【请教】pf防火墙的问题

jsn

FBSD6.1，防火墙规则设置如下：

=================================================
set skip on lo0

ext_if = em0

block in log all

pass out quick all keep state

pass in on $ext_if inet proto tcp from any to $ext_if port 80 flags S/SA synproxy state
=================================================

这样的设置不知道哪里出了问题，时不时会有80端口连接超时的情况。在log里也看到block了大量的连接请求：



145169 rule 0/0(match): block in on em0: 211.161.255.186.61209 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
357284 rule 0/0(match): block in on em0: 59.42.174.143.16753 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
037603 rule 0/0(match): block in on em0: 121.32.72.9.50518 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
041345 rule 0/0(match): block in on em0: 58.49.180.8.3328 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
099564 rule 0/0(match): block in on em0: 58.49.180.8.3329 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
118307 rule 0/0(match): block in on em0: 59.42.174.143.16981 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
264719 rule 0/0(match): block in on em0: 222.210.30.121.3945 > x.x.x.x.80: . 1906564597:1906564598(1) ack 1109131971 win 65535
512808 rule 0/0(match): block in on em0: 121.32.72.9.50524 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
006989 rule 0/0(match): block in on em0: 58.49.180.8.3330 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
082589 rule 0/0(match): block in on em0: 222.210.30.121.3980 > x.x.x.x.80: . 731927308:731927309(1) ack 1749017441 win 65535
847097 rule 0/0(match): block in on em0: 59.42.174.143.16891 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
657977 rule 0/0(match): block in on em0: 222.210.30.121.4018 > x.x.x.x.80: . 2302766402:2302766403(1) ack 1662791506 win 65535
1. 285466 rule 0/0(match): block in on em0: 121.32.72.9.50784 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
061083 rule 0/0(match): block in on em0: 211.161.255.186.62821 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
000007 rule 0/0(match): block in on em0: 211.161.255.186.60321 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
101053 rule 0/0(match): block in on em0: 211.161.255.186.60399 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
112182 rule 0/0(match): block in on em0: 59.172.151.42.1536 > x.x.x.x.80: R 2037009465:2037009465(0) ack 2232802651 win 0
378898 rule 0/0(match): block in on em0: 59.42.174.143.16896 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
903970 rule 0/0(match): block in on em0: 59.42.174.143.16902 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
593238 rule 0/0(match): block in on em0: 211.161.255.186.60185 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
358406 rule 0/0(match): block in on em0: 222.210.30.121.3980 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
609999 rule 0/0(match): block in on em0: 203.209.240.152.38241 > x.x.x.x.80: F 0:0(0) ack 1 win 65535
153320 rule 0/0(match): block in on em0: 211.161.255.186.61429 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
459558 rule 0/0(match): block in on em0: 222.210.30.121.4018 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
461474 rule 0/0(match): block in on em0: 59.42.174.143.16778 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
026848 rule 0/0(match): block in on em0: 121.32.72.9.50850 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
173519 rule 0/0(match): block in on em0: 59.42.174.143.16780 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
611887 rule 0/0(match): block in on em0: 211.90.231.100.24289 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
252596 rule 0/0(match): block in on em0: 59.42.174.143.17016 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
042470 rule 0/0(match): block in on em0: 222.210.30.121.4091 > x.x.x.x.80: . 2692049738:2692049739(1) ack 1568791114 win 65535
242224 rule 0/0(match): block in on em0: 211.161.255.186.62295 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
311184 rule 0/0(match): block in on em0: 211.161.255.186.63941 > x.x.x.x.80: . 3104250598:3104250599(1) ack 327927289 win 65535
1. 003013 rule 0/0(match): block in on em0: 211.161.255.186.63267 > x.x.x.x.80: . 1560661591:1560661592(1) ack 2824915327 win 65535
058711 rule 0/0(match): block in on em0: 222.210.30.121.4097 > x.x.x.x.80: . 441297299:441297300(1) ack 457816499 win 65535
934802 rule 0/0(match): block in on em0: 211.161.255.186.62501 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
000871 rule 0/0(match): block in on em0: 211.161.255.186.59799 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
742805 rule 0/0(match): block in on em0: 121.32.72.9.50587 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
493073 rule 0/0(match): block in on em0: 59.42.174.143.16956 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
495696 rule 0/0(match): block in on em0: 121.32.72.9.50597 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
374649 rule 0/0(match): block in on em0: 211.161.255.186.59649 > x.x.x.x.80: . 756958890:756958891(1) ack 2745497364 win 65535
033846 rule 0/0(match): block in on em0: 59.42.174.143.17083 > x.x.x.x.80: . 1587149022:1587149023(1) ack 706300778 win 65535
081709 rule 0/0(match): block in on em0: 121.32.72.9.50593 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
285073 rule 0/0(match): block in on em0: 211.161.255.186.60171 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
000117 rule 0/0(match): block in on em0: 211.161.255.186.63973 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
000499 rule 0/0(match): block in on em0: 211.161.255.186.59711 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
159532 rule 0/0(match): block in on em0: 222.210.30.121.4091 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
943549 rule 0/0(match): block in on em0: 211.161.255.186.61649 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
501568 rule 0/0(match): block in on em0: 211.161.255.186.61827 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
562410 rule 0/0(match): block in on em0: 222.210.30.121.4097 > x.x.x.x.80: . 0:1(1) ack 1 win 65535
1. 866233 rule 0/0(match): block in on em0: 218.90.1.162.4434 > x.x.x.x.80: . 1776232707:1776232708(1) ack 4168633515 win 8192
007867 rule 0/0(match): block in on em0: 218.90.1.162.4433 > x.x.x.x.80: . 1776169933:1776169934(1) ack 1455712540 win 8192


其中x.x.x.x是本机IP

剑心通明

原帖由 jsn 于 2006-12-26 15:11 发表
FBSD6.1，防火墙规则设置如下：

=================================================
set skip on lo0

ext_if = em0

block in log all

pass out quick all keep state

pass in on $ext_if inet p ...

synproxy state换成keep state怎样？

jsn

原帖由 剑心通明 于 2006-12-26 15:27 发表
synproxy state换成keep state怎样？

一样的效果。

大大狗

pass out quick all keep state

改为  pass quick on lo0 all  行不

jsn

原帖由 大大狗 于 2006-12-26 16:14 发表

改为  pass quick on lo0 all  行不

不能只on lo0，所有的都要pass

Momoass

只允许了syn 状态的连接， 其他的没有获准通过。

[ 本帖最后由 Momoass 于 2006-12-26 18:40 编辑 ]

jsn

原帖由 Momoass 于 2006-12-26 18:38 发表
只允许了syn 状态的连接， 其他的没有获准通过。

synproxy state或keep state就是获准通过了。大部分访问请求还是正常的。

[ 本帖最后由 jsn 于 2006-12-26 23:51 编辑 ]

新杂人

我是菜鸟, 送关于pf的synproxy state给楼主 http://www.freebsdchina.org/forum/topic_32569.html

[ 本帖最后由 新杂人 于 2006-12-28 01:23 编辑 ]

llzqq

改成这样试试：


ext_if = em0
web="{127.0.0.1}"

set skip on lo0

rdr on $ext_if proto tcp from any to $ext_if port 80 -> $web port 80

block in log all

pass in on $ext_if inet proto tcp from any to $ext_if port 80 flags S/SA synproxy state

pass out quick all keep state