Linux Tutorial: Using PF to Implement Multiple Routing Tables

Before FreeBSD 7.1, the way to get the same behaviour as iproute2 on Linux, namely that reply traffic goes back out through the interface it arrived on, was to use PF. The method is as follows:

1. rc.conf: configure two IP addresses and one default route (note that this default route only governs route selection for connections that this machine itself initiates to the outside; inbound connections are answered through PF's reply-to, below).

2. pf.conf:
# Macros (pf.conf requires straight double quotes; the curly quotes in the
# original would not parse)
tel_if  = "em0"            # first uplink
cnc_if  = "em1"            # second uplink
loop_if = "lo0"

gw_tel  = "121.33.xx.xx"   # next hop on $tel_if (redacted in the original)
gw_cnc  = "210.21.yy.yy"   # next hop on $cnc_if (redacted in the original)

# The table referenced below must exist or pfctl refuses to load the ruleset;
# it is declared empty here and populated at runtime with
#   pfctl -t block_ip_always -T add <address>
table <block_ip_always> persist

set optimization aggressive
#set timeout { interval 10, frag 30 }
set timeout { tcp.first 30, tcp.opening 5, tcp.established 1800 }
#set timeout { tcp.closing 60, tcp.finwait 30, tcp.closed 30 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }

scrub in all

# Addresses that are always blocked on both external interfaces
block in quick on {$tel_if, $cnc_if} from <block_ip_always> to any
block all

pass quick on $loop_if all

#############################
# $tel_if
#############################
# Drop packets with illegal TCP flag combinations
block in quick on $tel_if proto tcp all flags SF/SFRA
block in quick on $tel_if proto tcp all flags SFUP/SFRAU
block in quick on $tel_if proto tcp all flags FPU/SFRAUP
block in quick on $tel_if proto tcp all flags /SFRA
block in quick on $tel_if proto tcp all flags F/SFRA
block in quick on $tel_if proto tcp all flags U/SFRAU

# SSH, HTTP, HTTPS, SMTP, POP3, IMAP, FTP from the interface's own network;
# no reply-to is needed, these hosts are directly reachable on $tel_if
pass in quick on $tel_if proto tcp from $tel_if:network to any port {22,80,443,25,110,143} keep state
pass in quick on $tel_if proto tcp from $tel_if:network to any port {21,49152:65535} keep state

# Everyone else: reply-to forces the replies of each state back out $tel_if
# via $gw_tel instead of following the default route
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto tcp from any to any port {22,25,110,143,80,443} keep state
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto tcp from any to any port {21,49152:65535} keep state
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto {tcp,udp} from any to any port 53 keep state
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto icmp from any to any icmp-type 8 code 0 keep state

pass out quick on $tel_if all keep state

############################
# $cnc_if
############################
block in quick on $cnc_if proto tcp all flags SF/SFRA
block in quick on $cnc_if proto tcp all flags SFUP/SFRAU
block in quick on $cnc_if proto tcp all flags FPU/SFRAUP
block in quick on $cnc_if proto tcp all flags /SFRA
block in quick on $cnc_if proto tcp all flags F/SFRA
block in quick on $cnc_if proto tcp all flags U/SFRAU

# Same services, replies pinned to $cnc_if via $gw_cnc
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto tcp from any to any port {22,25,110,143,80,443} keep state
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto tcp from any to any port {21,49152:65535} keep state
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto {tcp,udp} from any to any port 53 keep state
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto icmp from any to any icmp-type 8 code 0 keep state

pass out quick on $cnc_if all keep state
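As an added check that is not part of the original post: a small Python linter that reads the pf.conf macros and reports every "pass in" rule on a multi-homed interface that either lacks a reply-to clause or points it at a different interface or gateway, which is exactly the mistake that makes replies leave via the default route. The interface and gateway values in the sample are constructed placeholders, not the post's addresses.

```python
import re

# Constructed sample in the style of the post's pf.conf (not the post's own
# ruleset); the gateway addresses are placeholders chosen for this example.
SAMPLE_PF_CONF = """
tel_if = "em0"
cnc_if = "em1"
gw_tel = "121.33.0.1"
gw_cnc = "210.21.0.1"
pass in quick on $tel_if reply-to ($tel_if $gw_tel) proto tcp from any to any port 22 keep state
pass in quick on $cnc_if reply-to ($cnc_if $gw_cnc) proto tcp from any to any port 22 keep state
pass in quick on $cnc_if proto tcp from any to any port 80 keep state
pass in quick on $tel_if reply-to ($cnc_if $gw_cnc) proto udp from any to any port 53 keep state
pass out quick on $tel_if all keep state
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')

def parse_macros(conf_text):
    """Collect simple  name = "value"  macro definitions."""
    return {m.group(1): m.group(2)
            for m in (MACRO_RE.match(l) for l in conf_text.splitlines()) if m}

def expand(token, macros):
    """Replace $name with the macro's value; other tokens pass through."""
    return macros.get(token[1:], token) if token.startswith("$") else token

def lint_reply_to(conf_text, gateways):
    """Return [(line_number, message)] for every 'pass in' rule on an interface in
    gateways (iface -> next hop) whose reply-to is missing or names the wrong pair."""
    macros = parse_macros(conf_text)
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()       # drop trailing comments
        if tokens[:2] != ["pass", "in"] or "on" not in tokens:
            continue                                  # only inbound pass rules
        iface = expand(tokens[tokens.index("on") + 1], macros)
        if iface.startswith("{") or iface not in gateways:
            continue                                  # lists like {a, b} not handled
        if "reply-to" not in tokens:
            findings.append((lineno, f"{iface}: no reply-to, replies follow the default route"))
            continue
        i = tokens.index("reply-to")                  # reply-to ($if $gw) spans 3 tokens
        rt_if = expand(tokens[i + 1].lstrip("("), macros)
        rt_gw = expand(tokens[i + 2].rstrip(")"), macros)
        if (rt_if, rt_gw) != (iface, gateways[iface]):
            findings.append((lineno, f"{iface}: reply-to ({rt_if} {rt_gw}) should be ({iface} {gateways[iface]})"))
    return findings
```

Run it against a real ruleset with `lint_reply_to(open("/etc/pf.conf").read(), {"em0": gw_tel, "em1": gw_cnc})` before `pfctl -f`; on the sample it flags the rule without reply-to and the one whose reply-to names the other uplink.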
