Прочитал статью о PF. Решил попробовать и обломался.Вроде делаю все как написано в faq openbsd.org и ничо не натится ...
rl0:192.168.60.57/29 - внутренний интерфейс
ep0:10.20.30.107/24 - внешний интерфейс/etc/pf.conf :
WAN_INTERFACE = "ep0"
LAN_INTERFACE = "rl0"pass all
pass in on $LAN_INTERFACE from $LAN_NET to any
pass out on $LAN_INTERFACE from any to $LAN_NETpass out on $WAN_INTERFACE from any to $WAN_NET
pass out on $WAN_INTERFACE from any to $WAN_NETnat on ep0 from 192.168.60.56/29 to any -> 10.20.30.107
и ничего не робит ...
ядро пересобрал с опциями pf (FreeBSD 6.1-RELEASE-p10 #0):
device pf
device pflog
device pfsync
options ALTQможет кто чего подскажет ? уж очень хочется поюзать pf в будущем :-)
Мне так кажется, вот это правило должно первым идти...>nat on ep0 from 192.168.60.56/29 to any -> 10.20.30.107
Порядок ВАЖЕН
>Мне так кажется, вот это правило должно первым идти...
>
>>nat on ep0 from 192.168.60.56/29 to any -> 10.20.30.107
>
>Порядок ВАЖЕНбольшое спасибо. помогло ! (*___*)
И блин... pass all с отвутствием заперщающих правил... пропускает ВСЕ!!!
Original s OBSD 4.0
# cat /etc/pf.conf# $RuOBSD: pf.conf,v 1.10 2006/04/22 16:38:09 form Exp $
# izmeneno i adaptirovano dla gards.lv
# A. Vinogradov aka slepnoga 4.01.2007
# gentoo@tau.lv
# Primer nastrojki PF dlya marshrutizatora s translyaciej adresov
# zavoracivaem ves www na squid+sarg po prosbe rukovodstava
# firmi dla otceta po sotrudnikam :)
# advanser uzeram zarezem www mimo proxy
# snaruzi dostupno tolko smtp i ssh
# politika icmp zavisit ot nastroenija :)
# WAN LAN
# | +------------+
# | | |
# +-rl0----fxp0+ +----------------+
# | | | 10.10.10.0\24 |
# +------------+ +----------------+# Vneshnij i vnutrennij interfejsy.
#
ext_if = "rl0"
int_if = "fxp0"
lo = "lo0"
squid = "3128"
# TCP/UDP servisy, obsluzhivaemye marshrutizatorom.
#
tcp_svc = " ssh smtp www pop3 "
udp_svc = "domain"# TCP servisy, obsluzhivaemye vnutrennim serverom.
#
#tcp_rdr = "3389"
#host_rdr = "10.10.10.2"
# Tablicy chernogo i belogo spiskov dlya spamd.
#
#table <spamd> persist
#table <spamd-white> persist
#3333333333333333333333333333333333333333333
set fingerprints "/etc/pf.os"
set loginterface $ext_if
set debug urgent
set block-policy drop
set skip on lo0
# Vypolnit' normalizaciyu vseh paketov.
scrub in on ! $lo all fragment reassemble
# Translirovat' vnutrennie adresa v (osnovnoj) adres vneshnego interfejsa.
#
#nat on $int_if inet proto tcp to port www -> $int_if
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# Podklyuchit' nat/rdr pravila, sozdavaemye ftp-proxy (dlya OpenBSD 3.9 i novee).
#
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# rdr pass
# Propustit' FTP cherez transparent proxy.
#
rdr on $int_if proto tcp to !(self) port ftp -> 127.0.0.1 port 8021
# Perenapravit' adresa iz chernogo spiska v spamd.
#
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
# -> 127.0.0.1 port spamd
# Perenapravit' adresa, ne vhodyashchie v belyj spisok v spamd (ispol'zuetsya
# v rezhime greylist.
#
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
# -> 127.0.0.1 port spamd
# Pereadresovat' TCP servisy, obsluzhivaemye vnutrennim serverom.
#
#rdr pass on $ext_if proto tcp to port { $tcp_rdr } -> $host_rdr
#pereadresacija na proxy-server squid iz vn. setii
rdr on $int_if inet proto tcp to port www -> 127.0.0.1 port $squid
# Zashchita ot IP spoofing.
#
pass quick on { lo $int_if }
antispoof log quick for $ext_if
# Podklyuchit' pravila, sozdavaemye ftp-proxy (dlya OpenBSD 3.9 i novee).
#
anchor "ftp-proxy/*"
# Po umolchaniyu blokirovat' vse na vneshnem interfejse. Dlya TCP soedinenij
# vozvrashchat "molca glushim"
#
block on $ext_if
# blkiruem skan NMAPom :)
block in quick from any os NMAP
# Razreshit' ishodyashchie ICMP ping pakety, lyuboj UDP trafik i TCP soedineniya.
#
pass out on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
pass out on $ext_if proto udp keep state
pass out on $ext_if proto tcp flags S/SA keep state
# Razreshit' vhodyashchie ICMP ping pakety, obsluzhivaemye UDP i TCP servisy.
#
pass in on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
#pass in on $ext_if proto udp to port { $udp_svc } keep state
pass in on $ext_if proto tcp to port { $tcp_svc } flags S/SA synproxy state
anchor "ftp-proxy/*"
# Razreshit' vhodyashchie TCP soedineniya dlya FTP proxy.
pass in on $ext_if proto tcp to port > 49151 flags S/SA user proxy keep state
# nano /etc/pf.conf
# cat /etc/pf.conf# $RuOBSD: pf.conf,v 1.10 2006/04/22 16:38:09 form Exp $
# izmeneno i adaptirovano dla gards
# A.Vinogradov aka slepnoga 01.2007
#
# Primer nastrojki PF dlya marshrutizatora s translyaciej adresov
# zavoracivaem ves www na squid+sarg po prosbe rukovodstava
# firmi dla otceta po sotrudnikam :)
# advanser uzeram zarezem www mimo proxy
# snaruzi dostupno tolko smtp i ssh
# politika icmp zavisit ot nastroenija :)
# WAN LAN
# | +------------+
# | | |
# +-rl0----fxp0+ +----------------+
# | | | 10.10.10.0\24 |
# +------------+ +----------------+# Vneshnij i vnutrennij interfejsy.
#
ext_if = "rl0"
int_if = "fxp0"
lo = "lo0"
squid = "3128"
# TCP/UDP servisy, obsluzhivaemye marshrutizatorom.
#
tcp_svc = " ssh smtp www pop3 "
udp_svc = "domain"# TCP servisy, obsluzhivaemye vnutrennim serverom.
#
#tcp_rdr = "3389"
#host_rdr = "10.10.10.2"
# Tablicy chernogo i belogo spiskov dlya spamd.
#
#table <spamd> persist
#table <spamd-white> persist
#3333333333333333333333333333333333333333333
set fingerprints "/etc/pf.os"
set loginterface $ext_if
set debug urgent
set block-policy drop
set skip on lo0
# Vypolnit' normalizaciyu vseh paketov.
scrub in on ! $lo all fragment reassemble
# Translirovat' vnutrennie adresa v (osnovnoj) adres vneshnego interfejsa.
#
#nat on $int_if inet proto tcp to port www -> $int_if
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# Podklyuchit' nat/rdr pravila, sozdavaemye ftp-proxy (dlya OpenBSD 3.9 i novee).
#
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# rdr pass
# Propustit' FTP cherez transparent proxy.
#
rdr on $int_if proto tcp to !(self) port ftp -> 127.0.0.1 port 8021
# Perenapravit' adresa iz chernogo spiska v spamd.
#
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
# -> 127.0.0.1 port spamd
# Perenapravit' adresa, ne vhodyashchie v belyj spisok v spamd (ispol'zuetsya
# v rezhime greylist.
#
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
# -> 127.0.0.1 port spamd
# Pereadresovat' TCP servisy, obsluzhivaemye vnutrennim serverom.
#
#rdr pass on $ext_if proto tcp to port { $tcp_rdr } -> $host_rdr
#pereadresacija na proxy-server squid iz vn. setii
rdr on $int_if inet proto tcp to port www -> 127.0.0.1 port $squid
# Zashchita ot IP spoofing.
#
pass quick on { lo $int_if }
antispoof log quick for $ext_if
# Podklyuchit' pravila, sozdavaemye ftp-proxy (dlya OpenBSD 3.9 i novee).
#
anchor "ftp-proxy/*"
# Po umolchaniyu blokirovat' vse na vneshnem interfejse. Dlya TCP soedinenij
# vozvrashchat "molca glushim"
#
block on $ext_if
# blkiruem skan NMAPom :)
block in quick from any os NMAP
# Razreshit' ishodyashchie ICMP ping pakety, lyuboj UDP trafik i TCP soedineniya.
#
pass out on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
pass out on $ext_if proto udp keep state
pass out on $ext_if proto tcp flags S/SA keep state
# Razreshit' vhodyashchie ICMP ping pakety, obsluzhivaemye UDP i TCP servisy.
#
pass in on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
#pass in on $ext_if proto udp to port { $udp_svc } keep state
pass in on $ext_if proto tcp to port { $tcp_svc } flags S/SA synproxy state
anchor "ftp-proxy/*"
# Razreshit' vhodyashchie TCP soedineniya dlya FTP proxy.
pass in on $ext_if proto tcp to port > 49151 flags S/SA user proxy keep state
#