I am trying to load balance two internet links with OpenBSD pf. There are two
separate modems, and pf runs on a machine with three NICs.
The firewall provides DHCP and DNS services.
I do NAT separately for each modem's network (should I do it this way?). Would
this firewall work without NAT?
Can you tell me which errors there are in the pf.conf file below?
How can I write rules for packets leaving the firewall itself? Could you give an
example?
Also, I think I need to keep the DHCP logs for 5651. How do I do that on
OpenBSD?
                               |----------------- modem 1
Internal network ---- firewall |
                               |----------------- modem 2
intif=rl1
extif1=rl0
extif2=re0
# Modem 1
gw1="192.168.0.1"
# Modem 2
gw2="192.168.2.1"
# TCP ports reachable on the internal networks (there are SSH servers on the modems' networks)
tcpservices="{ ssh,http,https,2020,2021}"
# UDP ports for the external networks
udpservices="{ domain,ntp }"
lannet=$intif:network
ext1net=$extif1:network
ext2net=$extif2:network
# SSH machines on the internal networks. Actually there are 2 different machines (one is the firewall) and 5 different IPs
sshhosts="{ 192.168.0.9, 192.168.2.200, 192.168.2.249, 192.168.0.249, 192.168.5.249 }"
# The FTP proxy is running
anchor "ftp-proxy/*"
pass in log quick on $intif inet proto tcp to port 21 divert-to 127.0.0.1 port 8021
# For ICMP requests, but pinging out from the internal network does not work? A rule written for nothing.
pass quick inet proto icmp all
# I wrote a rule like this for DNS and NTP. Otherwise my DNS server on the firewall does not answer the internal network.
pass in log quick on $intif inet proto {tcp,udp} from $lannet to port $udpservices
# SSH and web traffic between the internal networks
pass quick on $intif inet proto tcp from $lannet to $sshhosts port $tcpservices
# Syslogs coming from one of the modems
pass in quick on $extif2 proto udp to any port 514
# I wrote rules like this for access from the modem networks to the services on the firewall
pass in quick on {$extif1,$extif2} inet proto tcp to port $tcpservices
pass in quick on {$extif1,$extif2} inet proto {tcp,udp} to port $udpservices
# There is a CBQ here, taken from calomel.org. How can I test whether it works correctly?
altq on $extif1 bandwidth 4.60Mb hfsc queue { ack, dns, ssh, bulk, bittor }
queue ack bandwidth 30% qlimit 500 hfsc (realtime 20%)
queue dns bandwidth 5% qlimit 500 hfsc (realtime 5%)
queue ssh bandwidth 20% qlimit 500 hfsc (realtime 20%) {ssh_login, ssh_bulk}
queue ssh_login bandwidth 50% qlimit 500 hfsc
queue ssh_bulk bandwidth 50% qlimit 500 hfsc
queue bulk bandwidth 20% qlimit 500 hfsc (realtime 20% default, ecn)
queue bittor bandwidth 1% qlimit 500 hfsc (upperlimit 15%)
< a similar CBQ for the 2nd network goes here >
# I do a match for each network
match out on $extif1 from $lannet nat-to $extif1
match out on $extif2 from $lannet nat-to $extif2
block all
# NAT is done here. Are the NAT rules (and their position) correct?
pass in log on $intif inet proto tcp from $lannet route-to { ($extif1 $gw1), ($extif2 $gw2) } round-robin modulate state
pass in log on $intif inet proto udp from $lannet route-to { ($extif1 $gw1), ($extif2 $gw2) } round-robin modulate state
pass in on $intif inet proto icmp from $lannet route-to { ($extif1 $gw1), ($extif2 $gw2) } round-robin modulate state
# Traffic shaping on $extif1 here
pass out on $extif1 inet proto tcp from $extif1 to any flags S/SA modulate state queue (bulk,ack)
pass out on $extif1 inet proto tcp from $extif1 to any port {ssh,2020,2021} flags S/SA modulate state queue (ssh_bulk,ssh_login )
pass out on $extif1 inet proto {tcp,udp} from $extif1 to any port $udpservices modulate state queue (dns)
# Here I tried to write traffic shaping for BitTorrent, but I could not get it right
#pass out on $extif1 inet proto tcp from $extif1 to any port 6881:6999 flags S/SA modulate state queue (bittor)
# Outgoing rules
pass out on $extif2
< I have not written the CBQ rules for the 2nd network >
pass out on $extif1 from $extif2 route-to ($extif2 $gw2)
pass out on $extif2 from $extif1 route-to ($extif1 $gw1)
_______________________________________________
Bsd mailing list
[email protected]
https://liste.linux.org.tr/mailman/listinfo/bsd
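An added example, not taken from the post above or from the OpenBSD project: a minimal dual-WAN pf.conf in the pattern of the OpenBSD PF FAQ's load-balancing section, written to show the rule ordering a reviewer would check in a config like the one posted. The interface names, gateways, the lan_net value and the service macros are assumed placeholders, and it uses the same "(interface gateway)" route-to form the post uses (OpenBSD 4.7 and later; newer releases changed the route-to syntax, so check pf.conf(5) for your release). The points it demonstrates: "match ... nat-to" rules are listed before any "quick" pass rule, because quick ends rule evaluation and a match rule placed after it is never reached for that packet; the firewall's own outgoing traffic gets explicit "pass out" rules on each external interface; and the two cross route-to rules make replies leave through the modem they arrived on.

```pf
# Added example, not from the original post: a dual-WAN pf.conf skeleton in the
# pattern of the OpenBSD PF FAQ. Interface names, gateways, lan_net and the
# service macros are assumed placeholders; adjust them to your own layout.
int_if  = "rl1"
ext_if1 = "rl0"
ext_if2 = "re0"
ext_gw1 = "192.168.0.1"
ext_gw2 = "192.168.2.1"
lan_net = "192.168.5.0/24"
fw_udp  = "{ domain, ntp }"
fw_tcp  = "{ domain, ssh }"

set skip on lo0

# 1. Source NAT for LAN traffic leaving on either modem. "match" rules only
#    record the nat-to; the pass rule that later matches the packet applies it.
#    They stay above every "quick" rule: quick ends rule evaluation, so a match
#    rule placed after it would never be reached for that packet.
match out on $ext_if1 inet from $lan_net nat-to ($ext_if1)
match out on $ext_if2 inet from $lan_net nat-to ($ext_if2)

# 2. Default deny, then the firewall's own services (DNS, NTP, SSH, DHCP).
block log all
pass in quick on $int_if inet proto udp from $lan_net to $int_if port $fw_udp
pass in quick on $int_if inet proto tcp from $lan_net to $int_if port $fw_tcp
# DHCP discovers arrive as broadcasts from 0.0.0.0:68, so "from $lan_net"
# would not match them.
pass in quick on $int_if inet proto udp from any port bootpc to any port bootps
pass out on $int_if inet from any to $lan_net

# 3. Everything else from the LAN is spread over the two modems. sticky-address
#    keeps one client on one link, so a session never changes its public
#    source address mid-way.
pass in on $int_if inet proto tcp from $lan_net to any \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address \
    flags S/SA modulate state
pass in on $int_if inet proto { udp, icmp } from $lan_net to any \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address

# 4. Traffic the firewall itself originates (resolver lookups, ntpd, pkg_add)
#    follows the default route and needs its own pass out rules, with the
#    firewall's own address as source.
pass out on $ext_if1 inet from ($ext_if1) to any
pass out on $ext_if2 inet from ($ext_if2) to any

# 5. Replies to connections that came in on one modem must leave through that
#    same modem even though the routing table points at the other one.
pass out on $ext_if1 inet from ($ext_if2) route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 inet from ($ext_if1) route-to ($ext_if1 $ext_gw1)
```

Check the syntax before loading it with "pfctl -nf /etc/pf.conf", and watch the two modem links with "pfctl -ss" to confirm that states are created on both external interfaces. On the DHCP log question: OpenBSD's dhcpd(8) writes its lease messages through syslog with the daemon facility, which the default syslog.conf sends to /var/log/daemon; how many rotated copies are kept, and for how long, is set in newsyslog.conf(5), so retention is a newsyslog setting rather than a pf one.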