
Help me understand blocking by IP in pf

Posted: 2010-07-26 16:27:50
hroft
pf.conf:

Code:

##--macros
int_if="vr0" # local interface
ext_if="tun0" # pppoe
ext_ip="111.111.111.111"
dns_serv="192.168.0.3" #dns bind
proxy_if="lo0" #localhost
proxy_port="3128" #squid port
localnet="{192.168.0.0/24,192.168.1.0/24, 192.168.102.0/24,192.168.2.0/24,192.168.5.0/24}"
server5="192.168.0.5" # 
server4="192.168.0.4" #
server2="192.168.0.2"
table <BRUTEFORCERS> persist


##--options
set skip on lo0
set block-policy drop
set timeout { frag 10, tcp.established 3600 }
scrub in all
##--nat & rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
#proxy
rdr on $int_if proto tcp from $int_if:network to any port www -> $proxy_if port $proxy_port
# rdr from inet to me:rdp
rdr on $ext_if proto tcp from any to $ext_if port rdp -> $server5 port rdp
rdr on $ext_if proto tcp from any to $ext_if port 1126 -> $server4 port 1126
rdr on $ext_if proto tcp from any to $ext_if port 333 -> $server4 port rdp
rdr on $ext_if proto tcp from any to $ext_if port 334 -> $server2 port rdp
##--rules
block all
antispoof log quick for { lo0, $int_if, $ext_if }
block drop log quick from <BRUTEFORCERS>
########################################################################
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
########################################################################
block drop quick from 192.168.0.234 to 192.168.0.6
block drop quick on 192.168.0.6 to 192.168.0.234
########################################################################
# pass all traffic to and from the local network
pass in  on $int_if from $localnet to any no state
pass out on $int_if from any to $localnet no state
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto {udp icmp} all keep state
####################
# RDP (tcp)
pass in  on $ext_if proto tcp from any     to $server5  port rdp synproxy state
pass out on $int_if proto tcp from any     to $server5  port rdp modulate state
pass in  on $ext_if proto tcp from any     to $server4  port {1126,333,334,rdp} synproxy state
pass out on $int_if proto tcp from any     to $server4  port {1126,333,334,rdp} modulate state
pass in  on $ext_if proto tcp from any     to $server2  port {334,rdp} synproxy state
pass out on $int_if proto tcp from any     to $server2  port {334,rdp} modulate state
#ssh
pass in on $ext_if proto tcp from any to $ext_if port 222
#FTP Server
pass in on $ext_if proto {tcp,udp} from any to ($ext_if) port {21,20,10000:65535} keep state ( max-src-conn-rate 5/300,overload <BRUTEFORCERS> flush global )
pass log inet proto icmp all
I block access like this:
block drop quick from 192.168.0.234 to 192.168.0.6
block drop quick on 192.168.0.6 to 192.168.0.234

I can't get access from 192.168.0.234 to 192.168.0.6 blocked. Why? I can't figure it out.
Thanks in advance for any replies!

Re: Help me understand blocking by IP in pf

Posted: 2010-07-26 19:14:15
Pablo
If my telepathy is right, try the following:
1. Rewrite the rules:

Code:

block in quick on $int_if inet from 192.168.0.6 to $int_if
block out quick on $int_if inet from $int_if to 192.168.0.6
2. Install /usr/ports/sysutils/pftop and use it to see which rule your traffic is going through.
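An added example, not from either post, showing the host-pair block in a form that pf will actually load, together with the checks to run on the firewall afterwards. It reuses the poster's `int_if` macro and the two addresses from the thread; the macro names `blocked_src` and `blocked_dst` are chosen here. The detail that matters is pf syntax: the word after `on` must be an interface (or interface group), never an address, so the second line of the posted pair does not parse, and when one line of pf.conf fails to parse pfctl rejects the whole file and leaves the previously loaded ruleset in place.

```pf
# Added example (not from the original post): blocking one host pair with pf.
# $int_if and the two addresses come from the thread; blocked_src/blocked_dst
# are macro names chosen for this example.
int_if="vr0"
blocked_src="192.168.0.234"
blocked_dst="192.168.0.6"

# The pair as posted. The second line is a syntax error ("on" takes an
# interface name, not an address), so "pfctl -f pf.conf" refuses the entire
# file and the old ruleset keeps running, which looks exactly like "the block
# does nothing":
#   block drop quick from 192.168.0.234 to 192.168.0.6
#   block drop quick on 192.168.0.6 to 192.168.0.234

# Corrected pair: both directions, bound to the inside interface, with "log"
# so each hit shows up on pflog0. "quick" ends evaluation at the first match,
# so these lines must sit above the "pass in on $int_if ... no state" rules
# that would otherwise let the traffic through.
block drop log quick on $int_if inet from $blocked_src to $blocked_dst
block drop log quick on $int_if inet from $blocked_dst to $blocked_src

# ... the rest of the ruleset (antispoof, pass in on $int_if from $localnet,
# the rdr/pass pairs for rdp, ssh, ftp) follows unchanged ...

# Checks, run on the firewall:
#   pfctl -nf /etc/pf.conf                 # parse only; an error here means nothing new was loaded
#   pfctl -f  /etc/pf.conf                 # load the ruleset
#   pfctl -sr | grep -n 192.168.0.234      # macros are expanded; confirms order relative to the pass rules
#   pfctl -vsr                             # per-rule "Evaluations/Packets/Bytes" counters
#   tcpdump -n -e -ttt -i pflog0 host 192.168.0.234   # logged drops, with the rule number that matched
```

One caveat to keep in mind while reading the counters: these rules can only act on packets that pass through the firewall. If 192.168.0.234 and 192.168.0.6 are on the same broadcast domain behind vr0, they exchange traffic directly over the switch and the gateway never sees a single packet of it; a rule whose packet counter stays at zero while the connection still works is the usual sign of that, and the block then has to be enforced on the switch or on the hosts themselves rather than in pf.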