- 论坛徽章:
- 0
|
我的网络环境
电信网通双100M光纤.电信IP219.147.X.X网通IP218.28.X.X
本人做了自动切换的nat说到这里是没有问题的.(文章最后是我的PF.conf 问题部分做了红色显示...)
主要就是pass in quick on { $ext_if_cnc, $ext_if_ct } proto tcp from any to { $cnc_ip, $ct_ip } port = 80 flags S/SA keep state \
(source-track rule,max-src-conn 100, max-src-conn-rate 15/3,max-src-states 15,overload <abusive_hosts> flush, src.track 1)
这里的flags S/SA keep state换成 flags S/SA synproxy state的时候问题就出来了.就是说来自外部网络界面的用户如果使用电信访问我的WEB服务器的网通(也就是说我的IP218.28.X.X),或是网通访问电信(IP219.147.X.X)的时候就不能了.如果我说的还不够明白.这样:
你家用的网通线路上互联网.你可以使用我的IP218.28.X.X正常访问我的web服务器,但根本不能用你家的网通访问我的电信IP219.147.X.X;
电信同上
只要我把 flags S/SA synproxy state改成flags S/SA keep state
一切就解决了.现在我还是不知道错在哪里了.....
郁闷 .................郁闷到死!
以下是我的PF.conf
ext_if_cnc="fxp0"
cnc_ip="218.28.X.X/32"
ext_if_ct="rl0"
ct_ip="219.147.X.X/32"
int_if="xl0"
int_net="192.168.0.0/24"
#options
set timeout interval 10
set timeout frag 30
set limit { frags 80000, states 80000 }
set optimization normal
set block-policy return
set loginterface $int_if
set fingerprints /etc/pf.os
set state-policy if-bound
#scrub
scrub on { $int_if, $ext_if_cnc, $ext_if_ct } reassemble tcp no-df random-id
scrub in all
#NAT(net,rdr)
nat on $ext_if_cnc from $int_if:network to any -> ($ext_if_cnc)
nat on $ext_if_ct from $int_if:network to any -> ($ext_if_ct)
rdr on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
pass quick on lo0 all
block drop in quick on $int_if from any to 10.0.0.0/8
block drop in quick on $int_if from any to 172.0.0.0/16
block drop in quick on $int_if from any to 192.168.0.0/16
pass in quick on $int_if proto {udp,icmp} from any to any keep state
pass in quick on $int_if proto tcp from any to any flags S/SA keep state
pass in quick on $int_if proto 4 from any to any keep state
pass in quick on $int_if all keep state
pass out quick on { $int_if , $ext_if_cnc , $ext_if_ct } all keep state
pass in quick on { $ext_if_cnc, $ext_if_ct } proto tcp from any to { $cnc_ip, $ct_ip } port = 22 flags S/SA keep state
table <abusive_hosts> persist
block in quick from <abusive_hosts>
pass in quick on { $ext_if_cnc, $ext_if_ct } proto tcp from any to { $cnc_ip, $ct_ip } port = 80 flags S/SA keep state \
(source-track rule,max-src-conn 100, max-src-conn-rate 15/3,max-src-states 15,overload <abusive_hosts> flush, src.track 1)block drop in quick on { $ext_if_cnc, $ext_if_ct } all
[ 本帖最后由 123456sx 于 2007-8-8 23:42 编辑 ] |
|
免费注册
发表于 2007-08-08 23:39
