Chinaunix

  平台 论坛 博客 文库
最近访问板块 发新帖
查看: 1833 | 回复: 5
打印 上一主题 下一主题

Haven't slept for a day and a night, begging an expert for guidance.

Post #1, posted 2005-12-22 17:28
ext_if1="xl0"
ext_if2="xl1"
int_if="fxp0"
lan_net="192.168.1.0/24"
ext_gw1="219.137.154.1"
ext_gw2="61.144.68.161"
ip_add="{192.168.1.0}"
tcp_services="{80,8933,62222}"
icmp_types="echoreq"
priv_nets="{127.0.0.0/8,192.168.0.1/16,172.16.0.0/12,10.0.0.0/8}"

set block-policy drop
set loginterface $ext_if1
set loginterface $ext_if2
set optimization aggressive

scrub in all
altq on $ext_if1 cbq bandwidth 100% queue {std,ftp}
altq on $ext_if2 cbq bandwidth 100% queue {std,ftp}
queue std bandwidth  80% cbq(default)
queue ftp bandwidth 50Kb priority 3 cbq



nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

rdr on $ext_if1 proto tcp from any to $ext_if1 port 80  -> 192.168.1.241 port 808

block in from any to any
block out from any to any
pass quick on lo0 all

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any flags S/SA modulate state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state
# general "pass out" rules for external interfaces

pass in on $ext_if1 inet proto tcp from any to ($ext_if1) port $tcp_services flags S/SA keep state
pass in on $ext_if1 proto tcp from any to 192.168.1.241 port 808 flags S/SA synproxy state
#pass out  proto tcp from any to $ext_if1 port ftp flags S/SA synproxy state queue ftp
#pass out  proto tcp from any to $ext_if2 port ftp flags S/SA synproxy state queue ftp
#pass out proto tcp from any to $ext_if1 port >2080 flags S/SA synproxy state queue http
#pass out proto tcp from any to $ext_if2 port >2080 flags S/SA synproxy state queue http

#pass from any to any flags S/SA synproxy state
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any

block drop in  quick on $ext_if1 from $priv_nets to any
block drop in  quick on $ext_if2 from $priv_nets to any
block drop out quick on $ext_if1 from any to $priv_nets
block drop out quick on $ext_if2 from any to $priv_nets

block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU


Can't rate-limit FTP; mainly I want to limit downloads.

Post #2, posted 2005-12-23 16:10
Nobody is answering me.

Post #3, posted 2005-12-23 17:24
What's going on? Ugh.

Post #4, posted 2005-12-25 18:40
Can't rate-limit FTP; mainly I want to limit downloads.

Post #5, posted 2005-12-26 08:10
Your rules aren't written correctly; how could they limit anything!

My rules are nothing special, but they work well enough for me; take them as a reference:

cat pf.conf
ext_if="tun0"
int_if="rl1"

deny_ports="{135, 137, 138, 139, 445, 593, 4444, 6881><6889, 6969}"
deny_address="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

icmp_types="echoreq"
udp_services="{53}"
video_ports="{554, 1755, 8080}"
http_ports="{80, 443}"

set block-policy return
set optimization aggressive
set loginterface $ext_if

scrub in all

altq on $ext_if cbq bandwidth 512Kb queue { std_out, http_out, ssh_out, dns_out, video_out }
  queue std_out  bandwidth 25%  cbq(default)
  queue http_out bandwidth 40%  priority 3 cbq(red borrow)
  queue ssh_out  bandwidth 10%  priority 4
  queue dns_out  bandwidth 5%  priority 5
  queue video_out bandwidth 20%  priority 6 cbq(red borrow)

altq on $int_if cbq bandwidth 100% queue { std_in, http_in, ssh_in, dns_in }
  queue std_in   bandwidth 40%  cbq(default)
  queue http_in  bandwidth 40%  priority 3 cbq(borrow)
  queue ssh_in   bandwidth 10%  priority 4 cbq(borrow)
  queue dns_in   bandwidth 10%  priority 5

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block all
block quick inet6 all

block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU

pass quick on lo0 all

antispoof quick for { $int_if $ext_if } inet

block in quick on $ext_if os NMAP
block in quick on $ext_if inet from $deny_address to ($ext_if)
block out quick on $ext_if inet from ($ext_if) to $deny_address

block in quick on $int_if proto {tcp, udp} from $int_if:network to any port $deny_ports flags S/SA
block in quick on $ext_if proto {tcp, udp} from any to ($ext_if) port $deny_ports flags S/SA

pass in quick inet proto icmp all icmp-type $icmp_types keep state
pass out quick inet proto icmp all icmp-type $icmp_types keep state

# filter rules for inbounds
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
The rule above is for FTP transfers.

# filter rules for out bounds
pass out on $ext_if inet proto {tcp, udp} from ($ext_if) to any flags S/SA keep state queue std_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port ssh flags S/SA keep state queue ssh_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $video_ports flags S/SA keep state queue video_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $http_ports flags S/SA keep state queue http_out
pass out on $ext_if inet proto {tcp, udp} from ($ext_if) to any port domain keep state queue dns_out

# filter rules for lan
# pass in on $int_if inet proto tcp from $int_if:network to any port $tcp_services keep state
pass in on $int_if inet proto tcp from $int_if:network to any keep state
pass in on $int_if inet proto udp from $int_if:network to any port $udp_services keep state

pass out on $int_if from any to $int_if:network keep state
pass out on $int_if inet proto tcp from any to $int_if:network port ssh keep state queue ssh_in
pass out on $int_if inet proto tcp from any to $int_if:network port http keep state queue http_in
pass out on $int_if inet proto {tcp, udp} from any to $int_if:network port domain keep state queue dns_in

[ Last edited by rainren on 2005-12-26 08:13 ]
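Added example, not code from either poster: a small Python lint for the ALTQ part of a pf.conf. It reports queues that are declared but never named by an active pass rule, which is exactly what goes wrong in post #1: the ftp queue exists, but every rule that says `queue ftp` is commented out, so all traffic lands in the cbq(default) queue and nothing is rate-limited, whereas the config in post #5 attaches `queue ...` to its pass out rules. The embedded pf.conf sample is constructed from post #1's lines.

```python
"""Lint ALTQ queues in a pf.conf: unassigned queues and declared percentage total."""
import re

# Constructed sample modelled on post #1: the only rule saying "queue ftp" is commented out.
SAMPLE_PF_CONF = """\
altq on $ext_if1 cbq bandwidth 100% queue {std,ftp}
queue std bandwidth 80% cbq(default)
queue ftp bandwidth 50Kb priority 3 cbq
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
#pass out proto tcp from any to $ext_if1 port ftp flags S/SA synproxy state queue ftp
"""

def active_lines(text):
    """Drop comments and blank lines; pf ignores everything after '#'."""
    stripped = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [l for l in stripped if l]

def declared_queues(lines):
    """Map queue name -> (bandwidth token, is_default) from 'queue NAME bandwidth ...' lines."""
    found = {}
    for line in lines:
        m = re.match(r"queue\s+(\S+)\s+bandwidth\s+(\S+)", line)
        if m:
            found[m.group(1)] = (m.group(2), "default" in line)
    return found

def assigned_queues(lines):
    """Queue names that pass rules hand traffic to: 'queue x' or 'queue (x, y)'."""
    used = set()
    for line in lines:
        m = re.search(r"\bqueue\s+(?:\(([^)]*)\)|(\S+))", line)
        if line.startswith("pass") and m:
            used.update(n.strip() for n in (m.group(1) or m.group(2)).split(","))
    return used

def unused_queues(text):
    """Non-default queues that exist but never receive traffic; the default queue catches the rest."""
    lines = active_lines(text)
    assigned = assigned_queues(lines)
    return sorted(name for name, (_, is_default) in declared_queues(lines).items()
                  if not is_default and name not in assigned)

def percent_total(text):
    """Sum of percentage bandwidths; absolute values such as 50Kb are not counted."""
    total = 0
    for bw, _ in declared_queues(active_lines(text)).values():
        if bw.endswith("%"):
            total += int(bw[:-1])
    return total
```

Run on the sample it reports `['ftp']` as never assigned. ALTQ only shapes packets leaving an interface, so limiting what the LAN downloads means queuing on the internal interface's pass out rules, as post #5's http_in and ssh_in queues do.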

Post #6, posted 2005-12-30 14:15
The rate limiting doesn't work! I guess it has to do with using two NICs to connect to the Internet.
Also, playing the game 泡泡堂 (BnB) lags! I don't know what the problem is. I removed all the rules and it still seems not to work. Could it be related to the load balancing?