Originally posted by mcwin on 2006-9-29 11:05:
pass out on $ext_if proto tcp to 123.45.67.89 port 21
In my setup that line does not work either. Here is my pf.conf. 192.168.2.13 can currently reach every external FTP server; what I want is to restrict it to one specified FTP server.
ext_if="vr0"
int_if="xl0"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
NETWORK_A="192.168.2.0/24"
priv_nets="{
127.0.0.0/8,
192.168.0.0/16,
172.16.0.0/12,
10.0.0.0/8
}"
# set optimization aggressive
set optimization conservative
set block-policy return
set loginterface $ext_if
scrub in all
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
block all
pass on lo0 all
anchor "ftp-proxy/*"
block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets
pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type echoreq keep state
## .: filter select :.
### pass in on $int_if from $int_if:network to any keep state # this line is commented out to stop LAN users going out #
pass out on $int_if from any to $int_if:network keep state
# pass in on $int_if inet proto tcp from $int_if:network to 127.0.0.1 port 3128 keep state
# pass out on $ext_if inet proto tcp from any to any port www keep state
pass out on $ext_if proto tcp from ($ext_if) to any modulate state flags S/SA
pass out on $ext_if inet proto {udp,icmp} from ($ext_if) to any keep state
## .: allow outbound part :.
pass in on $int_if inet proto udp from $int_if:network to { 202.96.128.68, 202.96.128.86 } port domain keep state
pass in on $int_if inet proto tcp from $int_if:network to 1.2.3.4 port 110 modulate state
pass in on $int_if inet proto tcp from $int_if:network to 5.6.7.8 port 25 modulate state
pass in on $int_if inet proto tcp from 192.168.2.13 to 127.0.0.1 port {21,>1024}
## end at here.
[ This post was last edited by tidezcy on 2006-9-29 13:44 ]
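An added example, not part of tidezcy's post or mcwin's reply: with ftp-proxy(8), the LAN client never reaches the remote server on port 21 itself. The rdr hands its connection to the proxy on 127.0.0.1:8021, and the proxy opens the control connection to the real server from the gateway's own address, so on $ext_if that connection looks like any other traffic from ($ext_if). In the posted config it is already matched by `pass out on $ext_if proto tcp from ($ext_if) to any modulate state flags S/SA`, which is why adding one more pass rule, as mcwin suggested, cannot narrow anything. The fragment below keeps the post's macros and anchors, assumes 123.45.67.89 (mcwin's placeholder) is the only server to allow, and relies on pf's last-matching-rule evaluation (no `quick`) to block the proxy's outgoing port-21 connections except to that one host.

```pf
# Added example, not the poster's pf.conf. Assumes the post's macros
# ($ext_if, $int_if) and that allowed_ftp is the only server permitted.
allowed_ftp="123.45.67.89"   # placeholder address from mcwin's reply

# ftp-proxy plumbing as in the post: LAN port-21 connections go to the
# proxy on 127.0.0.1:8021; "rdr pass" admits the redirected connection
# without a separate filter rule.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# General outbound rule from the post. The proxy's control connection to
# any FTP server also matches it, so it must be overridden below.
pass out on $ext_if proto tcp from ($ext_if) to any modulate state flags S/SA

# Last matching rule wins: block every control connection the proxy
# opens, then re-allow only the one destination. Data connections are
# passed by the rules ftp-proxy loads into its anchor, and it loads them
# only for a control session that was actually established, so blocking
# port 21 is enough.
block out log on $ext_if proto tcp from ($ext_if) to any port 21
pass out on $ext_if proto tcp from ($ext_if) to $allowed_ftp port 21 modulate state flags S/SA
```

Because the proxy originates the control connection, pf on $ext_if cannot tell which LAN host started it; this restriction therefore applies to every client redirected to this proxy instance, not just 192.168.2.13. Check the result with `pfctl -sr` (rule order) and watch the blocked attempts on the pflog interface with `tcpdump -n -e -ttt -i pflog0 port 21`; if other LAN hosts need unrestricted FTP, separating them requires a second proxy instance with a distinguishable source address (see the -a and -p options in ftp-proxy(8)) rather than more filter rules on $int_if.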