A look at enabling Xunlei (迅雷) downloads through a PF firewall
Posted: 2011-03-27 8:46
Background: a question from junfengfan; see here: http://www.gobsd.org/showpost.php?p=4009
Below we test PF rules for the question above. First, the environment: an old machine (the LAN client) recently broke down, so a virtual machine stands in for the LAN Windows host. The host is Win7 and the VM is WinXP; an old box runs OpenBSD as DHCP server and firewall. The device that actually connects to the Internet is a 3600HGV router/dialer. Since it only just arrived and I am not yet familiar with it, I have not opened the relevant ports or disabled the firewall on it (other machines at home also connect to it over wireless).
3600HGV -> OpenBSD gateway -> Win7 client (the host, with a bridged WinXP VM inside)
OpenBSD gateway LAN-side IP address: 192.168.81.1
Win7 host: 192.168.81.32
WinXP bridged VM: 192.168.81.47
To test Xunlei downloading in a p2p setting I picked an eMule resource; if you are downloading BT or other p2p resources the reasoning is much the same.
Below is the original pf config file, which only acts as a plain gateway.
Even without adding any special rules, actively initiated connections already got decent speed thanks to the existing nat-to rules.
Code:
# cat /etc/gobsd.org
# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if = "dc0"
mycomputer = "re1"
switch = "re0"
set skip on lo
# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
# anchor for relayd(8)
#anchor "relayd/*"
pass # to establish keep-state
# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
# rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp
#block in quick from urpf-failed to any # use with care
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
block in on $ext_if inet proto { tcp udp icmp} from any to any
pass in quick on $mycomputer inet proto tcp to $mycomputer port 22 keep state
pass out on $ext_if from $mycomputer:network to any nat-to ($ext_if)
pass out on $ext_if from $switch:network to any nat-to ($ext_if)
At first the download speed was OK but unstable; at times it dropped instantly to under 10KB/s. So I added log to the relevant rules in the gobsd.org file for packet capture, and running tcpdump showed the following:
Code:
# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
Mar 26 17:59:06.736735 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 41
Mar 26 17:59:11.144104 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 17:59:12.400620 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 17:59:12.463856 rule 3/(match) block in on dc0: 118.165.100.142.4176 > 192.168.1.74.64229: udp 26
Mar 26 17:59:17.096911 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 17:59:17.240350 rule 3/(match) block in on dc0: 118.165.100.142.4176 > 192.168.1.74.64229: udp 26
Mar 26 17:59:22.010636 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 17:59:22.242051 rule 3/(match) block in on dc0: 91.65.85.223.61003 > 192.168.1.74.50534: udp 119
Mar 26 17:59:22.316241 rule 3/(match) block in on dc0: 118.165.100.142.4176 > 192.168.1.74.64229: udp 26
Mar 26 17:59:27.034168 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 17:59:27.253105 rule 3/(match) block in on dc0: 118.165.100.142.4176 > 192.168.1.74.64229: udp 26
Mar 26 17:59:32.057448 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 17:59:32.320902 rule 3/(match) block in on dc0: 118.165.100.142.4176 > 192.168.1.74.64229: udp 26
Mar 26 17:59:35.285357 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 17:59:36.456102 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 17:59:37.079763 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 17:59:37.286499 rule 3/(match) block in on dc0: 118.165.100.142.4176 > 192.168.1.74.64229: udp 26
Mar 26 17:59:40.737654 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 17:59:42.102898 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 17:59:44.037824 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 17:59:45.805256 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 17:59:47.017722 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 17:59:50.725765 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 17:59:52.040265 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 17:59:52.274240 rule 3/(match) block in on dc0: 118.165.100.142.4176 > 192.168.1.74.64229: udp 26
Mar 26 17:59:55.720421 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 18:00:00.709493 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
.
.
.
.
.
.
Mar 26 18:03:43.887496 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:03:48.280818 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:03:49.561807 rule 3/(match) block in on dc0: 2.38.169.201.7565 > 192.168.1.74.64229: udp 26
Mar 26 18:03:59.463451 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:04:12.541257 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:04:29.102048 rule 3/(match) block in on dc0: 125.71.217.149.24359 > 192.168.1.74.64229: udp 26
Mar 26 18:04:34.102577 rule 3/(match) block in on dc0: 125.71.217.149.24359 > 192.168.1.74.64229: udp 26
Mar 26 18:04:39.101905 rule 3/(match) block in on dc0: 125.71.217.149.24359 > 192.168.1.74.64229: udp 26
Mar 26 18:04:45.663937 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:04:59.100749 rule 3/(match) block in on dc0: 125.71.217.149.24359 > 192.168.1.74.64229: udp 26
Mar 26 18:05:01.194702 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:05:05.367375 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:05:09.805403 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 41
Mar 26 18:05:14.193003 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 41
Mar 26 18:05:24.098633 rule 3/(match) block in on dc0: 125.71.217.149.24359 > 192.168.1.74.64229: udp 26
Mar 26 18:06:00.092743 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 41
Mar 26 18:06:11.168876 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 41
Mar 26 18:06:19.993121 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:06:24.359694 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:06:33.134669 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:06:40.109967 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:06:44.519291 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:06:53.107511 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:07:01.971455 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:07:17.490965 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:07:21.803832 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:07:46.733804 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 41
Mar 26 18:07:50.864383 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:08:19.132252 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:08:56.772763 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:09:05.613748 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:09:18.814085 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:09:25.579973 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:09:29.998434 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 41
Mar 26 18:09:42.873245 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:09:58.427984 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:10:11.814775 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:10:20.409707 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:10:26.583680 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.62178: udp 26
Mar 26 18:10:30.822433 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.62178: udp 26 (DF)
Mar 26 18:10:35.155542 rule 3/(match) block in on dc0: 109.67.193.86.28809 > 192.168.1.74.56258: udp 28
Mar 26 18:10:35.867541 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.62178: udp 26 (DF)
Mar 26 18:10:40.954866 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.62178: udp 26 (DF)
Mar 26 18:10:44.865986 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:10:45.823884 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.62178: udp 26 (DF)
Mar 26 18:10:50.830575 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.62178: udp 26 (DF)
Mar 26 18:10:55.902825 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.62178: udp 26 (DF)
Mar 26 18:10:57.654059 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:11:00.831683 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.62178: udp 26 (DF)
Mar 26 18:11:03.735879 rule 3/(match) block in on dc0: 119.189.1.21.8000 > 192.168.1.74.53354: udp 55 (DF)
Mar 26 18:11:03.760347 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:11:05.865497 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.62178: udp 26 (DF)
Mar 26 18:11:08.641720 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:11:09.626884 rule 3/(match) block in on dc0: 1.64.176.130.55189 > 192.168.1.74.62571: udp 28
Mar 26 18:11:16.799391 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:12:10.818882 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:12:19.161217 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 40
Mar 26 18:12:43.618040 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:12:45.258620 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.61939: udp 26
Mar 26 18:12:45.937951 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.61939: udp 26 (DF)
Mar 26 18:12:47.885680 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 41
Mar 26 18:12:50.847064 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.61939: udp 26 (DF)
Mar 26 18:12:52.288572 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:12:55.847433 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.61939: udp 26 (DF)
Mar 26 18:13:01.182073 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.61939: udp 26 (DF)
Mar 26 18:13:05.886894 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.61939: udp 26 (DF)
Mar 26 18:13:11.001165 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.61939: udp 26 (DF)
Mar 26 18:13:15.732197 rule 3/(match) block in on dc0: 119.189.1.21.8000 > 192.168.1.74.53354: udp 54 (DF)
Mar 26 18:13:15.847530 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.61939: udp 26 (DF)
Mar 26 18:13:16.007535 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:13:20.894883 rule 3/(match) block in on dc0: 175.145.46.50.5155 > 192.168.1.74.61939: udp 26 (DF)
Mar 26 18:13:38.132900 rule 3/(match) block in on dc0: 183.37.170.16.6269 > 192.168.1.74.64229: udp 26
Mar 26 18:13:38.262794 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:13:42.967395 rule 3/(match) block in on dc0: 183.37.170.16.6269 > 192.168.1.74.64229: udp 26
Mar 26 18:13:49.221728 rule 3/(match) block in on dc0: 119.189.1.21.8000 > 192.168.1.74.53354: udp 56 (DF)
Mar 26 18:14:07.091854 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 43
Mar 26 18:14:15.602062 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 42
Mar 26 18:14:17.357618 rule 3/(match) block in on dc0: 91.65.85.223.61003 > 192.168.1.74.50429: udp 119
Mar 26 18:14:18.517021 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:14:21.994464 rule 3/(match) block in on dc0: 124.165.250.126.49706 > 192.168.1.74.57790: udp 42
Mar 26 18:14:23.033564 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:14:28.055921 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:14:33.079217 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:14:37.993062 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:14:43.016395 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:14:43.839917 rule 3/(match) block in on dc0: 124.165.250.126.49706 > 192.168.1.74.57790: udp 43
Mar 26 18:14:48.039000 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:14:53.062096 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:14:58.085201 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:15:03.856005 rule 3/(match) block in on dc0: 124.165.250.126.49706 > 192.168.1.74.57790: udp 41
Mar 26 18:15:13.056040 rule 3/(match) block in on dc0: 124.165.250.126.49706 > 192.168.1.74.57790: udp 40
Mar 26 18:15:17.306345 rule 3/(match) block in on dc0: 124.165.250.126.49706 > 192.168.1.74.57790: udp 40
Mar 26 18:16:42.041810 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:16:45.870458 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 18:16:47.072638 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:16:50.727505 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 18:16:52.087454 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:16:55.865571 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 18:16:57.005311 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:17:00.844683 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 18:17:02.024884 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:17:05.851955 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 18:17:07.047506 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:17:10.787399 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 18:17:12.071068 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:17:15.824206 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 18:17:16.984427 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:17:20.824510 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 18:17:25.766114 rule 3/(match) block in on dc0: 202.108.18.136.7564 > 192.168.1.74.64229: udp 26
Mar 26 18:18:00.219433 rule 3/(match) block in on dc0: 1.85.192.208.45058 > 192.168.1.74.63584: udp 28
I looked at Xunlei's settings
and found that the blocked packets were all to UDP ports above 50000. I originally wanted to do a matching port translation (21500, 23801), but found that it did not work.
In the end I added this rule:
Code:
pass in quick log on $ext_if proto udp from any to any port 50000:65535 \
rdr-to 192.168.81.47
Running tcpdump again, the packets that were blocked before were basically all getting through.
Code:
# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
Mar 26 18:49:11.122695 rule 8/(match) pass in on dc0: 125.71.217.149.24359 > 192.168.1.74.51685: udp 26
Mar 26 18:49:41.838780 rule 8/(match) pass in on dc0: 207.216.161.88.1042 > 192.168.1.74.51685: udp 26
Mar 26 18:49:42.663015 rule 8/(match) pass in on dc0: 91.65.85.223.61003 > 192.168.1.74.62033: udp 119
Mar 26 18:50:41.193706 rule 8/(match) pass in on dc0: 125.71.217.149.24359 > 192.168.1.74.51685: udp 26
Mar 26 18:52:00.203363 rule 8/(match) pass in on dc0: 207.216.161.88.1042 > 192.168.1.74.51685: udp 26
Mar 26 18:53:09.299757 rule 8/(match) pass in on dc0: 41.82.76.59.30864 > 192.168.1.74.63450: udp 35
Mar 26 18:53:52.713888 rule 8/(match) pass in on dc0: 124.11.209.115.7562 > 192.168.1.74.51685: udp 26
Mar 26 18:55:19.660822 rule 8/(match) pass in on dc0: 202.108.18.136.7564 > 192.168.1.74.51685: udp 26
Mar 26 18:55:27.700245 rule 2/(match) block in on dc0: 183.37.170.16.6259 > 192.168.1.74.58044: R 0:0(0) ack 927491558 win 0
Mar 26 18:57:00.016674 rule 8/(match) pass in on dc0: 219.137.226.52.65315 > 192.168.1.74.51685: udp 26
Mar 26 18:57:08.691835 rule 8/(match) pass in on dc0: 41.82.76.59.30864 > 192.168.1.74.63450: udp 28
Mar 26 18:57:22.979846 rule 8/(match) pass in on dc0: 202.108.18.136.7564 > 192.168.1.74.51685: udp 26
Mar 26 18:59:16.463122 rule 8/(match) pass in on dc0: 124.11.209.115.7562 > 192.168.1.74.51685: udp 26
Mar 26 19:00:36.850430 rule 8/(match) pass in on dc0: 114.41.126.238.8691 > 192.168.1.74.51685: udp 26
Mar 26 19:02:53.001161 rule 8/(match) pass in on dc0: 183.37.170.16.6269 > 192.168.1.74.63716: udp 26
Mar 26 19:03:04.908716 rule 2/(match) block in on dc0: 77.209.136.161.5000 > 192.168.1.74.61839: R 0:0(0) ack 913780808 win 0 [tos 0xa0]
Mar 26 19:04:40.998850 rule 8/(match) pass in on dc0: 91.65.85.223.61003 > 192.168.1.74.60850: udp 119
Mar 26 19:04:42.191545 rule 8/(match) pass in on dc0: 202.108.18.136.7564 > 192.168.1.74.63716: udp 26
Mar 26 19:05:18.717809 rule 8/(match) pass in on dc0: 175.145.46.50.5155 > 192.168.1.74.63716: udp 26
Mar 26 19:06:28.456909 rule 8/(match) pass in on dc0: 118.165.100.142.4176 > 192.168.1.74.63716: udp 26
Mar 26 19:06:32.589352 rule 8/(match) pass in on dc0: 218.10.68.187.17368 > 192.168.1.74.63716: udp 26
Mar 26 19:06:40.576794 rule 8/(match) pass in on dc0: 207.216.161.88.1042 > 192.168.1.74.63716: udp 26
Mar 26 19:06:57.347719 rule 8/(match) pass in on dc0: 218.160.250.217.7564 > 192.168.1.74.63716: udp 26
Mar 26 19:07:00.521555 rule 8/(match) pass in on dc0: 202.108.18.136.7564 > 192.168.1.74.63716: udp 26
Mar 26 19:07:36.719611 rule 8/(match) pass in on dc0: 175.145.46.50.5155 > 192.168.1.74.63716: udp 26
Mar 26 19:07:38.588825 rule 2/(match) block in on dc0: 84.232.43.239.4662 > 192.168.1.74.52197: S 2722773243:2722773243(0) ack 3151438505 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Mar 26 19:07:42.028702 rule 2/(match) block in on dc0: 84.232.43.239.4662 > 192.168.1.74.52197: S 2722773243:2722773243(0) ack 3151438505 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Mar 26 19:07:45.283192 rule 8/(match) pass in on dc0: 218.10.68.187.17368 > 192.168.1.74.63716: udp 26
Mar 26 19:07:47.883761 rule 2/(match) block in on dc0: 84.232.43.239.4662 > 192.168.1.74.52197: S 2722773243:2722773243(0) ack 3151438505 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Mar 26 19:09:03.840692 rule 8/(match) pass in on dc0: 207.216.161.88.1042 > 192.168.1.74.63716: udp 26
Mar 26 19:09:53.320433 rule 8/(match) pass in on dc0: 175.145.46.50.5155 > 192.168.1.74.63716: udp 26
Mar 26 19:10:03.840977 rule 8/(match) pass in on dc0: 218.10.68.187.17368 > 192.168.1.74.63716: udp 26 (DF)
Mar 26 19:10:54.336265 rule 8/(match) pass in on dc0: 218.10.68.187.17368 > 192.168.1.74.63716: udp 26 (DF)
Mar 26 19:11:05.119661 rule 8/(match) pass in on dc0: 118.165.100.142.4176 > 192.168.1.74.63716: udp 26
Mar 26 19:16:54.125418 rule 2/(match) block in on dc0: 77.209.136.161.5000 > 192.168.1.74.56718: R 0:0(0) ack 458638699 win 0 [tos 0xa0]
Mar 26 19:19:30.473366 rule 8/(match) pass in on dc0: 207.216.161.88.1042 > 192.168.1.74.54786: udp 26
Mar 26 19:19:32.399005 rule 8/(match) pass in on dc0: 218.10.68.187.17368 > 192.168.1.74.60983: udp 26
Mar 26 19:19:48.324432 rule 8/(match) pass in on dc0: 91.65.85.223.61003 > 192.168.1.74.62173: udp 119
Mar 26 19:20:20.663133 rule 8/(match) pass in on dc0: 202.108.18.136.7564 > 192.168.1.74.54786: udp 26
Mar 26 19:20:22.959571 rule 8/(match) pass in on dc0: 175.145.46.50.5155 > 192.168.1.74.54786: udp 26
Mar 26 19:21:48.775161 rule 8/(match) pass in on dc0: 207.216.161.88.1042 > 192.168.1.74.54786: udp 26
Mar 26 19:21:56.601663 rule 8/(match) pass in on dc0: 218.10.68.187.17368 > 192.168.1.74.60983: udp 26
Mar 26 19:22:41.288658 rule 8/(match) pass in on dc0: 175.145.46.50.5155 > 192.168.1.74.54786: udp 26
Mar 26 19:23:24.125446 rule 8/(match) pass in on dc0: 202.108.18.136.7564 > 192.168.1.74.54786: udp 26
Mar 26 19:26:23.580814 rule 8/(match) pass in on dc0: 218.10.68.187.17368 > 192.168.1.74.64246: udp 26
Mar 26 19:26:37.321861 rule 8/(match) pass in on dc0: 125.71.217.149.24359 > 192.168.1.74.50331: udp 26
The current pf rules:
Code:
# cat /etc/gobsd.org
# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if = "dc0"
mycomputer = "re1"
switch = "re0"
set skip on lo
# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
# anchor for relayd(8)
#anchor "relayd/*"
pass # to establish keep-state
# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
# rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp
#block in quick from urpf-failed to any # use with care
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
block in log on $ext_if inet proto { tcp udp icmp} from any to any
pass in quick on $mycomputer inet proto tcp to $mycomputer port 22 keep state
pass out quick on $ext_if from $mycomputer:network to any nat-to ($ext_if)
pass out quick on $ext_if from $switch:network to any nat-to ($ext_if)
# emule rules
#pass in quick log on $ext_if proto udp from any to any port 50000:65535 \
# rdr-to 192.168.81.47 port 23801
#pass in quick log on $ext_if proto udp from any to any port 50000:65535 \
# rdr-to 192.168.81.47 port 21500
pass in quick log on $ext_if proto udp from any to any port 50000:65535 \
rdr-to 192.168.81.47
#
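As an added check (example code written for this page, not from the original post): a small Python parser for the pflog tcpdump lines shown above. It reports blocked-versus-passed counts per rule, the destination port range of the blocked inbound UDP packets (the observation behind the 50000:65535 rule), and which entries a destination-port-only rdr-to rule would forward to the guest. The sample lines are copied from the captures in this post; the function and field names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of "tcpdump -n -e -ttt -i pflog0" output as it appears in this post, e.g.
#   Mar 26 17:59:06.736735 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 41
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

@dataclass(frozen=True)
class PflogEntry:
    rule: int
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "udp" or "tcp"

def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Parse one pflog line; returns None for non-packet lines such as 'tcpdump: listening ...'."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    # tcpdump prints "udp <length>" for UDP; TCP lines show flags (S, R, ...) and seq/ack instead.
    proto = "udp" if m.group("rest").startswith("udp") else "tcp"
    return PflogEntry(int(m.group("rule")), m.group("action"), m.group("dir"), m.group("ifname"),
                      m.group("src"), int(m.group("sport")),
                      m.group("dst"), int(m.group("dport")), proto)

def parse_pflog(text: str) -> List[PflogEntry]:
    return [e for e in map(parse_pflog_line, text.splitlines()) if e is not None]

def count_by_rule(entries) -> Counter:
    """How many packets each (rule number, action, protocol) accounted for."""
    return Counter((e.rule, e.action, e.proto) for e in entries)

def blocked_udp_dport_range(entries) -> Optional[Tuple[int, int]]:
    """Lowest and highest destination port among blocked inbound UDP packets."""
    ports = [e.dport for e in entries
             if e.action == "block" and e.proto == "udp" and e.direction == "in"]
    return (min(ports), max(ports)) if ports else None

def matched_by_rdr(entries, lo: int = 50000, hi: int = 65535) -> List[PflogEntry]:
    """Entries that 'pass in ... proto udp from any to any port lo:hi rdr-to <guest>' would match.
    The rule keys only on destination port, so every external source in this list gets forwarded
    to the guest; that is the exposure behind the post's advice to isolate that guest."""
    return [e for e in entries if e.direction == "in" and e.proto == "udp" and lo <= e.dport <= hi]

# Sample lines copied from the captures in this post (before and after the rdr-to rule was added).
SAMPLE_PFLOG = """\
tcpdump: listening on pflog0, link-type PFLOG
Mar 26 17:59:06.736735 rule 3/(match) block in on dc0: 124.165.250.126.45730 > 192.168.1.74.53354: udp 41
Mar 26 17:59:12.400620 rule 3/(match) block in on dc0: 207.216.161.88.1042 > 192.168.1.74.64229: udp 26
Mar 26 18:10:35.155542 rule 3/(match) block in on dc0: 109.67.193.86.28809 > 192.168.1.74.56258: udp 28
Mar 26 18:49:11.122695 rule 8/(match) pass in on dc0: 125.71.217.149.24359 > 192.168.1.74.51685: udp 26
Mar 26 18:55:27.700245 rule 2/(match) block in on dc0: 183.37.170.16.6259 > 192.168.1.74.58044: R 0:0(0) ack 927491558 win 0
Mar 26 19:07:38.588825 rule 2/(match) block in on dc0: 84.232.43.239.4662 > 192.168.1.74.52197: S 2722773243:2722773243(0) ack 3151438505 win 8192 <mss 1460,nop,nop,sackOK> (DF)
"""

if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_PFLOG)
    print("per rule:", dict(count_by_rule(entries)))
    print("blocked UDP dport range:", blocked_udp_dport_range(entries))
    print("would hit rdr-to rule:", len(matched_by_rdr(entries)), "of", len(entries))
```

Feed it a real capture with `parse_pflog(open("/path/to/pflog.txt").read())`; TCP entries (like the rule 2 blocks in the second capture) are parsed but never counted as matched by the UDP-only rule.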
The rules above include log; please remove it yourselves once you have the rules tuned.
My feeling overall is not to limit Xunlei's upload speed: let Xunlei control it itself, otherwise the download speed suffers.
Note:
The above is only for discussion. I rarely use Xunlei on my machines and am not very clear on how it works; this time I just picked a fairly large file to test with, and I did not finish downloading it, so chance cannot be ruled out. If you have better suggestions or think the rules are wrong, please do point it out. Also, if you intend to use p2p rules like these long-term, do not forget to isolate the guest OS running Xunlei from your other guest OSes.