pf.rules

[uHk]

начал изучать pf, вот нарисовал топологию (см. приложение)
хотелось бы услышать критики

Код: Выделить всё

ext1_if=			#192.168.100.101
ext2_if=			#192.168.101.101
ext3_if=			#SHDSL
club_if="stge0"
local_if="rl1"

local_net="192.168.3.0/24"
club_net="192.168.1.0/24"
vpn_net="192.168.5.0/24"
local_vip="192.168.3.242"
utk_net="62.183.88.0/22,83.239.244.0/22,85.172.164.0/22,85.172.80.0/21,85.173.144.0/20"

set block-policy drop
set skip on lo0
scrub in all fragment reassemble
scrub out all random-id max-mss 1440

nat on $ext1_if inet from { $club_net, $vpn_net, $local_net } to any -> 192.168.100.101
nat on $ext2_if inet from { $club_net, $vpn_net, $local_net } to any -> 85.173.150.xx
nat on $ext3_if inet tagged SHDSL -> 85.172.81.19

antispoof quick for { $club_if, $local_if, $ext_if }
blocl all

############################################################
#                       club_if 
############################################################
pass in quick on $club_if from $club_net to { $club_net, $local_net, $vpn_net }
pass out on $club_if from any to $club_net
pass in on $club_if route-to ($ext3_if  85.172.81.17) proto tcp from $club_net to $utk_net flags S/SA modulate state tag SHDSL
pass in on $club_if route-to ($ext3_if  85.172.81.17) proto { udp, icmp } from $club_net to $utk_net keep state tag SHDSL
pass in on $club_if route-to ($ext2_if 85.173.150.1) proto tcp from $club_net to any port { 8086, 7777, 2106} flags S/SA modulate state
pass in on $club_if route-to ($ext2_if 85.173.150.1) proto udp from $club_net to any port 1513 keep state
pass in on $club_if route-to { ($ext1_if  192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto tcp from $club_net to any flags S/SA modulate state
pass in on $club_if route-to { ($ext1_if  192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto { udp, icmp } from $club_net to any keep state

############################################################
#                       local_if 
############################################################
pass in quick on $local_if from $local_net to { $club_net, $local_net, $vpn_net }
pass out on $local_if from any to $local_net
pass in on $local_if route-to ($ext3_if  85.172.81.17) proto tcp from $local_vip to $utk_net flags S/SA modulate state tag SHDSL
pass in on $local_if route-to ($ext3_if  85.172.81.17) proto { udp, icmp } from $local_vip to $utk_net keep state tag SHDSL
pass in on $local_if route-to { ($ext1_if  192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto tcp from $local_vip to any flags S/SA modulate state
pass in on $local_if route-to { ($ext1_if  192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto { udp, icmp } from $local_vip to any keep state
###################################################################

############################################################
#                       vpn_if 
############################################################
pass in quick from $vpn_net to { $club_net, $local_net, $vpn_net }
pass out from any to $vpn_net
pass in route-to ($ext3_if  85.172.81.17) proto tcp from $vpn_net to $utk_net flags S/SA modulate state tag SHDSL
pass in route-to ($ext3_if  85.172.81.17) proto { udp, icmp } from $vpn_net to $utk_net keep state tag SHDSL
pass in route-to { ($ext1_if  192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto tcp from $vpn_net to any flags S/SA modulate state
pass in route-to { ($ext1_if  192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto { udp, icmp } from $vpn_net to any keep state
###################################################################

pass out on $ext1_if proto tcp from any to any flags S/SA modulate state
pass out on $ext1_if proto { udp, icmp } from any to any keep state
pass out on $ext2_if proto tcp from any to any flags S/SA modulate state
pass out on $ext2_if proto { udp, icmp } from any to any keep state
pass out on $ext3_if proto tcp from any to any flags S/SA modulate state
pass out on $ext3_if proto { udp, icmp } from any to any keep state

pass out on $ext1_if route-to ($ext1_if  192.168.100.102) inet proto icmp from {$ext1_if, $ext2_if} to {193.239.250.34, 199.202.238.18}	#ping www.ua, #www.net
pass out on $ext2_if route-to ($ext1_if  192.168.100.102) inet proto icmp from {$ext1_if, $ext2_if} to {193.239.250.34, 199.202.238.18}	#ping www.ru
pass out on $ext1_if route-to ($ext2_if 85.173.150.1) inet proto icmp from {$ext1_if, $ext2_if} to {194.87.0.50}
pass out on $ext2_if route-to ($ext2_if 85.173.150.1) inet proto icmp from {$ext1_if, $ext2_if} to {194.87.0.50}
pass out on $ext1_if route-to ($ext2_if 85.173.150.1) from $ext2_if to any 
pass out on $ext2_if route-to ($ext1_if  192.168.100.102) from $ext1_if to any
pass out on $ext3_if route-to ($ext3_if  85.172.81.17) from 85.172.81.19 to any

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[zingel]

а что не работает, на что грешите?

[uHk]

а я пока не вводил это
одного не пойму, во всех правилах встречается

Код: Выделить всё

flags S/SA

. в манах написано, что такие правила словят только пакеты установления связи,
т.е. установленные соединения пройдут минуя PF. правильный ход мыслей ?

еще нюанс с интерфейсами ng*. в колонках

Код: Выделить всё

club_if, local_if

указывал во всех правилах интерфейс.
как быть с ng* ?
PS: юзаю mpd4

[zingel]

. в манах написано, что такие правила словят только пакеты установления связи,
т.е. установленные соединения пройдут минуя PF. правильный ход мыслей ?

начнём с того, что у тебя всё пойдёт через pf