peanut posted on 2008-12-25 15:12:19

I wrote up a document on using pf as a firewall; please take a look and tell me what is wrong and what needs changing.

Plan:
1. The existing 10M WAN link comes in on fxp0; fxp1 (the DMZ) gets 2M and fxp2 (the internal zone) gets 8M.
2. Outbound traffic from the servers uses fixed IP addresses and is limited to fixed outbound ports.
3. The DMZ and the internal zone can reach each other.

|
|
wan 10m
|
|
bsd+pf---int 8m---juniper FW---mail and web server
|
|
dmz 2M
|
|
dns server---db server

Questions:
1. Please help me check whether the NAT and cross-zone access parts are configured correctly.
2. I only use ALTQ for bandwidth allocation, not for per-protocol rate limiting; I don't know what else the ALTQ section needs.

My configuration is as follows:
Set it to start at boot
#vi /etc/rc.conf.local
ifconfig_fxp0="inet x.x.x.1 netmask 255.255.255.240"
# alias keys must name the interface: ifconfig_fxp0_alias<n>, not ifconfig_fxp_alias<n>
# ("netwask" corrected to "netmask" as well)
ifconfig_fxp0_alias0="inet x.x.x.2 netmask 255.255.255.240"
ifconfig_fxp0_alias1="inet x.x.x.3 netmask 255.255.255.240"
ifconfig_fxp0_alias2="inet x.x.x.4 netmask 255.255.255.240"
# "ipconfig_" is not an rc variable, so these two lines were silently ignored
ifconfig_fxp1="inet 192.168.2.1 netmask 255.255.255.0"
# a /30 leaves 192.168.3.2 as the only other usable host; 192.168.3.3 ($web_server in pf.conf)
# is the broadcast address of this subnet, so either widen the mask or move that host
ifconfig_fxp2="inet 192.168.3.1 netmask 255.255.255.252"
hostname="bsd"
# must be the upstream router's address; as written it equals this box's own fxp0 address
defaultrouter="x.x.x.1"
gateway_enable="YES"

sshd_enable="YES"
inetd_enable="YES"
syslogd_flags="-ss"

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# FreeBSD's rc reads pf_enable, not pf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

2. Configure the rules
#macros
ext_if="fxp0"
dmz_if="fxp1"
int_if="fxp2"

tcp_services="{ 25, 53, 80, 110, 5900 }"
udp_services="{ 53 }"
icmp_types="echoreq"
priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
dns_server="192.168.2.2"
db_server="192.168.2.3"
mail_server="192.168.3.2"
web_server="192.168.3.3"

dns_extip="x.x.x.2"
web_extip="x.x.x.3"
mail_extip="x.x.x.4"

#options
set block-policy return
set loginterface $ext_if

#scrub
scrub in all

#ALTQ
# pf.conf sections must be ordered macros, options, scrub, queueing, translation, filtering,
# so the queueing block belongs here, not at the end of the file.
# altq only shapes traffic leaving the named interface, i.e. the download direction into each
# zone. A root queue needs the "bandwidth" keyword and at least one child queue, one of them
# marked default, otherwise pfctl rejects the ruleset.
altq on $dmz_if cbq bandwidth 2Mb queue { dmz_std }
queue dmz_std bandwidth 2Mb cbq(default)
altq on $int_if cbq bandwidth 8Mb queue { int_std }
queue int_std bandwidth 8Mb cbq(default)

#nat/rdr
# binat takes no port specification (pfctl rejects it); nat does, so nat is what pins each
# server's outbound traffic from the listed source ports to its fixed external address
nat on $ext_if proto { tcp, udp } from $dns_server port { 53, 80 } to any -> $dns_extip
nat on $ext_if proto { tcp, udp } from $web_server port { 53, 80 } to any -> $web_extip
nat on $ext_if proto { tcp, udp } from $mail_server port { 25, 53, 80, 110 } to any -> $mail_extip

rdr on $ext_if proto tcp from any to $mail_extip port { 25, 53, 80, 110 } -> $mail_server
rdr on $ext_if proto tcp from any to $dns_extip port { 53, 80 } -> $dns_server
rdr on $ext_if proto tcp from any to $web_extip port { 53, 80 } -> $web_server
# the original pair "from any to any port 53 -> $if:network" redirected to a whole network
# and its second rule could never match; redirect per external address instead
rdr on $ext_if proto udp from any to $dns_extip port 53 -> $dns_server
rdr on $ext_if proto udp from any to $mail_extip port 53 -> $mail_server

#filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in quick on $ext_if proto tcp from any to $mail_server port { 25, 53, 80, 110 } flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $dns_server port { 53, 80 } flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $web_server port { 53, 80 } flags S/SA synproxy state
# "flags" and "synproxy" only apply to TCP; pfctl rejects them on a UDP rule
pass in quick on $ext_if proto udp from any to { $dns_server, $mail_server } port 53 keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
# "form" corrected to "from" in the four zone rules
pass in on $dmz_if from $dmz_if:network to any keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $dmz_if from any to $dmz_if:network keep state
pass out on $int_if from any to $int_if:network keep state
# note: server traffic that matches no nat rule above still leaves through these two rules
# with its private source address; a "block drop out quick on $ext_if from $priv_nets to any"
# rule would enforce the fixed-port policy from plan item 2
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

3. Enable forwarding between the interfaces
#vi /etc/sysctl.conf
# gateway_enable="YES" in rc.conf already sets this sysctl at boot; keeping it here is a harmless duplicate
net.inet.ip.forwarding=1

[ This post was last edited by peanut on 2008-12-25 17:27 ]
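An added check, not part of the original post, for two of the defects in the rc.conf.local and pf.conf above: rc variable names that rc(8) never reads, and server addresses that are not usable hosts on their interface's subnet (the /30 on fxp2 versus the 192.168.3.3 web server). The interface lines and server macros are copied from the post; the parsing and checks are my own and assume the simple `ifconfig_<if>="inet A netmask M"` line form used there.

```python
import ipaddress
import re

# Constructed sample: the internal-interface lines from the posted rc.conf.local,
# typo included ("ipconfig_" instead of "ifconfig_"), and the server macros from pf.conf.
RC_CONF_LOCAL = """
ipconfig_fxp1="inet 192.168.2.1 netmask 255.255.255.0"
ipconfig_fxp2="inet 192.168.3.1 netmask 255.255.255.252"
"""
SERVERS = {  # pf.conf macro -> (interface the host sits behind, address)
    "dns_server": ("fxp1", "192.168.2.2"),
    "db_server": ("fxp1", "192.168.2.3"),
    "mail_server": ("fxp2", "192.168.3.2"),
    "web_server": ("fxp2", "192.168.3.3"),
}

# Assumed line form: <key>_<ifname>="inet <addr> netmask <mask>"
IF_LINE = re.compile(r'^([a-z]+)_(fxp\d+)="inet (\S+) netmask (\S+)"$')


def parse_interfaces(text):
    """Return ({ifname: IPv4Network}, [problems]) from rc.conf-style interface lines.
    The address is kept even for a misspelled key so the subnet check can still run."""
    nets, problems = {}, []
    for line in text.strip().splitlines():
        m = IF_LINE.match(line)
        if not m:
            problems.append(f"unparseable line: {line}")
            continue
        key, ifname, addr, mask = m.groups()
        if key != "ifconfig":
            problems.append(f"{ifname}: rc(8) ignores '{key}_{ifname}'; use ifconfig_{ifname}")
        nets[ifname] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return nets, problems


def check_servers(nets, servers):
    """Map each server macro to '' (usable host on its interface subnet) or a problem string."""
    result = {}
    for name, (ifname, addr) in servers.items():
        net, ip = nets[ifname], ipaddress.ip_address(addr)
        if ip not in net:
            result[name] = f"{addr} is outside {ifname} subnet {net}"
        elif ip in (net.network_address, net.broadcast_address):
            result[name] = f"{addr} is the network/broadcast address of {net}; widen the mask or move the host"
        else:
            result[name] = ""
    return result


if __name__ == "__main__":
    nets, problems = parse_interfaces(RC_CONF_LOCAL)
    for msg in problems + [v for v in check_servers(nets, SERVERS).values() if v]:
        print(msg)
```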

elsa posted on 2009-5-28 23:45:14

Bump! Nice policy~