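# $OpenBSD: pf.conf,v 1.29 2005/08/23 02:52:58 henning Exp $
#
# Dual-uplink gateway: two external interfaces ($ext_if1, $ext_if2) and one
# LAN interface ($int_if).  Outbound LAN traffic is NATed on whichever
# uplink it leaves and load-balanced across both with route-to/round-robin;
# inbound is default-deny except for the listed services and one rdr'd
# internal web server.

# --- macros ---
ext_if1="xl0"
ext_if2="xl1"
int_if="fxp0"
lan_net="192.168.1.0/24"
ext_gw1="219.137.154.1"
ext_gw2="61.144.68.161"
tcp_services="{80,8933,62222}"
icmp_types="echoreq"
# Loopback and RFC 1918 ranges that must never be seen on the uplinks.
# Fixed: the second entry was written as 192.168.0.1/16 (host bits set);
# the intended network is 192.168.0.0/16.
priv_nets="{127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8}"

# --- options ---
set block-policy drop
# pf collects counters for a single loginterface; the original set it twice
# and only the last assignment took effect.  Keep that one explicitly and
# leave the shadowed one commented so the intent is visible.
#set loginterface $ext_if1
set loginterface $ext_if2
set optimization aggressive

# --- normalization ---
scrub in all

# --- translation (evaluated before the filter rules) ---
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
# Publish the internal web server on uplink 1.  The filter rule that admits
# this traffic (below) must match the post-translation address and port.
rdr on $ext_if1 proto tcp from any to any port 80 -> 192.168.1.241 port 808

# --- filter: default deny in both directions ---
block in from any to any
block out from any to any
pass quick on lo0 all
# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
# load balance outgoing tcp traffic from internal network.
# (Rejoined: the original had "flags S/S" and "A modulate state" split across
# two lines by the forum's line wrapping; the rule is "flags S/SA modulate state".)
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any flags S/SA modulate state
# load balance outgoing udp and icmp traffic from internal network
# (Rejoined: "keep state" had been wrapped onto its own line.)
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state
# general "pass out" rules for external interfaces
# NOTE(review): port 80 in $tcp_services is rewritten by the rdr above before
# this rule is evaluated, so web traffic is admitted by the 192.168.1.241:808
# rule that follows; only 8933 and 62222 are reached here.  Confirm that is
# intended before pruning the list.
pass in on $ext_if1 inet proto tcp from any to ($ext_if1) port $tcp_services flags S/SA keep state
# synproxy completes the handshake on the gateway before the server sees it.
pass in on $ext_if1 proto tcp from any to 192.168.1.241 port 808 flags S/SA synproxy state
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any

# --- anti-spoofing and scan hygiene ---
# These are "quick", so they take precedence over any earlier pass rule that
# also matched (pf stops evaluating at the first matching quick rule).
block drop in quick on $ext_if1 from $priv_nets to any
block drop in quick on $ext_if2 from $priv_nets to any
block drop out quick on $ext_if1 from any to $priv_nets
block drop out quick on $ext_if2 from any to $priv_nets
# Drop TCP segments with flag combinations that never occur in a legitimate
# handshake (SYN+FIN, FIN+PSH+URG, no flags, FIN only, URG only).
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
# Windows RPC/NetBIOS/SMB and MS-SQL ports: drop inbound on every interface.
block drop in quick proto {tcp,udp} from any to any port {135,139,445,1433,1434}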