Hello again, friends,

There are a few things in pf that I don't understand; I would appreciate your help.

lan_net = "{ 192.168.1.0/24 }"
int_if = "bge0"
ext_if = "vr0"
ext_if2 = "vr1"
ext_gw1 = "192.168.2.1"
ext_gw2 = "192.168.3.1"
fwips = "{127.0.0.1, 192.168.2.2, 192.168.3.2}"
lan_port = "{80,53,444,443,8080}"
mail_port = "{25,110}"


pass in on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from $lan_net to $int_if:0 port $mail_port flags S/SA modulate state

Doesn't this rule mean: if traffic coming from lan_net is to a mail_port, send it via $ext_if2 $ext_gw2? When I look at the logs, when a user on the internal network tries to send mail, it uses $ext_if $ext_gw1.

pass in on $int_if route-to { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to $int_if:0 port $lan_port flags S/SA modulate state
pass in on $int_if route-to { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state

Don't these lines mean: if traffic from lan_net is to a lan_port, distribute it between $ext_if $ext_gw1 and $ext_if2 $ext_gw2?

My firewall and my mail server are the same machine. What I want is for my internal users' traffic to go out via gw2 when they send or receive mail, and for their other outbound traffic (80, 443, etc.) to be distributed between gw1 and gw2. I am trying to do this with the rules above but have not managed to get it working. What are my mistakes here? When my mail server itself sends mail it uses gw2, but when internal users send mail outward it tries to leave via gw1. I tell it to distribute the traffic other than the mail ports, but that traffic goes via gw1.
The pf.conf I am using is attached.

Regards.

###################################################
# Macros
###################################################
lan_net = "{ 192.168.1.0/24 }"
int_if = "bge0"
ext_if = "vr0"
ext_if2 = "vr1"
ext_gw1 = "192.168.2.1"
ext_gw2 = "192.168.3.1"
fwips = "{127.0.0.1, 192.168.2.2, 192.168.3.2}"
lan_port = "{80,53,444,443,8080}"
mail_port = "{25,110}"
##################################################
# Definitions
##################################################
table <msn> persist file "/usr/local/etc/fw/msn"
table <ftp> persist file "/usr/local/etc/fw/ftp"
table <bim> persist file "/usr/local/etc/fw/bim"
table <yasakip> persist file "/usr/local/etc/fw/yasakip"
table <disbirim> persist file "/usr/local/etc/fw/disbirim"
###################################################
# Set Optimizations
###################################################
set limit { frags 30000, states 25000 }
scrub in all
##################################################
# NAT Rules
##################################################
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if proto tcp from self to any port $mail_port  tag IF2 -> ($ext_if2)

rdr on $int_if proto tcp from any to any port 80 -> 192.168.1.150 port 8080
rdr pass on $ext_if2 inet proto tcp from any to any port = pptp -> 192.168.3.2 port 1723
rdr pass on $ext_if2 inet proto gre all -> 192.168.3.2

##################################################
# Firewall Rules
##################################################
block in log-all all
block out log-all all
pass in  quick on lo0 all
pass out quick on lo0 all

pass in on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from $lan_net to $int_if:0 port $mail_port flags S/SA modulate state
pass in on $int_if route-to { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to $int_if:0 port $lan_port flags S/SA modulate state
pass in on $int_if route-to { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state

##################################################
# Inbound from the LAN to the firewall
##################################################
pass in quick on $int_if proto tcp from <bim>  to any flags S/SA modulate state
pass in quick on $int_if proto { udp, icmp } from <bim>  to any keep state

block in quick log on $int_if proto tcp from any to <yasakip>
pass in quick on $int_if proto tcp from $lan_net to any port $lan_port flags S/SA modulate state
pass in quick log on $int_if proto tcp from $lan_net to $int_if:0 port $mail_port flags S/SA modulate state
pass in quick on $int_if proto { udp, icmp } from $lan_net to any keep state
pass in quick on $int_if proto tcp from <msn> to any port = 1863 flags S/SA modulate state
pass in quick on $int_if proto tcp from <ftp> to any port = 21 flags S/SA modulate state

##################################################
# Firewall Outbound
##################################################
pass out on $ext_if proto tcp from $fwips to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from $fwips to any keep state
pass out on $ext_if2 proto tcp from $fwips to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from $fwips to any keep state

pass out quick log on $ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state
pass out quick log on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out quick log on $ext_if2 route-to ($ext_if $ext_gw1) from $ext_if to any

##################################################
# Inbound to the firewall on ext_if2
##################################################
pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to $ext_if2:0 port 25 keep state
pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to $ext_if2:0 port 80 keep state
pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to $ext_if2:0 port 110 keep state
pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to $ext_if2:0 port 500 keep state
pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from <disbirim> to $ext_if2:0 port 1723 keep state
pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto gre from <disbirim> to $ext_if2:0 keep state

FreeBSD 6 book: http://www.acikakademi.com/catalog/freebsd6
---------------------------------------------------------------------
Before asking a question on the list, please check http://ipucu.enderunix.org.

To unsubscribe, e-mail: [EMAIL PROTECTED]
List archive: http://news.gmane.org/gmane.org.user-groups.bsd.turkey
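A small model, added here and not part of the original post or of pf itself, of how pf picks the winning rule for a packet: it walks the ruleset top to bottom, the last matching rule wins, and a matching rule carrying "quick" ends evaluation on the spot. It is applied to simplified versions of the post's "pass in on $int_if" TCP rules (the $int_if address 192.168.1.1 and the sample packets are assumed), so you can see which rule a LAN HTTP or SMTP packet actually ends up on, and what changes when the route-to rules themselves carry quick.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed values: the $int_if address and the port macros from the post.
INT_IF_IP = "192.168.1.1"
LAN_NET = "192.168.1."
LAN_PORT: Set[int] = {80, 53, 444, 443, 8080}
MAIL_PORT: Set[int] = {25, 110}

@dataclass
class Rule:
    name: str
    dst: str                        # "any" or the firewall's $int_if address
    ports: Set[int]
    quick: bool = False
    route_to: Optional[str] = None  # gateway(s) the rule would route via

    def matches(self, pkt: dict) -> bool:
        return (pkt["proto"] == "tcp"
                and pkt["src"].startswith(LAN_NET)
                and (self.dst == "any" or pkt["dst"] == self.dst)
                and pkt["dport"] in self.ports)

# Simplified model of the post's "pass in on $int_if" TCP rules, in file order.
RULES = [
    Rule("route-to mail -> gw2", INT_IF_IP, MAIL_PORT, route_to="gw2"),
    Rule("route-to lan_port round-robin", "any", LAN_PORT, route_to="gw1/gw2"),
    Rule("quick pass lan_port", "any", LAN_PORT, quick=True),
    Rule("quick pass mail to fw", INT_IF_IP, MAIL_PORT, quick=True),
]

def evaluate(pkt: dict, rules=RULES):
    """Pick the rule pf would apply: last match wins unless a match is quick."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:          # quick: evaluation stops at this rule
                break
    return (winner.name, winner.route_to) if winner else (None, None)

def with_quick_route_to(rules=RULES):
    """Same ruleset, but every route-to rule carries quick, so later rules cannot shadow it."""
    return [Rule(r.name, r.dst, r.ports, quick=r.quick or r.route_to is not None,
                 route_to=r.route_to) for r in rules]

if __name__ == "__main__":
    http = {"proto": "tcp", "src": "192.168.1.20", "dst": "203.0.113.5", "dport": 80}
    smtp = {"proto": "tcp", "src": "192.168.1.20", "dst": INT_IF_IP, "dport": 25}
    for pkt in (http, smtp):
        print(evaluate(pkt), "-> with quick on route-to:", evaluate(pkt, with_quick_route_to()))
```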
