Hi,

> >
> Could I see the PF configuration? (without the actual addresses, of course :)
> Vilem

Sure. I have already trimmed it during my experiments so that almost nothing is left;
I only dropped the binat rules, there were really a lot of them:
**************************************************************************************************
set limit { states 1000000, frags 1000000, src-nodes 500 }
set optimization aggressive

# Network interfaces
ext_if          =       "em0"
int_if          =       "em1"

# External address
ext_addr        =       "178.255.168.19"

# Cut-off (non-paying) clients
table <neplatici>       persist file "/usr/local/etc/pf/neplatici"

# Spammers: clients with a public IP that may send mail directly
table <verejna_ip>      persist file "/usr/local/etc/pf/verejna_ip"
smtp_addr       =       "92.62.224.69"

# Clients and their public IP
int_klient  =       "xxxx internal"    # binat example, internal IP
ext_klient  =       "yyyy external"    # binat example, external IP

scrub all fragment reassemble no-df

# Basic NAT
nat on $ext_if from "10.1.0.0/16"               -> $ext_addr

# Client NAT (1:1)
binat   on $ext_if from $int_klient to any -> $ext_klient

# Cut-off clients: redirect their HTTP to the notice page
# (translation runs before filtering, so the filter rules below already see 172.16.163.2)
rdr proto tcp from <neplatici> to any port 80 -> 172.16.163.2 port 80

# Firewall - experiments
#block quick from any to em1:broadcast
#block log quick inet proto icmp from any to any icmp-type redir
#block quick on vlan1001 proto icmp

# Spammers: outbound SMTP only via the relay, unless the client is in <verejna_ip>
# (in pf the last matching rule wins, so the pass rules override the block)
block proto tcp from 10.0.0.0/8   to any        port smtp
pass  proto tcp from 10.0.0.0/8   to $smtp_addr port smtp
pass  proto tcp from <verejna_ip> to any        port smtp

# Cut-off clients: block everything except DNS and the redirected HTTP
block from <neplatici> to any
pass  proto { tcp, udp } from <neplatici> to any port domain
pass  proto tcp from <neplatici> to 172.16.163.2 port 80
**************************************************************************************************

-- 
FreeBSD mailing list ([email protected])
http://www.freebsd.cz/listserv/listinfo/users-l

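The ruleset above relies on two pf properties that are easy to get wrong: rdr translation is applied before the filter rules, and among the filter rules the last match wins unless a rule says `quick`. The following is an added example (not part of the original post and not pf itself): a small Python model of how pf evaluates exactly the filter and rdr rules posted, run against a few constructed packets. The table contents (`<neplatici>` = 10.1.7.0/24, `<verejna_ip>` = 10.1.200.5) and the client addresses are made up for the example; the relay address and the redirect target are the ones from the posted config. `with_quick()` shows what happens if the `block from <neplatici>` rule were given `quick`: the pass rule for the redirected HTTP would never be reached.

```python
"""Toy model of pf evaluation for the posted ruleset (added example, not pf).

Filter rules are walked top to bottom; the LAST matching rule decides, unless a
matching rule carries `quick`, which stops evaluation immediately.  rdr is applied
before filtering, so the filter sees the rewritten destination.  There is no
`block all` in the posted config, so a packet matching no rule is passed (pf default).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample table contents; the posted config loads these from files.
TABLES = {
    "neplatici": [ip_network("10.1.7.0/24")],     # cut-off clients (assumed)
    "verejna_ip": [ip_network("10.1.200.5/32")],  # may send mail directly (assumed)
}
SMTP_ADDR = ip_address("92.62.224.69")   # $smtp_addr from the posted config
PORTAL = ip_address("172.16.163.2")      # rdr target from the posted config


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def in_table(addr, name):
    a = ip_address(addr)
    return any(a in net for net in TABLES[name])


def src_match(pkt, spec):
    if spec == "any":
        return True
    if spec.startswith("<"):
        return in_table(pkt.src, spec.strip("<>"))
    return ip_address(pkt.src) in ip_network(spec)


def dst_match(pkt, spec):
    return spec == "any" or ip_address(pkt.dst) == ip_address(spec)


# (action, quick, protos, src, dst, dports); None means "not restricted".
# Same order as the posted filter rules.
FILTER_RULES = [
    ("block", False, {"tcp"}, "10.0.0.0/8", "any", {25}),           # block ... port smtp
    ("pass",  False, {"tcp"}, "10.0.0.0/8", str(SMTP_ADDR), {25}),  # pass ... to $smtp_addr
    ("pass",  False, {"tcp"}, "<verejna_ip>", "any", {25}),         # pass from <verejna_ip>
    ("block", False, None, "<neplatici>", "any", None),             # block from <neplatici>
    ("pass",  False, {"tcp", "udp"}, "<neplatici>", "any", {53}),   # pass ... port domain
    ("pass",  False, {"tcp"}, "<neplatici>", str(PORTAL), {80}),    # pass ... to 172.16.163.2
]


def rule_matches(rule, pkt):
    _, _, protos, src, dst, dports = rule
    return ((protos is None or pkt.proto in protos)
            and src_match(pkt, src) and dst_match(pkt, dst)
            and (dports is None or pkt.dport in dports))


def apply_rdr(pkt):
    """rdr proto tcp from <neplatici> to any port 80 -> 172.16.163.2 port 80"""
    if pkt.proto == "tcp" and pkt.dport == 80 and in_table(pkt.src, "neplatici"):
        return replace(pkt, dst=str(PORTAL), dport=80)
    return pkt


def evaluate(pkt, rules=FILTER_RULES):
    """Return (verdict, index of the deciding rule or None if nothing matched)."""
    pkt = apply_rdr(pkt)
    verdict, winner = "pass", None          # pf default when no rule matches
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            verdict, winner = rule[0], i    # last match wins ...
            if rule[1]:                     # ... unless it is quick
                break
    return verdict, winner


def with_quick(index, rules=FILTER_RULES):
    """Copy of the ruleset with `quick` set on one rule (hypothetical variant)."""
    return [(a, True if i == index else q, *rest)
            for i, (a, q, *rest) in enumerate(rules)]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "10.1.7.20", "1.2.3.4", 80),       # cut-off client, web
        Packet("tcp", "10.1.7.20", "1.2.3.4", 443),      # cut-off client, https
        Packet("udp", "10.1.7.20", "8.8.8.8", 53),       # cut-off client, DNS
        Packet("tcp", "10.1.3.9", "1.2.3.4", 25),        # normal client, direct SMTP
        Packet("tcp", "10.1.3.9", str(SMTP_ADDR), 25),   # normal client, via relay
        Packet("tcp", "10.1.200.5", "1.2.3.4", 25),      # <verejna_ip>, direct SMTP
        Packet("tcp", "10.1.3.9", "1.2.3.4", 80),        # normal client, no rule matches
    ]
    for p in samples:
        print(p, "->", evaluate(p))
    print("block-with-quick:", evaluate(samples[0], with_quick(3)))
```

Note what the model makes visible: a cut-off client's SMTP attempt to the relay is still blocked, because `block from <neplatici> to any` comes after the relay pass rule, and a normal client's web traffic is passed only because nothing matches it at all.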