Opening the emule, BT and italkbb ports on a PF firewall
Posted: 2010-01-21 11:25
Network setup

rl0 is connected to the external network; contents of hostname.rl0:

```
dhcp NONE NONE NONE
```

re0 is connected to the internal network; contents of hostname.re0:

```
inet 192.168.1.1 255.255.255.0 NONE
```

re1 is connected to italkBB; contents of hostname.re1:

```
inet 192.168.2.1 255.255.255.0 NONE
```

Enable OpenBSD's routing function: edit /etc/sysctl.conf and uncomment the following line:

```
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
```

Open or create the rc.conf.local file and add the following two lines:

```
dhcpd_flags="re1,re0"
ftpproxy_flags=""
```

The second line is there to proxy FTP clients on the internal network.
dhcpd.conf

```
# $OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network: 192.168.1.0/255.255.255.0
# Domain name: my.domain
# Name servers: 192.168.1.3 and 192.168.1.5
# Default router: 192.168.1.1
# Addresses: 192.168.1.32 - 192.168.1.127
#
option domain-name "my.domain";
option domain-name-servers 68.94.156.1, 68.94.157.1;

# internal network (re0)
subnet 192.168.1.0 netmask 255.255.255.0 {
	option routers 192.168.1.1;
	range 192.168.1.34 192.168.1.127;

	host static-client {
		hardware ethernet 22:33:44:55:66:77;
		fixed-address 192.168.1.200;
	}

	host pxe-client {
		hardware ethernet 02:03:04:05:06:07;
		filename "pxeboot";
		next-server 192.168.1.1;
	}
}

# italkBB network (re1)
subnet 192.168.2.0 netmask 255.255.255.0 {
	option routers 192.168.2.1;
	range 192.168.2.32 192.168.2.127;

	host static-client {
		hardware ethernet 22:33:44:55:66:77;
		fixed-address 192.168.2.200;
	}

	host pxe-client {
		hardware ethernet 02:03:04:05:06:07;
		filename "pxeboot";
		next-server 192.168.2.1;
	}
}
```
PF rules

```
# macros
ext_if="rl0"
int_if="re0"
italkbb="re1"
emule_port="{7777,12345}"
italkbb_ports="{5060,6802,16384:16482}"
wrouter="192.168.1.34"
italkbbphone="192.168.2.32"
table <bruteforce> persist

# options
set block-policy drop
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
    port 8021
rdr pass on egress proto {tcp,udp} to port $emule_port -> $wrouter
rdr pass on egress proto udp to port 4665 -> $wrouter
rdr pass on egress proto {tcp,udp} to port $italkbb_ports -> $italkbbphone
nat on egress from $wrouter to any -> (egress)
nat on egress from $italkbbphone to any -> (egress)

# filter
block in
block quick from $italkbb:network to $int_if:network
block quick from $int_if:network to $italkbb:network
pass out quick keep state
block quick from <bruteforce>
anchor "ftp-proxy/*"
antispoof quick for {lo $int_if $italkbb}
pass quick proto {tcp,udp} from any to any port ssh \
    keep state (max-src-conn 100, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
pass in quick on $ext_if proto {tcp,udp} to ($ext_if) port $emule_port
pass in quick on $ext_if proto udp to ($ext_if) port 4665
pass in quick on $ext_if proto {tcp,udp} to ($ext_if) port $italkbb_ports
pass in quick on $int_if
pass in quick on $italkbb
```
Notes

UDP and TCP port 7777 are used by emule; emule also needs UDP port 4665 opened.
UDP and TCP port 12345 are used by BT.
italkBB uses the ports {5060,6802,16384:16482}.
The italkbb network segment is blocked here from communicating with the internal network.

@gobsd.org
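A small helper script for checking the ruleset above before loading it and for inspecting the <bruteforce> overload table. It is an added example, not part of the original post; it assumes the ruleset is installed as /etc/pf.conf on the OpenBSD router and that pfctl(8) is available when the load, show or expire actions are used.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the ruleset above is
# installed as /etc/pf.conf on the OpenBSD router and that pfctl(8) is
# available when the load/show/expire actions are used.
PF_CONF=${PF_CONF:-/etc/pf.conf}

# Expand a pf.conf port list such as "{5060,6802,16384:16482}" into one
# numeric port per line ("lo:hi" is the range form used in the ruleset).
expand_ports() {
    spec=$(printf '%s' "$1" | tr -d '{} ')
    for item in $(printf '%s' "$spec" | tr ',' ' '); do
        case $item in
            *:*) i=${item%%:*}
                 while [ "$i" -le "${item##*:}" ]; do
                     echo "$i"; i=$((i + 1))
                 done ;;
            *)   echo "$item" ;;
        esac
    done
}

# Number of individual ports a list opens; the italkBB list forwards 101
# ports to a single phone, which is worth knowing before loading it.
count_ports() { expand_ports "$1" | wc -l | tr -d ' '; }

# Parse the ruleset first (-n) so a typo cannot leave the router with no
# rules loaded; load it (-f) only if the parse succeeds.
check_and_load() {
    pfctl -nf "$PF_CONF" || return 1
    pfctl -f "$PF_CONF"
}

# Show the translation rules, the filter rules and the addresses currently
# held in the <bruteforce> overload table.
show_state() {
    pfctl -s nat
    pfctl -s rules
    pfctl -t bruteforce -T show
}

# Drop <bruteforce> entries older than a day; the ruleset never expires them.
expire_bruteforce() { pfctl -t bruteforce -T expire 86400; }

case ${1:-} in
    load)   check_and_load ;;
    show)   show_state ;;
    expire) expire_bruteforce ;;
esac
```

Because the table is declared persist and no rule ever removes entries, running the expire action periodically (for example from cron) keeps addresses that tripped the ssh rate limit from being blocked forever.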