On Mon, Jul 11, 2005 at 10:49:09PM +0800, jking1 wrote:
> ############################
> #/etc/pf.conf              #
> ############################
> ext_if="fxp0"
> int_if="rl0"
> web_server="192.168.0.1"
> pcanywhere_port="5631"
> sql="1433"
>
> #table <spamd> persist
> #table <spamd-white> persist
>
> scrub in
>
> rdr pass on $ext_if proto tcp from any to port www -> $web_server port www
> rdr pass on $ext_if proto tcp from any to port $pcanywhere_port -> \
>     $web_server port $pcanywhere_port
> rdr pass on $ext_if proto tcp from any to port $sql -> $web_server port $sql
> rdr pass on $ext_if proto tcp from any to port 21 -> $web_server port 21
> rdr pass on $ext_if proto udp from any to port 53 -> $web_server port 53
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> block return
>
> pass quick on { lo $int_if }
> antispoof quick for { lo $int_if }
>
> pass in log on $ext_if inet proto tcp to $ext_if port ssh flags S/SA keep state
> pass in log on $ext_if inet proto tcp to $web_server port 21 flags S/SA synproxy state
> pass in log on $ext_if inet proto tcp to $web_server port $sql flags S/SA synproxy state
> pass in log on $ext_if inet proto tcp to $web_server port 1434 flags S/SA synproxy state
> pass in on $ext_if inet proto tcp to $web_server port { www, $pcanywhere_port } \
>     flags S/SA synproxy state
> pass in on $ext_if inet proto { tcp, udp } to $web_server port 53 flags S/SA \
>     keep state
> pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
>
> ############################
> #/etc/hostname.fxp0        #
> ############################
> inet XXX.XXX.XX.245 255.255.255.192 NONE
>
> ############################
> #/etc/hostname.rl0         #
> ############################
> inet 192.168.0.254 255.255.255.0 NONE
>
> ############################
> #/etc/mygate               #
> ############################
> XXX.XX.X.193
>
>
> ############################
> #show nat                  #
> ############################
> haocb# pfctl -v -sn
> nat on fxp0 from ! (fxp0) to any -> (fxp0:0)
>   [ Evaluations: 1232 Packets: 0 Bytes: 0 States: 0 ]
> rdr pass on fxp0 inet proto tcp from any to any port = www -> 192.168.0.1 port 80
>   [ Evaluations: 1575 Packets: 1897 Bytes: 1425567 States: 29 ]
> rdr pass on fxp0 inet proto tcp from any to any port = 5631 -> 192.168.0.1 port 5631
>   [ Evaluations: 80 Packets: 0 Bytes: 0 States: 0 ]
> rdr pass on fxp0 inet proto tcp from any to any port = 1433 -> 192.168.0.1 port 1433
>   [ Evaluations: 80 Packets: 742 Bytes: 56328 States: 47 ]
> rdr pass on fxp0 inet proto tcp from any to any port = ftp -> 192.168.0.1 port 21
>   [ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
> rdr pass on fxp0 inet proto udp from any to any port = domain -> 192.168.0.1 port 53
>   [ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
>
>
> ############################
> #show rules                #
> ############################
> haocb# pfctl -v -sn
> scrub in all fragment reassemble
>   [ Evaluations: 12151 Packets: 6124 Bytes: 0 States: 0 ]
> block return all
>   [ Evaluations: 2933 Packets: 14 Bytes: 688 States: 0 ]
> pass quick on lo all
>   [ Evaluations: 2933 Packets: 0 Bytes: 0 States: 0 ]
> pass quick on rl0 all
>   [ Evaluations: 2933 Packets: 2919 Bytes: 1503906 States: 0 ]
> block drop in quick on ! lo inet from 127.0.0.0/8 to any
>   [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
> block drop in quick on ! lo inet6 from ::1 to any
>   [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
> block drop in quick inet from 127.0.0.1 to any
>   [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
> block drop in quick inet6 from ::1 to any
>   [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
> block drop in quick on lo0 inet6 from fe80::1 to any
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
> block drop in quick on ! rl0 inet from 192.168.0.0/24 to any
>   [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
> block drop in quick inet from 192.168.0.254 to any
>   [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
> block drop in quick on rl0 inet6 from fe80::211:d8ff:fe79:d52b to any
>   [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
> pass in log on fxp0 inet proto tcp from any to 219.153.7.245 port = ssh flags S/SA keep state
>   [ Evaluations: 43 Packets: 93 Bytes: 14185 States: 1 ]
> pass in log on fxp0 inet proto tcp from any to 192.168.0.1 port = ftp flags S/SA synproxy state
>   [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
> pass in log on fxp0 inet proto tcp from any to 192.168.0.1 port = 1433 flags S/SA synproxy state
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
> pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = www flags S/SA synproxy state
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
> pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = 5631 flags S/SA synproxy state
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
> pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = domain flags S/SA keep state
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
> pass in on fxp0 inet proto udp from any to 192.168.0.1 port = domain keep state
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
> pass out on fxp0 proto tcp all modulate state
>   [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
> pass out on fxp0 proto udp all keep state
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
> pass out on fxp0 proto icmp all keep state
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
>
>
> web server works fine (www, ftp and pcanywhere control), but I can't find
> any transport from pf state!!!!!!
> pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = www flags S/SA synproxy state
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
> ~~~~~~
> why???
> pass in log on fxp0 inet proto tcp from any to 192.168.0.1 port = ftp flags S/SA synproxy state
>   [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
> ~~~~~~
> why???
> pass in log on fxp0 inet proto tcp from any to 219.153.7.245 port = ssh flags S/SA keep state
>   [ Evaluations: 43 Packets: 93 Bytes: 14185 States: 1 ]
> ~~~~~~
> it's ok
>
> and nat state is right!
> rdr pass on fxp0 inet proto tcp from any to any port = www -> 192.168.0.1 port 80
>   [ Evaluations: 1575 Packets: 1897 Bytes: 1425567 States: 29 ]
> rdr pass on fxp0 inet proto tcp from any to any port = ftp -> 192.168.0.1 port 21
>   [ Evaluations: 33 Packets: 12 Bytes: 592 States: 1 ]
>
> Anyone can tell me this? I will thank you very much!
>
>
> yours jking
>
> ----
>
> iGENUS is a free webmail interface, NO fee, download
> ---------------------------------------------------------
> please visit http://www.qmail.org
>
sysctl net.inet.ip.forwarding=1
pfctl -e?

- David
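The counters in the quoted `pfctl -v` output follow directly from the `pass` modifier on the `rdr` rules: in the OpenBSD pf releases that use the separate `nat`/`rdr` section (as in this pf.conf), `rdr pass` passes the rewritten packet without any further evaluation of the filter rules, so the states for web, PCAnywhere and SQL traffic live on the rdr rules and the matching `pass in ... to 192.168.0.1` filter rules are never consulted. The script below is an added example, not code from the thread or from OpenBSD: it parses the verbose `pfctl -v -sn` and `pfctl -v -sr` output (the sample strings are copied from the quoted post, with the numbers as posted), pairs each `pass in` filter rule with the `rdr pass` rule that shadows it, and leaves unshadowed rules such as the ssh rule and the tcp/53 rule (for which no rdr exists) visible as the filter rules that actually govern traffic. The function and regex names are mine; the port-name table stands in for the `/etc/services` lookup pfctl does on a real host.

```python
"""Audit which 'pass in' filter rules are shadowed by 'rdr pass' rules (example code)."""
import re

# Service names as pfctl prints them; a real host resolves these via /etc/services.
SERVICE_PORTS = {"www": 80, "ftp": 21, "ssh": 22, "domain": 53}

RULE_RE = re.compile(r"proto (?P<proto>tcp|udp) from \S+ to (?P<dst>\S+) port = (?P<port>\S+)")
RDR_RE = re.compile(r"-> (?P<target>\S+) port (?P<tport>\d+)")
STATS_RE = re.compile(r"\[ Evaluations: (?P<ev>\d+)\s+Packets: (?P<pk>\d+)\s+"
                      r"Bytes: (?P<by>\d+)\s+States: (?P<st>\d+)\s*\]")


def port_number(token):
    """Map a pfctl port token ('www', '1433') to an integer."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def parse_verbose(output):
    """Yield (rule_text, counters) pairs from `pfctl -v -sn` / `pfctl -v -sr` output."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    for text, nxt in zip(lines, lines[1:]):
        stats = STATS_RE.match(nxt)
        if stats and not STATS_RE.match(text):
            yield text, {k: int(v) for k, v in stats.groupdict().items()}


def shadowed_filter_rules(nat_output, rules_output):
    """Pair every 'pass in' filter rule with the 'rdr pass' rule that shadows it.

    A filter rule is shadowed when an 'rdr pass' rule for the same protocol
    redirects traffic to exactly that rule's destination address and port:
    pf then passes the rewritten packet without consulting the filter rules.
    """
    rdrs = []
    for text, stats in parse_verbose(nat_output):
        m, t = RULE_RE.search(text), RDR_RE.search(text)
        if text.startswith("rdr pass") and m and t:
            rdrs.append((m["proto"], t["target"], int(t["tport"]), text, stats))
    report = []
    for text, stats in parse_verbose(rules_output):
        m = RULE_RE.search(text)
        if not text.startswith("pass in") or not m:
            continue
        key = (m["proto"], m["dst"], port_number(m["port"]))
        match = next((r for r in rdrs if r[:3] == key), None)
        report.append({
            "filter": text, "filter_states": stats["st"],
            "shadowed_by": match[3] if match else None,
            "rdr_states": match[4]["st"] if match else None,
        })
    return report


# Sample input copied from the verbose output quoted in the thread (constructed subset).
NAT_OUTPUT = """
nat on fxp0 from ! (fxp0) to any -> (fxp0:0)
  [ Evaluations: 1232 Packets: 0 Bytes: 0 States: 0 ]
rdr pass on fxp0 inet proto tcp from any to any port = www -> 192.168.0.1 port 80
  [ Evaluations: 1575 Packets: 1897 Bytes: 1425567 States: 29 ]
rdr pass on fxp0 inet proto tcp from any to any port = 1433 -> 192.168.0.1 port 1433
  [ Evaluations: 80 Packets: 742 Bytes: 56328 States: 47 ]
rdr pass on fxp0 inet proto tcp from any to any port = ftp -> 192.168.0.1 port 21
  [ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
rdr pass on fxp0 inet proto udp from any to any port = domain -> 192.168.0.1 port 53
  [ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
"""
RULES_OUTPUT = """
block return all
  [ Evaluations: 2933 Packets: 14 Bytes: 688 States: 0 ]
pass in log on fxp0 inet proto tcp from any to 219.153.7.245 port = ssh flags S/SA keep state
  [ Evaluations: 43 Packets: 93 Bytes: 14185 States: 1 ]
pass in log on fxp0 inet proto tcp from any to 192.168.0.1 port = ftp flags S/SA synproxy state
  [ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = www flags S/SA synproxy state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = domain flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto udp from any to 192.168.0.1 port = domain keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
"""


def audit():
    """Run the check over the sample output and return the per-rule report."""
    return shadowed_filter_rules(NAT_OUTPUT, RULES_OUTPUT)


if __name__ == "__main__":
    for entry in audit():
        if entry["shadowed_by"]:
            print("SHADOWED (states %d on rdr): %s" % (entry["rdr_states"], entry["filter"]))
        else:
            print("ACTIVE   (states %d):        %s" % (entry["filter_states"], entry["filter"]))
```

Run against live output with `pfctl -v -sn` and `pfctl -v -sr` captured into the two strings; the practical consequence for the rule set above is that the `synproxy state` and `log` options on the shadowed filter rules have no effect on redirected traffic, because the only rule those packets ever hit is the rdr rule.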