pf如何控制部分IP只能访问25.110端口？

jhpjp

1. 
   
2. Ext="tun0"
   
3. Int="vr0"
   
4. IntNet="192.168.1.0/24"
   
5. RouterIP="192.168.1.254"
   
6. NoRoute="{127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,255.255.255.255/32}"
   
7. InServicesTCP="{21,80}"
   
8. InServicesUDP="{53,67}"
   
9. mailTCP="{25,110}"
   
10. 
    
11. my_net="{ 192.168.1.1,192.168.1.2 }"
    
12. boss_net="{ 192.168.1.9,192.168.1.11,192.168.1.8,192.168.1.18,192.168.1.7,192.168.1.100 }"
    
13. mail_net="{ 192.168.1.104,192.168.1.112 }"
    
14. 
    
15. set block-policy return
    
16. #统计数据外网接口数据（pfctl -s info）
    
17. set loginterface $Ext
    
18. #快速断开非活动状态的连接减少内存消耗
    
19. set optimization aggressive
    
20. ######## 流量整形 ##########
    
21. scrub in all
    
22. ######## NAT ##########
    
23. nat on $Ext from $IntNet to any -> ($Ext)
    
24. rdr pass on $Int proto tcp from $Int to any port 21 ->  127.0.0.1 port 8021
    
25. pass quick on {lo $Int} keep state
    
26. ######## Kill all ########
    
27. block all
    
28. 
    
29. ########PORT FTP RULE ########
    
30. pass in quick on $Ext proto tcp from any to $Ext port 21 flags S/SA keep state
    
31. pass in quick on $Ext inet proto tcp from any to any port > 49151 user proxy flags S/SAFR keep state
    
32. ######## RULE ########
    
33. pass out quick on $Ext from $boss_net to any keep state
    
34. pass out quick on $Ext from $my_net to any keep state
    
35. pass out quick on $Ext inet proto tcp from $mail_net to any port {21 25 110} keep state
    

复制代码

看完rule，想让$mail_net只能访问25.110，但上面的规则就是不行。$mail_net下的IP照样能访问别的端口。如80.443……

[ 本帖最后由 jhpjp 于 2007-7-20 11:04 编辑 ]

tidezcy

## pass quick on {lo $Int} keep state  ##

有了这条,向外访问完全开放了.

jhpjp

原帖由 tidezcy 于 2007-7-20 11:29 发表
## pass quick on {lo $Int} keep state  ##

有了这条,向外访问完全开放了.

您好，那我是不是把$Int去掉呢？

但是我在## pass quick on {lo $Int} keep state  ##有 block all


最新消息，pass quick on {lo $Int} keep state去掉了$Int变成pass quick on {lo} keep state后还是一样能访问80…………

[ 本帖最后由 jhpjp 于 2007-7-20 11:48 编辑 ]

feillex

pass quick on {lo} keep state
其中 lo 应该是 lo0 吧

jhpjp

原帖由 feillex 于 2007-7-20 12:12 发表
pass quick on {lo} keep state
其中 lo 应该是 lo0 吧

我以改成lo0，但还有不行。继续等待…………

feillex

你改完后有没有清空当前状态表？
有可能原来的匹配记录还在状态表中，直接就过去了。
清空一下状态表，再重新加载一次规则试试看
清空状态表
pfctl -F state

加载配置文件
pfctl -f /etc/pf.conf

langue

先禁用所有，然后允许这部分的补集，注意前后搭配即可，不要出现一棍子打死和全盘开放

robinwu2008

set skip on lo

block all

pass in quick on $int from $mail_net to any port {25,110} keep state
pass in quick on $int from $boss_net to any keep state
pass in quick on $int from $my_net to any keep state

或
block drop in quick on $int  from $mail_net to any port !{25,110}
pass in quick on $int from any to any keep state

I think is it~~~

jhpjp

谢谢，我试试