Помогите допилить PF плиз с двумя каналами
Добавлено: 2011-04-01 9:46:43
Вообщем на фре 2 канала разных провов, кое как настроил PF на распределение каналов по локальным IP, но заметил проблему:
заходить на локальные компы можно теперь только по IP, и на samba тоже. Больше проблем не заметил. Почта ходит, траффик ходит. С конфигом на 1 прова работает все.
Вот конфиг на 2 прова с которым проблемы
Вот конфиг на 1 прова с которым все работает уже пол года.
зы. знаю что с правилами намутил жестко, но работает 
заходить на локальные компы можно теперь только по IP, и на samba тоже. Больше проблем не заметил. Почта ходит, траффик ходит. С конфигом на 1 прова работает все.
Вот конфиг на 2 прова с которым проблемы
Код: Выделить всё
int_if="vr0"
int_if2="vlan0"
ext_if1="rl1"
ext_gw1="1.1.1.1"
ext_if2="rl0"
ext_gw2="2.2.2.2"
lan1="{ 192.168.12.0/24, !<lan2>, !<nolan> }"
lan3="{ 192.168.13.0/24 }"
table <lan2> persist { 192.168.12.16 }
table <nolan> persist { 192.168.12.231 }
ports="{ 22, 25, 143, 80, 443 }"
table <sshguard> persist
set skip on lo0
set block-policy return
scrub in all
nat on $ext_if2 from $lan1 to any -> $ext_if2
nat on $ext_if1 from <lan2> to any -> $ext_if1
block in log quick from <sshguard> label "ssh bruteforce"
pass out on $int_if from any to { $lan1, <lan2> }
pass in quick on $int_if from { $lan1 } to { $int_if, $ext_if2 }
pass in quick on $int_if from { <lan2> } to { $int_if, $ext_if1 }
pass in on $int_if route-to ($ext_if2 $ext_gw2) from $lan1 to any keep state
pass in on $int_if route-to ($ext_if1 $ext_gw1) from { <lan2> } to any keep state
pass out on $ext_if1 from any to any keep state
pass out on $ext_if2 from any to any keep state
pass out on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass in on { $ext_if1, $ext_if2 } proto tcp from any to { $ext_if1, $ext_if2 }
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) from any to $ext_if2
pass in quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) from any to $ext_if1
pass in inet proto icmp all icmp-type echoreq
Код: Выделить всё
int_if="vr0"
ext_if1="rl0"
ext_gw1="2.2.2.2"
lan1="{ 192.168.12.0/24}"
table <sshguard> persist
set skip on lo0
set block-policy return
scrub in all
nat on $ext_if1 from $lan1 to any -> $ext_if1
block in log quick from <sshguard> label "ssh bruteforce"
pass out on $int_if from any to $lan1
pass in quick on $int_if from $lan1 to { $int_if, $ext_if1 }
pass in on $int_if route-to ($ext_if1 $ext_gw1) from $lan1 to any keep state
pass out on $ext_if1 from any to any keep state
pass out on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass in on $ext_if1 proto tcp from any to $ext_if1
pass in quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) from any to $ext_if1
pass in inet proto icmp all icmp-type echoreq
