The OpenNET Project / Index page

Original message
"PF: Two uplinks and traffic limiting"
Posted by rush_alex, 14-Jun-12 12:25
I had this lying around in my archive:

# Enable address translation on the external interfaces.
#nat on $ext_if_a inet from !(self) -> $ext_if_a
#nat on $ext_if_b inet from !(self) -> $ext_if_b
# The TR tag marks a packet that has already been translated; "!tagged TR"
# stops the other uplink's rule from translating it a second time if pf
# evaluates it again (for example after route-to re-injects it on the other
# interface).
nat on $ext_if_a inet from !(self) tag TR !tagged TR -> $ext_if_a
nat on $ext_if_b inet from !(self) tag TR !tagged TR -> $ext_if_b

# FTP-PROXY
# ftp-proxy(8) installs the rules for each FTP data connection through these
# two anchors. They are not in the original paste, but without them the proxy
# cannot pass the data connections (see ftp-proxy(8)).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
#no rdr on lo0 from any to any
# Send the LAN clients' FTP control connections to ftp-proxy on 127.0.0.1:8021.
rdr proto tcp from { $int_if:network, 192.168.4.0/24 } to !(self) port ftp -> lo0 port 8021
#rdr pass on $int_if proto tcp from  192.168.0.129 to any port {ftp} -> 192.168.0.4 port 2121

# HTTP: transparently redirect everyone to Squid on port 3128 (Squid must
# listen on the $int_if address in intercept mode), except for destinations in
# <nosquid-list>. Attempts to reach an external proxy port ($ext_proxy) are
# redirected to Squid as well unless the client is in <white-list>.
#rdr pass on $int_if proto tcp from  any to any port http -> $int_if port 3128
rdr on $int_if proto tcp from  any to !<nosquid-list> port http -> $int_if port 3128
rdr on $int_if proto tcp from  !<white-list> to any port $ext_proxy -> $int_if port 3128
#rdr pass on $int_if proto tcp from  !<nosquid-list> to any port http -> $int_if port http
#rdr on $int_if proto tcp from any to any port $ext_proxy -> $int_if port 3128

# Redirect incoming TCP sessions for services hosted on the LAN servers.
# These rdr rules must NOT carry the "pass" keyword: "rdr pass" hands the
# packet through without consulting the filter rules, so the
# "pass in quick reply-to ... tagged EXT_IF_A/EXT_IF_B" rules below would
# never attach reply-to and the replies would leave via the default route,
# which breaks every service reached through the non-default uplink.
rdr on $ext_if_a inet proto tcp to $ext_if_a port { $int_server2_port } tag EXT_IF_A -> $int_server2
rdr on $ext_if_b inet proto tcp to $ext_if_b port { $int_server2_port } tag EXT_IF_B -> $int_server2

rdr on $ext_if_a inet proto tcp to $ext_if_a port { $ftp2ports } tag EXT_IF_A -> $ftp_lan_server
rdr on $ext_if_b inet proto tcp to $ext_if_b port { $ftp2ports } tag EXT_IF_B -> $ftp_lan_server
rdr on $ext_if_a inet proto tcp to $ext_if_a port { $ftp_ext_ports } tag EXT_IF_A -> $ftp_lan_server
rdr on $ext_if_b inet proto tcp to $ext_if_b port { $ftp_ext_ports } tag EXT_IF_B -> $ftp_lan_server

rdr on $ext_if_a inet proto tcp to $ext_if_a port { $videoports } tag EXT_IF_A -> $video_lan_server
rdr on $ext_if_b inet proto tcp to $ext_if_b port { $videoports } tag EXT_IF_B -> $video_lan_server

# SSH to the gateway itself: redirect to loopback so the session still gets the
# tag (and therefore reply-to) like the forwarded services do.
rdr on $ext_if_a inet proto tcp to $ext_if_a port { ssh } tag EXT_IF_A -> lo0 port ssh
rdr on $ext_if_b inet proto tcp to $ext_if_b port { ssh } tag EXT_IF_B -> lo0 port ssh
#rdr on $ext_if_b inet proto tcp to $ext_if_b port { ssh } tag EXT_IF_B -> lo0 port ssh

## SMTP-SPAM: greylisting with spamd(8). rdr rules are first-match, so a
## whitelisted sender goes straight to the MTA, a sender in the <spamd>
## blacklist goes to spamd, and everyone not yet in <spamd-white> is greylisted.
## spamd must be bound to the address the rdr points at ($ext_if_a/$ext_if_b
## port spamd); the spamd(8) example redirects to 127.0.0.1 instead.
## Two whitelist table names are referenced, <spamd-whitelist> and
## <spamd-white>; if they are not meant to be separate lists, the
## <spamd-whitelist> lines are leftovers already covered by the <spamd-white>
## rules.
##rdr on $ext_if_a inet proto tcp to $ext_if_a port { smtp } tag EXT_IF_A -> lo0 port smtp
rdr on $ext_if_a inet proto tcp from <spamd-whitelist> to $ext_if_a port { smtp } tag EXT_IF_A -> $ext_if_a port smtp
rdr on $ext_if_a inet proto tcp from <spamd> to $ext_if_a port { smtp } tag EXT_IF_A -> $ext_if_a port spamd
rdr on $ext_if_a inet proto tcp from !<spamd-white> to $ext_if_a port { smtp } tag EXT_IF_A -> $ext_if_a port spamd
rdr on $ext_if_a inet proto tcp from <spamd-white> to $ext_if_a port { smtp } tag EXT_IF_A -> $ext_if_a port smtp
#rdr on $ext_if_b inet proto tcp to $ext_if_b port { smtp } tag EXT_IF_B -> lo0 port smtp
rdr on $ext_if_b inet proto tcp from <spamd-whitelist> to $ext_if_b port { smtp } tag EXT_IF_B -> $ext_if_b port smtp
rdr on $ext_if_b inet proto tcp from <spamd> to $ext_if_b port { smtp } tag EXT_IF_B -> $ext_if_b port spamd
rdr on $ext_if_b inet proto tcp from !<spamd-white> to $ext_if_b port { smtp } tag EXT_IF_B -> $ext_if_b port spamd
rdr on $ext_if_b inet proto tcp from <spamd-white> to $ext_if_b port { smtp } tag EXT_IF_B -> $ext_if_b port smtp

# Let LAN hosts reach the redirected services through the external (and
# internal) addresses: the "reflection" pattern. "rdr pass" is fine here
# because no reply-to is needed. The INT_IF_RDR tag makes the nat rule below
# rewrite the client's source to the gateway's internal address, so the
# server's replies come back through pf instead of going straight to the
# client with an unexpected source address.
rdr pass on $int_if inet proto tcp to { $ext_if_a $ext_if_b } port { $int_server2_port } tag INT_IF_RDR -> $int_server2

rdr pass on $int_if inet proto tcp to { $int_if $ext_if_a $ext_if_b } port { $ftp2ports } tag INT_IF_RDR -> $ftp_lan_server
rdr pass on $int_if inet proto tcp to { $int_if $ext_if_a $ext_if_b } port { $ftp_ext_ports } tag INT_IF_RDR -> $ftp_lan_server
rdr pass on $int_if inet proto tcp to { $int_if $ext_if_a $ext_if_b } port { $videoports } tag INT_IF_RDR -> $video_lan_server

nat on $int_if tagged INT_IF_RDR -> $int_if:0


# Steer particular TCP services down a particular uplink, or spread DNS/HTTP
# over both uplinks round-robin (all disabled).
#nat on $ext_if_b inet proto tcp from $ext_if_b to port 25 -> $ext_if_a  
#nat on !$int_if  inet proto {tcp udp } to port 53 tag TRANSFER !tagged TRANSFER  -> {($ext_if_a),($ext_if_b)}
#nat on !$int_if  inet proto tcp to port http tag TRANSFER !tagged TRANSFER  -> { ($ext_if_a:0) , ($ext_if_b:0) }

# Default policy: block and log all traffic on all interfaces. For TCP the
# second rule is the last match and therefore wins, so blocked TCP connects
# get an RST instead of a silent drop.
block log on { $ext_if_a $ext_if_b $int_if}
block return log on { $ext_if_a $ext_if_b $int_if} inet proto tcp
# Drop packets with RFC 1918 source addresses arriving on the uplinks
# (spoofed or leaked private space). Caveat: if an uplink's next hop is a
# private address itself (a CPE/modem), its ICMP is dropped too.
block  in quick on  { $ext_if_a $ext_if_b } from <rfc1918> to any
# Hosts outside <white-list> may not reach anything in <block-list>.
block  in quick on $int_if from !<white-list> to <block-list>
# TeamViewer (only its native port; the client falls back to 443/80)
block in quick on $int_if inet proto {tcp udp} from any to any port 5938

# pass traffic on the loopback interface in either direction
pass in on lo0 all
#pass quick on lo0 all
pass out on lo0 all
# Filter-side anchor for ftp-proxy(8); added, not in the original paste.
# ftp-proxy also needs nat-anchor/rdr-anchor "ftp-proxy/*" in the
# translation section.
anchor "ftp-proxy/*"

##  pass all outgoing packets on internal interface
#pass out on $int_if from any to $int_if:network
##  pass in quick any packets destined for the gateway itself
#pass in quick on $int_if from $int_if:network to $int_if

# Allow LAN access to the terminal server and the other internal servers.
# "quick" makes these win over the later pass out rules on $int_if, so the
# queue assigned here is the one that applies.
pass out quick on $int_if inet proto tcp from any to $int_server1 port {$int_server1_port} keep state queue iif_sound
pass out quick on $int_if inet proto tcp from any to $int_server2 port {$int_server2_port} keep state queue iif_sound

pass out quick on { $int_if } inet proto tcp from any to { $ftp_lan_server } port { $ftp2ports } keep state queue iif_sound
pass out quick on { $int_if } inet proto tcp from any to { $ftp_lan_server } port { $ftp_ext_ports } keep state queue iif_sound
pass out quick on { $int_if } inet proto tcp from any to { $video_lan_server } port { $videoports } keep state queue iif_sound

# Pass the inbound packets for the redirected services and make the routing
# symmetric: reply-to sends the replies back through the uplink the request
# arrived on (A or B) regardless of the default route. The tags are set by the
# rdr rules above, which is why those must not be "rdr pass".
pass in quick reply-to ($ext_if_a $ext_gw_a) tagged EXT_IF_A keep state
pass in quick reply-to ($ext_if_b $ext_gw_b) tagged EXT_IF_B keep state
#pass in reply-to ($ext_if_a $ext_gw_a) tagged EXT_IF_A keep state
#pass in reply-to ($ext_if_b $ext_gw_b) tagged EXT_IF_B keep state

# Let outbound packets out and pick the uplink by source address: packets
# carrying interface A's address leave via gateway A, those carrying B's via
# gateway B. The catch-all for each uplink comes first and the per-service
# rules after it: without "quick" the last matching rule wins, so the more
# specific rule decides the queue. Note that nat translates LAN traffic to the
# address of the interface it leaves through, i.e. the default-route uplink,
# so with the round-robin nat rule disabled LAN clients always use that uplink.
pass out route-to ( $ext_if_a $ext_gw_a ) inet from $ext_if_a keep state
pass out log route-to ( $ext_if_a $ext_gw_a ) inet proto tcp from $ext_if_a to port {smtp} keep state queue eif_a_smtp
pass out route-to ( $ext_if_a $ext_gw_a ) inet proto udp from $ext_if_a to port {$1ext_ext_serv_udp} keep state queue eif_a_sound
pass out route-to ( $ext_if_a $ext_gw_a ) inet proto tcp from $ext_if_a to port {$1ext_ext_serv} keep state queue eif_a_sound
pass out route-to ( $ext_if_a $ext_gw_a ) inet proto tcp from $ext_if_a to port {$2ext_ext_serv} keep state queue eif_a_ftp
pass out route-to ( $ext_if_a $ext_gw_a ) inet proto tcp from $ext_if_a to port {$3ext_ext_serv} keep state queue eif_a_http

pass out route-to ( $ext_if_b $ext_gw_b ) inet from $ext_if_b keep state
pass out log route-to ( $ext_if_b $ext_gw_b ) inet proto tcp from $ext_if_b to port {smtp} keep state queue eif_b_smtp
pass out route-to ( $ext_if_b $ext_gw_b ) inet proto udp from $ext_if_b to port {$1ext_ext_serv_udp} keep state queue eif_b_sound
pass out route-to ( $ext_if_b $ext_gw_b ) inet proto tcp from $ext_if_b to port {$1ext_ext_serv} keep state queue eif_b_sound
pass out route-to ( $ext_if_b $ext_gw_b ) inet proto tcp from $ext_if_b to port {$2ext_ext_serv} keep state queue eif_b_ftp
pass out route-to ( $ext_if_b $ext_gw_b ) inet proto tcp from $ext_if_b to port {$3ext_ext_serv} keep state queue eif_b_http

# Allow incoming ICMP echo requests (ping) on each uplink, replies pinned to
# the same uplink.
pass in on $ext_if_a reply-to ($ext_if_a $ext_gw_a) inet proto icmp to $ext_if_a icmp-type echoreq code 0 keep state queue eif_a_sound
pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto icmp to $ext_if_b icmp-type echoreq code 0 keep state queue eif_b_sound

# Allow incoming sessions to the services the gateway itself serves, with
# reply-to pinning the replies to the uplink they arrived on. "flags S/SA"
# creates state only from the initial SYN.
#pass in on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet to $ext_if_a

# ("keep state" added on the UDP rule to match the uplink B rule; it is the default anyway.)
pass in on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet proto udp to $ext_if_a port { $1ext_int_serv_udp } keep state queue eif_a_sound
pass in log on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet proto tcp to $ext_if_a port smtp keep state queue eif_a_smtp
pass in on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet proto tcp to $ext_if_a port { $1ext_int_serv } flags S/SA keep state queue eif_a_sound
pass in on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet proto tcp to $ext_if_a port { $2ext_int_serv } flags S/SA keep state queue eif_a_ftp
pass in on $ext_if_a reply-to ( $ext_if_a $ext_gw_a) inet proto tcp to $ext_if_a port { $3ext_int_serv } flags S/SA keep state queue eif_a_http

#pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet to $ext_if_b

pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto udp to $ext_if_b port { $1ext_int_serv_udp } keep state queue eif_b_sound
pass in log on $ext_if_b reply-to ( $ext_if_b $ext_gw_b) inet proto tcp to $ext_if_b port smtp keep state queue eif_b_smtp
pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto tcp to $ext_if_b port { $1ext_int_serv } flags S/SA keep state queue eif_b_sound
pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto tcp to $ext_if_b port { $2ext_int_serv } flags S/SA keep state queue eif_b_ftp
pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto tcp to $ext_if_b port { $3ext_int_serv } flags S/SA keep state queue eif_b_http

#pass in on $ext_if_a reply-to ($ext_if_a $ext_gw_a) inet proto tcp from any to $ext_if_a user proxy keep state
#pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto tcp from any to $ext_if_b user proxy keep state

#block in quick on $int_if inet proto tcp from <block-list-in> to any port {3128 80 8080 8081}

# Allow packets into the LAN from the internal interface's own address and
# from the tunnel networks (192.168.3.0/24, 192.168.4.0/24). ":0" excludes
# interface aliases.
pass out on $int_if inet from { $int_if:0, 192.168.3.0/24, 192.168.4.0/24 } to $int_if:network:0 keep state
pass out on $int_if inet proto tcp from { $int_if:0 } port { $1int_int_serv } to $int_if:network:0 keep state queue iif_sound
pass out on $int_if inet proto tcp from { $int_if:0 } port { $2int_int_serv } to $int_if:network:0 keep state queue iif_ftp
pass out on $int_if inet proto tcp from { $int_if:0 } port { $3int_int_serv } to $int_if:network:0 keep state queue iif_http


# Allow packets from the LAN to the internal interface, to the tunnel networks
# and to the gateway's own services (int_int_serv). The catch-all for the
# gateway's address is placed first on purpose: the original paste had it,
# plus a second copy of the four port rules without any queue, after the port
# rules below, and since the last matching rule wins the queue-less copies
# always won, so the iif_* queues were never applied to gateway services.
# Those duplicates are dropped here. Note that the catch-all accepts any
# protocol from any source address to the gateway's internal address.
pass in on $int_if inet from any to $int_if keep state
pass in on $int_if inet from $int_if:network:0 to { 192.168.3.0/24, 192.168.4.0/24 } keep state
pass in on $int_if inet proto udp from $int_if:network:0 to self port { $1int_int_serv_udp } keep state queue iif_sound
pass in on $int_if inet proto tcp from $int_if:network:0 to self port { $1int_int_serv } keep state queue iif_sound
pass in on $int_if inet proto tcp from !<block-list-in> to self port { $2int_int_serv } keep state queue iif_ftp
pass in on $int_if inet proto tcp from !<block-list-in> to self port { $3int_int_serv } keep state queue iif_http

# Allow ping from the LAN
pass in on $int_if inet proto icmp from $int_if:network:0 to any icmp-type echoreq code 0 keep state

# Allow the LAN (except <block-list-in>) out to the Internet (ext_ext_serv).
# Same pattern: catch-all first, then the per-service rules that pick the
# queue; the iif_* queues shape the replies as they leave through $int_if.
pass in on $int_if inet from !<block-list-in> to !(self) keep state
pass in on $int_if inet proto udp from !<block-list-in> to !(self) port { $1ext_ext_serv_udp } keep state queue iif_sound
pass in on $int_if inet proto tcp from !<block-list-in> to !(self) port { $1ext_ext_serv } flags S/SA keep state queue iif_sound
pass in on $int_if inet proto tcp from !<block-list-in> to !(self) port { $2ext_ext_serv } flags S/SA keep state queue iif_ftp
pass in on $int_if inet proto tcp from !<block-list-in> to !(self) port { $3ext_ext_serv } flags S/SA keep state queue iif_http
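Added example, not part of rush_alex's post: the prologue the pasted fragment assumes but does not show. In this pf.conf dialect (the pre-OpenBSD 4.7 nat/rdr syntax, which FreeBSD's pf kept together with ALTQ) macros must be defined before the rules use them, and the queue names the rules reference (iif_*, eif_a_*, eif_b_*) exist only if an altq tree declares them; that tree is where the "traffic limiting" of the title actually happens. Every interface name, address, port list, file path and bandwidth figure below is a placeholder chosen for illustration (RFC 5737 documentation prefixes for the next hops), not a value from the post; the macro names themselves are the ones the fragment uses.

```pf
# ---- Macros (placeholders) ----
ext_if_a = "em0"                  # uplink A
ext_if_b = "em1"                  # uplink B
int_if   = "em2"                  # LAN, 192.168.0.0/24 in this example
ext_gw_a = "203.0.113.1"          # next hop on uplink A
ext_gw_b = "198.51.100.1"         # next hop on uplink B

int_server1 = "192.168.0.10"      # terminal server
int_server1_port = "3389"
int_server2 = "192.168.0.11"
int_server2_port = "443"
ftp_lan_server   = "192.168.0.12"
ftp2ports        = "2121"
ftp_ext_ports    = "21 49152:49200"    # control port plus passive data range
video_lan_server = "192.168.0.13"
videoports       = "554"
ext_proxy = "{ 3128, 8080, 8888 }"     # external proxy ports LAN clients might try

# Port groups behind the queue rules. The fragment names them with a leading
# digit ($1ext_ext_serv ...); pf.conf(5) says macro names start with a letter,
# so if pfctl rejects these, rename them (e.g. ext_ext_serv_1) in both places.
1ext_ext_serv_udp = "53 123 5060"              # LAN -> Internet UDP: DNS, NTP, SIP (*_sound)
1ext_ext_serv     = "22 25 53 110 143 443 993 995 5060"   # LAN -> Internet, interactive/mail
2ext_ext_serv     = "21 2121"                  # LAN -> Internet, FTP (*_ftp)
3ext_ext_serv     = "80 8080"                  # LAN -> Internet, HTTP (*_http)
1ext_int_serv_udp = "53 1194"                  # Internet -> gateway UDP
1ext_int_serv     = "22 443 1194"              # Internet -> gateway TCP
2ext_int_serv     = "21"
3ext_int_serv     = "80"
1int_int_serv_udp = "53 123"                   # LAN -> gateway UDP
# 3128 (Squid) and 8021 (ftp-proxy) must be in the LAN -> gateway list, since
# the rdr'ed sessions are filtered with their translated destination.
1int_int_serv     = "22 53 110 143 3128 8021"
2int_int_serv     = "21"
3int_int_serv     = "80"

# ---- Tables (persist: survive reloads; the files must exist at load time;
# fill or change them at run time with "pfctl -t <name> -T add|replace") ----
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <white-list>    persist file "/etc/pf/white-list"     # LAN hosts exempt from Squid and <block-list>
table <block-list>    persist file "/etc/pf/block-list"     # destinations forbidden to non-whitelisted hosts
table <block-list-in> persist file "/etc/pf/block-list-in"  # LAN hosts with no Internet access
table <nosquid-list>  persist file "/etc/pf/nosquid-list"   # destinations that bypass Squid
table <spamd>         persist      # spamd blacklist, filled by spamd-setup(8)
table <spamd-white>   persist      # senders that passed greylisting, filled by spamd(8)
table <spamd-whitelist> persist    # second whitelist name used by the fragment; merge into <spamd-white> if it is not a separate list

# ---- Queueing: the traffic-limiting part. Queues shape only packets leaving
# an interface, so eif_* limit uploads on each uplink and iif_* limit what is
# delivered to the LAN. Exactly one queue per interface must be the default.
# Bandwidth figures are the uplink rates, not the NIC speed: with the NIC
# speed the queues never fill and nothing is limited.
# (FreeBSD kernel needs options ALTQ and ALTQ_CBQ.) ----
altq on $ext_if_a cbq bandwidth 8Mb queue { eif_a_sound, eif_a_smtp, eif_a_ftp, eif_a_http }
queue eif_a_sound bandwidth 20% priority 7 cbq(borrow)          # VoIP/interactive first
queue eif_a_smtp  bandwidth 10% priority 3 cbq(borrow)
queue eif_a_ftp   bandwidth 20% priority 1 cbq(borrow)          # bulk last
queue eif_a_http  bandwidth 50% priority 4 cbq(borrow default)

altq on $ext_if_b cbq bandwidth 4Mb queue { eif_b_sound, eif_b_smtp, eif_b_ftp, eif_b_http }
queue eif_b_sound bandwidth 20% priority 7 cbq(borrow)
queue eif_b_smtp  bandwidth 10% priority 3 cbq(borrow)
queue eif_b_ftp   bandwidth 20% priority 1 cbq(borrow)
queue eif_b_http  bandwidth 50% priority 4 cbq(borrow default)

# Combined downstream of both uplinks, so downloads to the LAN actually contend.
altq on $int_if cbq bandwidth 12Mb queue { iif_sound, iif_ftp, iif_http }
queue iif_sound bandwidth 20% priority 7 cbq(borrow)
queue iif_ftp   bandwidth 30% priority 1 cbq(borrow)
queue iif_http  bandwidth 50% priority 4 cbq(borrow default)

# The nat/rdr rules of the post follow here, then the filter rules.
```

Check it with `pfctl -nvf /etc/pf.conf` before loading: `-n` only parses, and `-v` prints every rule after macro and list expansion, which is the quickest way to see what `port { $ftp_ext_ports }` or `from $ext_if_a` really turned into. After loading, `pfctl -vsq` shows the queues with byte and drop counters, and a test connection from each uplink followed by `pfctl -vvss` (state entries carry the number of the rule that created them; `pfctl -vsr` maps numbers to rules) confirms that an inbound session was created by one of the `tagged EXT_IF_A/EXT_IF_B` reply-to rules rather than by a generic pass rule.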

 

Created 1996-2024 by Maxim Chirkov