext_net is an interface (used as "on $ext_net" below),
# presumably the physical interface carrying the tunnel -- verify.
ext_net="rl1"
modem="192.168.42.254"
lan_net="192.168.1.0/24"
# Management hosts: the only addresses allowed to reach the firewall's
# SSH/SNMP and the modem web UI (see the rdr and pass rules below).
Admin="{192.168.1.25,192.168.1.15,192.168.1.254}"
# Outbound TCP ports permitted to the <leader> and <working> tables.
ports="{80,443,110,25,1863}"
smsport="{9900,9901,9902,22223}"
smshost="{192.168.1.103}"
# --- Define Table
# Tables are loaded from files at load time ("persist" keeps a table
# even when empty). Membership in these files decides who gets NAT and
# who is blocked, so the files are policy: keep them root-owned and not
# group/world-writable.
table <leader> persist file "/etc/leader_user"
table <software> persist file "/etc/software_user"
# <message> and <other> are destination blocklists applied to <leader>.
table <message> persist file "/etc/message.block"
table <other> persist file "/etc/other.block"
table <working> persist file "/etc/working_user"
# NOTE(review): <test> is defined but not referenced by any rule below.
table <test> persist file "/etc/test_user"
# --- Option
# Silently drop blocked packets instead of returning RST/ICMP.
set block-policy drop
set loginterface $ext_if
# Normalize/reassemble all inbound fragments before filtering.
scrub in all
# --- NAT
# Admins and <software> members get NAT for every protocol.
nat on $ext_if from $Admin -> ($ext_if:0)
nat on $ext_if from <software> -> ($ext_if:0)
# <leader> and <working> only get NAT for a restricted set of
# protocols/ports; because untranslated packets from these tables are
# blocked below, the NAT port list is effectively the allow-list for them.
nat on $ext_if inet proto tcp from <leader> to any port $ports -> ($ext_if:0)
nat on $ext_if inet proto udp from <leader> to any port = 53 -> ($ext_if:0)
nat on $ext_if inet proto icmp from <leader> to any -> ($ext_if:0)
# NOTE(review): <working> has no TCP NAT rule; its TCP port 80 is
# redirected to 192.168.1.1:8025 below, presumably a local proxy -- verify.
nat on $ext_if inet proto udp from <working> to any port = 53 -> ($ext_if:0)
nat on $ext_if inet proto icmp from <working> to any -> ($ext_if:0)
nat on $ext_if inet proto tcp from $smshost to any port $smsport ->($ext_if:0)
# --- Redirection
# Publishes an internal web server to the Internet; see the matching
# "pass in" rule under "lele8" below.
rdr on $ext_if proto tcp from any to $ext_if port 80 -> 192.168.1.3 port 80
# Admin-only access to the modem's web UI via $int_if:8888.
rdr on $int_if proto tcp from $Admin to $int_if port 8888 -> $modem port 80
# NOTE(review): these redirects are disabled, but the corresponding
# "pass in" rules for 192.168.1.15 ports 4662/4672 under "lele8" are
# still active; either re-enable both or remove both.
#rdr on $ext_if proto tcp from any to $ext_if port 4662 -> 192.168.1.15 port 4662
#rdr on $ext_if proto udp from any to $ext_if port 4672 -> 192.168.1.15 port 4672
# Outbound FTP is diverted to a local proxy on 127.0.0.1:8021
# (consistent with the ftp-proxy(8) default port -- confirm it is running).
rdr on $int_if proto tcp from $Admin to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from <software> to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from <working> to any port 80 -> 192.168.1.1 port 8025
# --- Block All
# NOTE(review): this is not a "block all": it only blocks lan_net
# addresses crossing the two outside interfaces. Traffic aimed at the
# firewall itself is still governed by pf's default pass. Because NAT
# runs first, the "block out" lines only catch LAN hosts that were not
# translated above (those with no NAT rule), which appears to be the
# intended mechanism -- verify.
block out on $ext_if from $lan_net to any
block in on $ext_if from any to $lan_net
block out on $ext_net from $lan_net to any
block in on $ext_net from any to $lan_net
pass quick on lo0 all
# ---- lele8
# Inbound to the published web server (filtered on the translated address).
pass in on $ext_if proto tcp from any to 192.168.1.3 port 80 keep state
# NOTE(review): dead unless the 4662/4672 rdr rules above are re-enabled.
pass in on $ext_if proto tcp from any to 192.168.1.15 port 4662 keep state
pass in on $ext_if proto udp from any to 192.168.1.15 port 4672 keep state
# ---- Manager SSH
# Last match wins: block the LAN, then allow only $Admin.
# NOTE(review): no equivalent block exists for SSH arriving on $ext_if
# or $ext_net; with the default-pass policy it is reachable from there.
block in on $int_if proto tcp from $lan_net to $int_if port 22
pass in on $int_if proto tcp from $Admin to $int_if port 22 keep state
# ---- Manager SNMP
# Same pattern as SSH; same caveat about the outside interfaces.
block in on $int_if proto udp from $lan_net to $int_if port 161
pass in on $int_if proto udp from $Admin to $int_if port 161 keep state
# --- Pass Administrator
pass out on $ext_if from $Admin to any keep state
# NOTE(review): this passes traffic from ANY source on the external
# interface to the modem's web UI, while the rdr above limits it to
# $Admin on $int_if. If the intent is to carry the redirected admin
# sessions, this likely belongs on $int_if with "from $Admin"; as
# written it may expose the modem UI to the outside -- verify reachability.
pass in on $ext_if proto tcp from any to $modem port 80 keep state
# --- Pass Table <software>
# Unrestricted outbound for <software> members (all protocols/ports).
pass out on $ext_if from <software> to any keep state
# --- Pass Table <leader>
# NOTE(review): "quick" makes this block final, so the following pass
# rule can never match a packet that still carries a <leader> source.
# The allow-list is actually enforced by the <leader> NAT rules above
# (translated packets match neither line). Consider dropping "quick"
# or removing the shadowed pass rule so the policy reads as it behaves.
block out quick on $ext_if from <leader> to any
pass out on $ext_if proto tcp from <leader> to any port $ports keep state
# Destination blocklists for <leader>; the $int_if lines apply in both
# directions since no direction is given.
block on $ext_if from <leader> to <message>
block on $ext_if from <leader> to <other>
block on $int_if from <leader> to <message>
block on $int_if from <leader> to <other>
# --- Pass SMS
pass out on $ext_if proto tcp from $smshost to any port $smsport keep state
# --- Test
# Same quick/shadowing pattern as <leader> above; see that note.
block out quick on $ext_if from <working> to any
pass out on $ext_if proto tcp from <working> to any port $ports keep state