
PF 2 wan

Posted: 2013-05-17 14:29:38
marko777
Hello everyone, I have a gateway running OpenBSD 5.2
Internal network - int=192.168.0/24
External1=46.45.32.78
External2=46.45.32.79
Both have the same gateway; I need some of the IPs from the internal network to go out via 78, and some via 79. I created 2 tables with addresses. Via 79 it goes, via 78 it doesn't at all :)
Here is my PF:


ext78="rl0"
ext79="re0"
int="fxp0"
squid="{ 3128 }"
buh="{ 4433, 7500 }"
udp="{ domain, ntp }"
icmp_types="{ echoreq unreach }"
mstate="flags S/SAFR modulate state"
webserver1="192.168.1.2"
webserver2="192.168.1.3"
webports="{ http, https, 5005, 7777 }"
local="192.168.0.0/24"   # assumed from "int=192.168.0/24" above; $local is referenced below but was missing from the paste
me="192.168.1.1"         # PLACEHOLDER: $me is referenced below but was missing from the paste
table <buh> { 192.168.1.124, 192.168.1.25, 192.168.1.14 }
table <squid> { 46.45.19.166, 46.45.32.81 }
table <local78> persist file "/etc/local78"
table <local79> persist file "/etc/local79"

# Normalize & some defend
set skip on lo0
set state-policy if-bound
antispoof quick for { $ext78, $ext79 }
set timeout { frag 10, tcp.established 3600, tcp.closing 90 }
match on { $ext78, $ext79 } all scrub (no-df random-id set-tos reliability max-mss 1472)
# NAT
match out on $ext78 from <local78> nat-to ($ext78)
match out on $ext79 from <local79> nat-to ($ext79)
# BLOCK TRASHES
block log all
pass in on $ext78 inet proto tcp to $ext78 port $webports rdr-to $webserver1
pass in on $ext79 inet proto tcp to $ext79 port $webports rdr-to $webserver2

anchor "ftp-proxy/*"
pass in quick on $int proto tcp from $local to port ftp rdr-to 127.0.0.1 port 8021
pass in on $ext78 inet proto tcp from any to $ext78 port ftp $mstate rdr-to 127.0.0.1 port 8022
pass in on $ext79 inet proto tcp from any to $ext79 port ftp $mstate rdr-to 127.0.0.1 port 8023
# DNS & NTP
pass quick inet proto { tcp, udp } to port $udp keep state
pass inet proto gre keep state
pass inet proto tcp to port 1723 keep state
pass inet proto icmp icmp-type $icmp_types keep state
# LOCAL
pass in on $int from $local to any
pass out on $int from any to $local
# LOCAL OUT TO WORLD
pass out on $ext78 inet proto tcp from <local78> to any keep state
pass out on $ext79 inet proto tcp from <local79> to any keep state
# RDR_TO LAN
pass in on $ext78 inet proto { tcp, udp } to $ext78 port $buh rdr-to <buh>
pass in on $ext78 inet proto tcp to $ext78 port 4850 rdr-to $me port 4899
pass in on $ext78 inet proto { tcp, udp } to $ext78 port 62549 rdr-to $me
pass in on $ext78 inet proto tcp to $ext78 port 4888 rdr-to $webserver1 port 5901

# PASS ALL FROM SERVER 
pass out on $ext78 inet proto tcp from $ext78 to any $mstate
pass out on $ext79 inet proto tcp from $ext79 to any $mstate
# PASS FROM WORLD TO PROXY
pass in on $ext78 inet proto tcp from <squid> to $ext78 port $squid keep state
pass in on $ext79 inet proto tcp from <squid> to $ext79 port $squid keep state
# PASS IN SSH
pass in on $ext78 proto tcp from any to $ext78 port ssh synproxy state ( max-src-conn-rate 1/60 )
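Added example (editor's note, not marko777's ruleset and not hostage's answer): how PF on OpenBSD 5.2 selects the egress interface per source table with route-to, since nat-to only rewrites the source address and leaves the interface choice to the routing table. Interface, table and macro names follow the post; the upstream gateway $gw is a placeholder because the thread never names it.

```pf
# Added example, not from the thread. Macros and tables as in the post.
ext78="rl0"
ext79="re0"
int="fxp0"
gw="46.45.32.1"                  # PLACEHOLDER: the shared upstream gateway
webserver2="192.168.1.3"
webports="{ http, https, 5005, 7777 }"
table <local78> persist file "/etc/local78"
table <local79> persist file "/etc/local79"

set state-policy if-bound
block log all

# Source NAT exactly as in the post: it changes the source address only.
match out on $ext78 from <local78> nat-to ($ext78)
match out on $ext79 from <local79> nat-to ($ext79)

# Traffic that stays local (LAN hosts, the gateway's own addresses) must
# not be policy-routed, so it is passed before the route-to rules.
pass in quick on $int from $int:network to { $int:network, $ext78, $ext79 }

# route-to decides the outgoing interface per source table before the
# kernel consults its single default route. "( interface gateway )" is the
# OpenBSD 5.2 syntax; 5.5 and later write "route-to gateway@interface".
pass in on $int from <local78> route-to ($ext78 $gw)
pass in on $int from <local79> route-to ($ext79 $gw)

# With state-policy if-bound the state created on $int is not valid on the
# external interfaces, so each one needs its own pass out. match nat-to has
# already rewritten the source, so later rules see the interface address.
pass out on $ext78 from ($ext78)
pass out on $ext79 from ($ext79)

# Connections accepted on the second interface must answer through it;
# without reply-to the replies follow the default route out the other one.
pass in on $ext79 inet proto tcp to $ext79 port $webports rdr-to $webserver2 reply-to ($ext79 $gw)
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -ss` while testing from a host in each table to confirm which interface the state is bound to.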

Re: PF 2 wan

Posted: 2014-02-26 23:03:24
hostage
http traffic is done like that with squid in three lines - wouldn't that do?