I wrote up a pf firewall configuration document; please take a look and tell me what is wrong and what needs changing.
Plan: 1. The existing 10M WAN link comes in on fxp0; fxp1 (the DMZ zone) gets 2M and fxp2 (the internal zone) gets 8M.
2. The servers that go out use fixed public IP addresses, and outbound traffic is restricted to fixed ports.
3. The DMZ zone and the internal zone can reach each other.
|
|
wan 10m
|
|
bsd+pf---int 8m---juniper FW---mail and web server
|
|
dmz 2M
|
|
dns server---db server
Questions:
1. Please help me check whether the NAT and inter-zone access parts of the configuration have problems.
2. I am only using ALTQ for bandwidth allocation, not for rate-limiting specific protocols; I don't know what else the ALTQ part needs.
My configuration is as follows:
1. Start on boot
#vi /etc/rc.conf.local
ifconfig_fxp0="inet x.x.x.1 netmask 255.255.255.240"
# alias variables must carry the interface name (fxp0_alias0, not fxp_alias0);
# aliases in the same subnet as the primary address use a /32 netmask
ifconfig_fxp0_alias0="inet x.x.x.2 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet x.x.x.3 netmask 255.255.255.255"
ifconfig_fxp0_alias2="inet x.x.x.4 netmask 255.255.255.255"
# the variable is ifconfig_, not ipconfig_
ifconfig_fxp1="inet 192.168.2.1 netmask 255.255.255.0"
# a /30 only holds .1 and .2, so web_server 192.168.3.3 (the broadcast address
# of 192.168.3.0/30) could never be reached; the int network is widened to a /24
ifconfig_fxp2="inet 192.168.3.1 netmask 255.255.255.0"
hostname="bsd"
# this must be the ISP's gateway inside x.x.x.0/28, not the firewall's own x.x.x.1
defaultrouter="x.x.x.1"
gateway_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# the rc.conf knob is pf_enable, not pf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
2. Configure the rules
#vi /etc/pf.conf
#macros
ext_if="fxp0"
dmz_if="fxp1"
int_if="fxp2"
tcp_services="{ 25, 53, 80, 110, 5900 }"
udp_services="{ 53 }"
icmp_types="echoreq"
priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
dns_server="192.168.2.2"
db_server="192.168.2.3"
mail_server="192.168.3.2"
web_server="192.168.3.3"
dns_extip="x.x.x.2"
web_extip="x.x.x.3"
mail_extip="x.x.x.4"
#options
set block-policy return
set loginterface $ext_if
#scrub
scrub in all
#ALTQ
# pf.conf order is options, scrub, queueing, translation, filtering, so the
# queue definitions move up here; cbq needs the bandwidth keyword and at least
# one child queue, and a single cbq(default) queue per interface caps the link
# at the planned rate without shaping individual protocols
altq on $dmz_if cbq bandwidth 2Mb queue { dmz_std }
queue dmz_std bandwidth 100% cbq(default)
altq on $int_if cbq bandwidth 8Mb queue { int_std }
queue int_std bandwidth 100% cbq(default)
#nat/rdr
# binat takes no port list; the fixed outbound source addresses are done with
# nat and the inbound ports with rdr, which is what the original rules intended
nat on $ext_if from $dns_server to any -> $dns_extip
nat on $ext_if from $web_server to any -> $web_extip
nat on $ext_if from $mail_server to any -> $mail_extip
rdr on $ext_if proto tcp from any to $mail_extip port { 25, 53, 80, 110 } -> $mail_server
rdr on $ext_if proto tcp from any to $dns_extip port { 53, 80 } -> $dns_server
rdr on $ext_if proto tcp from any to $web_extip port { 53, 80 } -> $web_server
# rdr cannot redirect a port to a whole network (pfctl rejects a bare network
# target); UDP DNS from the outside belongs to the DNS server only
rdr on $ext_if proto udp from any to $dns_extip port 53 -> $dns_server
#filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in quick on $ext_if proto tcp from any to $mail_server port { 25, 53, 80, 110 } flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $dns_server port { 53, 80 } flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $web_server port { 53, 80 } flags S/SA synproxy state
# flags and synproxy state are TCP-only; UDP gets a plain state entry, and the
# destination is the translated address after the rdr above
pass in quick on $ext_if proto udp from any to $dns_server port 53 keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
# "form" in the original is a typo for "from"
pass in on $dmz_if from $dmz_if:network to any keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $dmz_if from any to $dmz_if:network keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
3. Enable routing between the interfaces
#vi /etc/sysctl.conf
# gateway_enable="YES" in rc.conf already sets this on FreeBSD; keeping it here is harmless
net.inet.ip.forwarding=1
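As an added check that is not part of the original post: a small Python script that tests the addressing plan in the macros against the interface netmasks, something `pfctl -n` does not do because a host outside its subnet is not a syntax error. The interface and server values are copied from the configuration above, with the /30 on fxp2 as originally posted, so it reports that web_server 192.168.3.3 is that subnet's broadcast address.

```python
import ipaddress

# Addressing plan copied from the rc.conf.local and pf.conf above; the
# x.x.x.0/28 WAN block is a placeholder, so only the inside interfaces are checked.
INTERFACES = {
    "fxp1 (dmz)": ("192.168.2.1", "255.255.255.0"),
    "fxp2 (int)": ("192.168.3.1", "255.255.255.252"),
}
SERVERS = {
    "dns_server": "192.168.2.2",
    "db_server": "192.168.2.3",
    "mail_server": "192.168.3.2",
    "web_server": "192.168.3.3",
}


def check_plan(interfaces, servers):
    """Return a list of problems; an empty list means every server macro is a
    usable host address inside exactly one inside network and does not collide
    with the firewall's own address on that interface."""
    ifaces = {name: ipaddress.ip_interface(f"{addr}/{mask}")
              for name, (addr, mask) in interfaces.items()}
    problems = []
    for sname, saddr in servers.items():
        host = ipaddress.ip_address(saddr)
        homes = [name for name, ifc in ifaces.items() if host in ifc.network]
        if not homes:
            problems.append(f"{sname} {saddr}: not inside any inside network")
            continue
        name = homes[0]
        net = ifaces[name].network
        if host in (net.network_address, net.broadcast_address):
            # an rdr to this address can never reach a host: it is the network
            # or broadcast address of the subnet configured on that interface
            problems.append(f"{sname} {saddr}: network/broadcast address of "
                            f"{net} on {name}")
        elif host == ifaces[name].ip:
            problems.append(f"{sname} {saddr}: collides with the firewall's "
                            f"own address on {name}")
    return problems


if __name__ == "__main__":
    for line in check_plan(INTERFACES, SERVERS) or ["addressing plan is consistent"]:
        print(line)
```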
[ This post was last edited by peanut on 2008-12-25 17:27 ]
Bump! Nice policy~