论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2006-02-17 09:42 |只看该作者 |倒序浏览

讨论一下，暂时没条件测试：

# vi /etc/rc.conf
================+==============+=================
ifconfig_rl0="inet 218.104.232.207 netmask 255.255.255.0" //网通
ifconfig_rl1="inet 61.154.11.150 netmask 255.255.255.0" //电信
pf_enable="YES"
================+==============+=================

# vi /etc/pf.conf
================+==============+=================
##anchors
ext_if1 = "rl0"
ext_if2 = "rl1"
ext_gw1 = "218.104.232.1"
ext_gw2 = "61.154.11.254"
loop = "lo0"
service = "{22, 80, 443}"

scrub in all

antispoof for {$ext_if1, $ext_if2} inet

##default deny
block all
block return

##general "pass in" rules for external and loop interfaces
pass quick on $loop all
pass in on {$ext_if1, $ext_if2} proto tcp from any to any port $service flags S/SA modulate state
pass in on {$ext_if1, $ext_if2} proto { udp, icmp } from any to any keep state

##general "pass out" rules for external interfaces
pass out on {$ext_if1, $ext_if2} proto tcp from any to any flags S/SA modulate state
pass out on {$ext_if1, $ext_if2} proto { udp, icmp } from any to any keep state

##route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
##$ext_if2 and $ext_gw2
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
================+==============+=================

这个教本参考了pf的faq写的。实现双线接入情况下，从网通专线来的IP包，回去的时候还走网通线路，同理，电信线路来的IP包回去的时候还走电信线路。大家帮我分析一下，这个教本实现的思路有没有问题。

下面这个是网上参考别人的思路来的，给IP包打了标记，IP包出去的时候根据原先打的标记判断IP包的出口是那个：

给IP包打标记的策略路由方法：

##anchors

ext_if1 = "rl0" //接网通
ext_if2 = "rl1" //接电信
ext_gw1 = "218.104.232.1" //网通网关
ext_gw2 = "61.154.11.254" //电信网关
loop = "lo0"
service = "{22, 80, 443}"

scrub in all
antispoof for {$ext_if1, $ext_if2} inet

##default deny

block all
block return

##general "pass in" rules for external and loop interfaces

pass quick on $loop all
pass in on $ext_if1 tag cncgroup keep state
pass in on $ext_if2 tag chinanet keep state

##general "pass out" rules for external interfaces

pass out on {$ext_if1, $ext_if2} proto tcp from any to any flags S/SA modulate state
pass out on {$ext_if1, $ext_if2} proto { udp, icmp } from any to any keep state

##route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
##$ext_if2 and $ext_gw2

pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged chinanet keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged cncgroup keep state

[ 本帖最后由 llzqq 于 2006-11-30 17:20 编辑 ]

文库|博客

llzqq

广告杀手

论坛徽章:: 0

2楼 [报告]

发表于 2006-02-17 12:20 |只看该作者

没人理

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

bigheadfish80

小富即安

论坛徽章:: 0

3楼 [报告]

发表于 2006-02-17 12:31 |只看该作者

太高了吧，估计没人敢来提点什么！！！

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

2004xxx 该用户已被删除	4楼 [报告] 发表于 2006-02-17 12:52 \|只看该作者提示: 作者被禁止或删除内容自动屏蔽
2004xxx 该用户已被删除	实战分享：从技术角度谈机器学习入门\| 【大话IT】RadonDB低门槛向MySQL集群下战书 \| ChinaUnix打赏功能已上线！ \| 新一代分布式关系型数据库RadonDB知多少？

剑心通明

版主

论坛徽章:: 2

5楼 [报告]

发表于 2006-02-17 13:03 |只看该作者

印象中曾经试过，好像不管用，可能是没弄好吧，后来因为急着用，就在dns上打主意了

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

llzqq

广告杀手

论坛徽章:: 0

6楼 [报告]

发表于 2006-02-17 13:05 |只看该作者

原帖由 2004xxx 于 2006-2-17 12:52 发表
状态和接口无关吗?

如果有关,在只是提供服务的情况下,
还需要这个吗?

[code]pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw ...

这个是核心，实现由那条线来，还到那条线去。

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

llzqq

广告杀手

论坛徽章:: 0

7楼 [报告]

发表于 2006-02-17 13:10 |只看该作者

谁有条件试验一下，用几台路由器也可以做这个试验，可惜偶没有。

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

2004xxx 该用户已被删除	8楼 [报告] 发表于 2006-02-17 13:45 \|只看该作者提示: 作者被禁止或删除内容自动屏蔽
2004xxx 该用户已被删除	实战分享：从技术角度谈机器学习入门\| 【大话IT】RadonDB低门槛向MySQL集群下战书 \| ChinaUnix打赏功能已上线！ \| 新一代分布式关系型数据库RadonDB知多少？

llzqq

广告杀手

论坛徽章:: 0

9楼 [报告]

发表于 2006-02-17 15:43 |只看该作者

这个是pf文档中的一个范例－－－双线接入做网关负载均衡：

##anchors
lan_net = "192.168.0.0/24"
int_if = "fxp0"
ext_if1 = "rl0"
ext_if2 = "rl1"
ext_gw1 = "221.33.88.254"
ext_gw2 = "61.0.57.254"

##nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

##default deny
block in from any to any
block out from any to any

##pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net
##pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
##load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto tcp from $lan_net to any flags S/SA modulate state
##load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
{ ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
proto { udp, icmp } from $lan_net to any keep state

##general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

##route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
##$ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

我是在这个基础上稍加修改二来的。应该不会有楼上提到的问题。