晚上睡不着，用PF写了个策略路由教本，大家看看

jervis0211

感谢楼主,虽然不能全看懂

startopenbsd

这种情况下路由表中default怎么写？

llzqq

原帖由 startopenbsd 于 2006-2-19 19:40 发表
这种情况下路由表中default怎么写？

不写defaultrouter

llzqq

继续讨论

rainren

其实很多都要实际测试一下才能行， 最好手上有机器可以运行它们！

不用马甲

连NAT都没有，怎么上网。没有路由表怎么策略？

zhangweizj

楼竹是我在CU里很敬佩的人之一。。  

llzqq

下面这个是网上参考别人的思路来的，给IP包打了标记，IP包出去的时候根据原先打的标记判断IP包的出口是那个：



##anchors

ext_if1 = "rl0"    //接网通
ext_if2 = "rl1"    //接电信
ext_gw1 = "218.104.232.1"   //网通网关
ext_gw2 = "61.154.11.254"   //电信网关
loop = "lo0"
service = "{22, 80, 443}"

scrub in all
antispoof for {$ext_if1, $ext_if2} inet

##default deny

block all
block return

##general "pass in" rules for external and loop interfaces

pass quick on $loop all
pass in on $ext_if1 tag cncgroup keep state
pass in on $ext_if2 tag chinanet keep state

##general "pass out" rules for external interfaces

pass out on {$ext_if1, $ext_if2} proto tcp from any to any flags S/SA modulate state
pass out on {$ext_if1, $ext_if2} proto { udp, icmp } from any to any keep state

##route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
##$ext_if2 and $ext_gw2

pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged chinanet keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged cncgroup keep state


希望有条件的测试一下

剑心通明

目前条件不成熟，过段时间再弄个出口了试试，先收藏做个标记

caicheng1015

这个我以前试过，在OB4.0上好像有内核问题。