Hello
Hello, I have a setup like the one below. I am using ipfw but I want to switch
to pf. My local servers go out to the Internet through the LL, NATed to
different IPs. When I activate pf with the rules below, all machines reach the
Internet without problems. But although the machines in the server group are
routed correctly, problems arise because they are NATed while being routed.
Could I be making a mistake in the "no nat" line or in the rules? I would also
like to hear your recommendations for such a system.
Thanks in advance for your help,
Best regards
Muammer
10.11.1.3 ADSL ----------+
                         | 10.11.1.5 (bge0)          192.168.0.5 (vr0)
                         +------------- FreeBSD (pf) ------------------ LAN 192.168.0.0/24
                         |
10.11.1.4 LL ------------+
###################################################
ext_if="bge0"
int_if="vr0"
ext_ip="10.11.1.5"
int_ip="192.168.0.5"
lan_net="192.168.0.0/24"
LL="10.11.1.4"
UsR="10.11.1.3"
SERVERS="{ 192.168.0.11, 192.168.0.30, 192.168.0.31, 192.168.0.33, 192.168.0.114/28, 192.168.0.137, 192.168.0.140, 192.168.0.141 }"
set limit { frags 30000, states 25000 }
set loginterface $ext_if
scrub in all
nat on $ext_if from $lan_net to any -> ($ext_if)
no nat on $ext_if from $SERVERS to any
##################################
pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net
pass in quick on $int_if from $lan_net to $int_if
pass in on $int_if route-to ($ext_if $LL) proto tcp from $SERVERS to any flags S/SA modulate state
pass in on $int_if route-to ($ext_if $LL) proto { udp, icmp } from $SERVERS to any keep state
############################
pass in on $ext_if all
pass out on $ext_if all
#block in on $ext_if all
pass out on $ext_if proto tcp from any to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from any to any keep state
pass in on $ext_if proto tcp from any to $ext_ip port { 22, 80, 1723 } flags S/SA modulate state   # ssh, www, vpn
pass in on $ext_if proto icmp from any to $ext_ip keep state
pass in on $ext_if proto tcp from any to 192.168.0.141 port { 25, 110, 80 } flags S/SA modulate state
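Editor's note, with an added ruleset that is not the poster's own configuration. Two things in the posted pf.conf deserve a check. First, pf evaluates translation rules (nat/rdr/binat) on a first-match basis, the opposite of filter rules, so a "no nat" placed after the "nat" rule never fires: the server group is matched by "nat on $ext_if from $lan_net" before the exemption is ever consulted, which is exactly the symptom described (correctly routed to the LL, but translated). The exemption has to come first. Second, "pass in on $ext_if all" and "pass out on $ext_if all", with "block in on $ext_if all" commented out, leave the external interface wide open; every later port-specific "pass in" rule is then redundant. The version below reuses the post's macros and rules, reorders the translation rules, and starts from a default deny. The loopback rule and the PPTP/GRE comment are assumptions added here, not taken from the post.

```pf
# Added example, not the original poster's config. Macros and rules are the
# post's; the translation rules are reordered and a default deny is added.
ext_if="bge0"
int_if="vr0"
ext_ip="10.11.1.5"
int_ip="192.168.0.5"
lan_net="192.168.0.0/24"
LL="10.11.1.4"
SERVERS="{ 192.168.0.11, 192.168.0.30, 192.168.0.31, 192.168.0.33, 192.168.0.114/28, 192.168.0.137, 192.168.0.140, 192.168.0.141 }"

set limit { frags 30000, states 25000 }
set loginterface $ext_if
scrub in all

# --- Translation: FIRST matching rule wins, so exemptions go before "nat" ---
no nat on $ext_if from $SERVERS to any
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- Filtering: LAST matching rule wins unless "quick" ---
block in log all                       # default deny on every interface
block out log all
pass quick on lo0 all                  # assumption: keep loopback working under default deny

# LAN side
pass in quick on $int_if from $lan_net to $int_if keep state
pass in on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state

# Server group: policy-routed to the LL router, untranslated (see "no nat" above).
# These rules come after the generic LAN "pass in" so they are the last match.
pass in on $int_if route-to ($ext_if $LL) proto tcp from $SERVERS to any flags S/SA modulate state
pass in on $int_if route-to ($ext_if $LL) proto { udp, icmp } from $SERVERS to any keep state

# Outbound on the external interface (route-to traffic is filtered here too)
pass out on $ext_if proto tcp from any to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from any to any keep state

# Inbound services on the firewall itself and on the mail/web host
pass in on $ext_if proto tcp from any to $ext_ip port { 22, 80, 1723 } flags S/SA modulate state   # ssh, www, vpn
pass in on $ext_if proto icmp from any to $ext_ip keep state
pass in on $ext_if proto tcp from any to 192.168.0.141 port { 25, 110, 80 } flags S/SA modulate state
# Assumption: if the VPN on 1723 is PPTP, it also needs GRE (IP proto 47), e.g.
#   pass in on $ext_if proto gre from any to $ext_ip keep state
```

To verify: "pfctl -nf /etc/pf.conf" parses the file without loading it, "pfctl -sn" prints the translation rules in the order pf evaluates them (the "no nat" line must appear first), and after loading, "pfctl -ss" should show states for the server group with their 192.168.0.x source address rather than 10.11.1.5. Whether the LL at 10.11.1.4 accepts and translates the private source addresses is outside pf's control; the post says it does.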