PF Anchor
Добавлено: 2009-06-24 1:02:39
хочу сделать anchor добавляющий в конфиг pf правило пропукающее icq
pf.conf
перезагружаю правила, затем пишу :
но правило не загружается. Что я делаю не так? ман читал, но там anchor удивительно мало уделено внимания.
pf.conf
Код: Выделить всё
#############_____create macros for interfaces & networks_____#################
ext_if="xl0"
int_if="sis0"
pdc="192.168.1.1"
int_ip="192.168.1.2"
ext_ip="192.168.0.1"
tcp_services="{ 22, 113 }"
admin_ports="{22}"
system_services="{domain, ntp}"
client_to_internet = "{http,https,pop3,smtp}"
icmp_types="echoreq"
CY5="192.168.1.4"
client1="192.168.1.3"
LAN="192.168.1.0 /24"
###############################____TABLES_____#############################
###############################____options____#############################
set block-policy return
set loginterface $int_if
set skip on lo
###############################_____Scrub_____###############################
scrub in
###############################_____ALTQ_____################################
altq on $int_if cbq bandwidth 100Mb queue {int_net_out, dmz_net_out}
queue int_net_out on $int_if bandwidth 4Mb {std_out, client1_out}
queue std_out on $int_if bandwidth 3750Kb cbq (default, red) borrow
queue client1_out on $int_if bandwidth 250Kb cbq
queue dmz_net_out on $int_if bandwidth 96Mb cbq (red)
###############################_____NAT____##################################
nat on $ext_if from !($ext_if) to any -> ($ext_if)
##############################_____Redirect___################################
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
###########################_____Filter Section_____###########################
anchor "ftp-proxy/*"
block log(all) all
pass out log keep state
pass in log(all) inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if inet proto tcp from $LAN to any port $client_to_internet queue std_out
pass in on $int_if inet proto {tcp} from $CY5 to any port $admin_ports
pass in on $int_if inet proto udp from $pdc to any port $system_services
pass in on $int_if inet proto tcp from $father to any port $client_to_internet queue client1_out
anchor "clients:icq"
Код: Выделить всё
echo "pass in on 192.168.1.2 inet proto udp from 192.168.1.0/24 to any port 5190" | pfctl -a clients:icq -f -