论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2006-11-21 20:36 |只看该作者 |倒序浏览

#macros
ext_if="fxp0"
int_if1="fxp1"
int_if2="fxp2"
int_if = "{" $int_if1 $int_if2 "}"
tcp_services="{21,22,8021,49151><65535}"
icmp_types = "echoreq"
priv_nets="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 20.20.20.0/24 }"
int_net="{ 10.10.26.0/23, 10.0.28.0/23 }"
int_net1="{ 10.0.28.0/23 }"
int_net2="{ 10.10.26.0/23 }"
deny_port="{135,137,138,139,445,593,4444,6881><6889,6969}"

#options
set block-policy drop
set loginterface $ext_if
set optimization aggressive

#scrub
scrub in all

##################################################
##nat rules
##################################################

nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#####################
##filter rules
#####################

block all
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags SFUP/SFRAU
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
pass quick on lo0 all

###############
#int_if
###############
pass in quick on $int_if1 from 10.10.26.0/23 to any
pass out quick on $int_if1 from any to 10.10.26.0/23
pass in quick on $int_if2 from 10.0.28.0/23 to any
pass out quick on $int_if2 from any to 10.0.28.0/23
pass in quick on $int_if proto tcp from any to any port 22 flags S/SA keep state
pass in quick on $int_if inet proto icmp all icmp-type $icmp_types keep state
block in quick on $int_if proto tcp from $int_net to any port $deny_port flags S/SA
pass in log quick on $int_if proto tcp from $int_net to any port 80 flags S/SA keep state queue std_in
pass out on $int_if from any to $int_net
pass in on $int_if inet proto {tcp,udp} from $int_net to any keep state \
(source-track rule, max-src-nodes 60,max-src-states 10)

###############
#ext_if
###############
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass out on $ext_if proto tcp all modulate state flags S/SA queue std_out
pass out on $ext_if proto {udp,icmp} all keep state queue std_out

[ 本帖最后由 qljid 于 2006-11-22 13:24 编辑 ]

文库|博客

geel

小富即安

论坛徽章:: 0

2楼 [报告]

发表于 2006-11-21 20:37 |只看该作者

两个网段，你可能需要的是个路由

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

qljid

白手起家

论坛徽章:: 0

3楼 [报告]

发表于 2006-11-21 20:55 |只看该作者

好象不是路由的问题,以前没有问题加pf后不能访问了不能PING 通

[ 本帖最后由 qljid 于 2006-11-21 21:08 编辑 ]

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

congli

版主

论坛徽章:: 1

4楼 [报告]

发表于 2006-11-21 23:14 |只看该作者

pass in quick on $int_if1 from 10.10.26.0/23 to any
pass out quick on $int_if1 from any to 10.10.26.0/23
pass in quick on $int_if2 from 10.0.28.0/23 to any
pass out quick on $int_if2 from any to 10.0.28.0/23