Anchor-related question about the pf firewall on FreeBSD [Solved]

User contribution  989  2022-09-25

congli

Tested successfully. It turns out nat-anchor and rdr-anchor are used just like an ordinary anchor; only the position where they can be used is restricted, which is what I thought all along. I just couldn't get it to work before, but when I tried today, everything was OK.

I'll roughly record the experiment here; anyone who has read up on PF should understand it at a glance.

Going back to the first post, I compared the rule I had written earlier:

echo "pass in on xl0 inet proto tcp from any to 192.168.0.23 "|pfctl -a "myanchor/new_rules" -f

The difference is myanchor/new_rules ==>> myanchor:new_rules; replacing the / with a : makes it work.

A brief note, using rdr-anchor as the example

Set up a rdr-anchor relayd/*

Add a rule:

sudo sh -c 'echo "rdr on xl0 inet proto tcp from any to any port 80 -> 192.168.0.115 port 8080"|pfctl -a relayd:web -f -'

Show all anchors:

$ sudo pfctl -sA

goodguys

myanchor

nat_anchor

relayd

relayd:web <<--------- the newly added web port forward

View the relayd:web rule that was just added:

$ sudo pfctl -a "relayd:web" -sn

rdr on xl0 inet proto tcp from any to any port = -> 192.168.0.115 port 8080

Flush the relayd:web rules:

[bsd@bsd ] $ sudo pfctl -a "relayd:web" -F nat

nat cleared <<--- reports that the flush succeeded

Check whether it was flushed:

[bsd@bsd ] $ sudo pfctl -sA

goodguys

myanchor

nat_anchor

relayd

=================================================

Set up nat-anchor nat_anchor/*

sudo sh -c 'echo "nat on xl0 from 192.168.0.23   to any -> xl0 "|pfctl -a nat_anchor:tt -f -'

sudo pfctl -sA

goodguys

myanchor

nat_anchor

nat_anchor:tt

relayd

$ sudo pfctl -a "nat_anchor:tt" -sn

nat on xl0 inet from 192.168.0.23 to any -> { 192.168.1.222, 192.168.1.112, 192.168.1.113, 192.168.1.114, 192.168.1.115 } round-robin

[bsd@bsd ~] $ sudo pfctl -a "nat_anchor:tt" -F n

nat cleared

[bsd@bsd ~] $ sudo pfctl -a "nat_anchor:tt" -sn

pfctl: DIOCGETRULES: Invalid argument

[bsd@bsd ~] $ sudo pfctl -sA

goodguys

myanchor

nat_anchor

relayd

===============================================

Set up anchor myanchor

$ sudo sh -c 'echo "pass in quick on xl0 from any to any "|pfctl -a myanchor:tt -f -'

$ sudo pfctl -sA

goodguys

myanchor

myanchor:tt

nat_anchor

relayd

$ sudo pfctl -a "myanchor:tt" -sr

pass in quick on xl0 all flags S/SA keep state

===========================

The usage of / and : should be a little different.

When using authpf, to view the rules loaded for a given user you have to use the following form:

# pfctl -a "authpf/hsw(19490)" -s r

# pfctl -sA

authpf
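Editor's added example, not code from the post above or from the pf project. It runs the same load / list / show / flush sequence as a small sh script, but addresses the sub-anchors with the nested path form (parent/child) and verifies the attachment. In the pf generation that prints `flags S/SA keep state` as rule defaults (pf from OpenBSD 4.1 onward, FreeBSD 7 and later; the `pfctl -sr` output above shows those defaults, and relayd itself only exists from that generation), `/` is the nested-anchor path separator and `:` has no special meaning: `pfctl -a relayd:web -f -` creates a top-level anchor literally named `relayd:web`, which is why a plain `pfctl -sA` (which lists only anchors directly below the main ruleset) shows it beside `relayd`, and a `rdr-anchor "relayd/*"` line in the main ruleset does not evaluate it. The `authpf/hsw(19490)` form at the end of the post is that nested syntax. Assumptions in the script: interface xl0 and the rdr target from the post, a main ruleset I made up for the example, and a `PFCTL` override so the functions can be exercised against a stub instead of the real binary.

```shell
#!/bin/sh
# Added example (not from the original post): load, verify and flush pf
# sub-anchors with pfctl using the nested "parent/child" anchor path.
# Assumptions: interface xl0, rdr target 192.168.0.115:8080 (from the post),
# and PFCTL overridable so the functions can run against a stub.
# On a real FreeBSD host leave PFCTL unset and run as root.

PFCTL="${PFCTL:-pfctl}"

# Main ruleset providing the hooks the sub-anchors hang off (contents are an
# assumption). Translation anchors (nat-anchor/rdr-anchor) precede filter rules.
main_ruleset() {
    cat <<'EOF'
ext_if = "xl0"
nat-anchor "nat_anchor/*"
rdr-anchor "relayd/*"
anchor "myanchor/*"
pass out on $ext_if keep state
EOF
}

# pf treats '/' as the nested-anchor separator; ':' is an ordinary character,
# so "relayd:web" would be a top-level anchor that rdr-anchor "relayd/*"
# never evaluates. Accept only non-empty, relative, slash-separated paths.
anchor_path_ok() {
    case "$1" in
        ""|*:*|/*|*/|*//*|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Parse the rules from stdin with -n first, then load them into the anchor,
# so a parse error leaves the anchor untouched instead of half-replaced.
load_anchor() {
    anchor="$1"
    anchor_path_ok "$anchor" || { echo "refusing bad anchor path: $anchor" >&2; return 1; }
    rules=$(cat)
    printf '%s\n' "$rules" | "$PFCTL" -a "$anchor" -n -f - || return 1
    printf '%s\n' "$rules" | "$PFCTL" -a "$anchor" -f -
}

# Anchors attached directly below a parent; pfctl prints their full paths.
children_of() {
    "$PFCTL" -a "$1" -sA
}

# Confirm that parent/child really sits below parent, which is what the
# main ruleset's "parent/*" declaration evaluates.
verify_attached() {
    parent="${1%/*}"
    [ "$parent" != "$1" ] || return 1    # no '/', so nothing can be attached
    children_of "$parent" | grep -q -e "^[[:space:]]*$1\$"
}

# Recursive view of one rule kind below a parent: -a 'parent/*' -s nat|rules.
show_tree() {
    "$PFCTL" -a "$1/*" -s "$2"
}

# Flush one rule kind in an anchor. pf drops an anchor once it is empty, so a
# later "pfctl -a anchor -sn" fails with DIOCGETRULES, as seen in the post.
flush_anchor() {
    "$PFCTL" -a "$1" -F "$2"
}

# The post's rdr experiment, done with the nested path: run as "sh script demo".
demo() {
    main_ruleset | "$PFCTL" -f -
    echo "rdr on xl0 inet proto tcp from any to any port 80 -> 192.168.0.115 port 8080" \
        | load_anchor relayd/web
    verify_attached relayd/web && echo "relayd/web is attached below relayd"
    show_tree relayd nat
    flush_anchor relayd/web nat
}

case "${1:-}" in
    demo) demo ;;
esac
```

`verify_attached` is the check that separates the two spellings: after loading into `relayd/web`, `pfctl -a relayd -sA` lists `relayd/web`; after loading into `relayd:web`, it lists nothing and the rule only shows up in the top-level `pfctl -sA`.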
