Load Balancing with pf on OpenBSD 3.3
Hi:
pf's functionality can roughly be divided into five parts
(I'm just saying this off the top of my head; correct me if I'm wrong):
1. NAT
2. Load Balancing
3. Alternate Queueing (ALTQ)
4. Firewall
5. Logging
I got hold of two symmetric 512k ADSL lines somewhere to play with,
one from Hinet and one from Seed.
What I have more or less done so far is NAT plus load balancing,
and I'm publishing my configuration here.
Known problems so far:
1. PF can't automatically detect whether an external line is down.
2. Although this is load balancing, there's no way to treat the two lines' bandwidth "as" one
(though with a multi-connection download tool you might be able to use both lines' bandwidth;
haven't tried it, no idea...).
Those two problems probably have to be handled from routed,
but that's outside the scope of pf, so I'll leave them for later.
Next I'm torn between doing the firewall or ALTQ first.
Doing the firewall means I'd have to scrounge up a machine to be the protected target,
and ALTQ looks rather complicated...
If any of you veterans feel this config file isn't elegant enough somewhere,
please do point it out.
Sigh, it's already mid-June; at this rate, by the time everything is finished
and it's time to hold the OpenBSD 3.3 PF test-drive (er, no, hands-on session), 3.4 might already be out ><
Anyone interested in taking part?
Oh, by the way, the first book devoted to OpenBSD is out : )
http://www.amazon.com/exec/obidos/tg/detail/-/1886411999/002-3001659-5995218
ghost 03'06/13
-------------------------
pf.conf:
# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Macros: define common values, so they can be referenced and changed easily.
#external_addr1 = "211.21.32.58"
#external_addr2 = "210.64.89.130"
ext_if1 = "xl0" # replace with your actual first external interface name, e.g. dc0
ext_if2 = "fxp0"        # replace with your actual second external interface name
int_if = "dc0"  # replace with your actual internal interface name, e.g. dc1
internal_net = "192.168.1.0/24" # NAT subnet
ext_gw1 = "a.b.c.d" # the ISP gateway IP on external interface 1
ext_gw2 = "d.e.f.g" # the ISP gateway IP on external interface 2
(These have to be changed to match your own hardware and network; if you copy them verbatim and it still works, that would be a miracle.)
# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
table <isp1> {168.95.4.0/24, 168.95.195.16, 168.95.1.1 } # Hinet SMTP, NEWS, DNS
table <isp2> {139.175.54.240, 139.175.55.249, 139.175.55.244 } # Seed SMTP, NEWS, DNS
(These differ depending on which ISP you use; if both lines are from the same ISP you don't need them at all.)
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)
# rdr outgoing FTP requests to the ftp-proxy
# (the stock 3.3 inetd.conf line for it is:
#  127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
(This line needs a matching entry in inetd.conf.)
# Requests for an ISP's own services go out over the line provided by that ISP.
# Filter rules are last-match, and the general load-balancing rules below also
# match this traffic, so these two need "quick"; otherwise the later rules would
# win and round-robin this traffic across both lines anyway.
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) proto tcp from $internal_net to <isp1> flags S/SA modulate state
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from $internal_net to <isp2> flags S/SA modulate state
(These, together with the two table lines, are there so that you reach the services an ISP provides over the ADSL line that ISP provides.)
# Filtering: the implicit first two rules are
#pass in all
#pass out all
# (pf's default when no filter rule matches is to pass, so these two stay
# commented out as in the stock pf.conf; as explicit last-match rules they
# would change nothing. The real firewall rules are still to come.)
pass quick on lo0 all
# pass all outgoing packets on internal interface
pass out on $int_if from any to $internal_net
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $internal_net to $int_if
# load balance outgoing tcp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $internal_net to any flags S/SA modulate state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $internal_net to any keep state
# A packet sourced from $ext_if2's address that is about to leave via $ext_if1
# (e.g. a reply to a connection that came in on the second line and is
# following the default route) is sent out through $ext_gw2 instead, and
# vice versa for $ext_if1's address.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
# ICQ client with load balancing: last match wins, so this rule (no route-to)
# overrides the balancing rule above for port 5190; ICQ sessions stay on the
# default route and always leave from the same public address
pass in on $int_if proto tcp from $internal_net to any port 5190 flags S/SA modulate state
(With load balancing active, this line is needed for clients to connect to the ICQ server properly.)
# FTP client with load balancing: after the rdr above the destination is the
# local ftp-proxy, so this rule (again no route-to) keeps those packets on the
# gateway instead of routing them out an external interface
pass in on $int_if proto tcp from $internal_net to 127.0.0.1 port 8081 flags S/SA keep state
(With load balancing active, this line is needed for clients to connect to FTP servers properly.)
# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
--------------------------
--
*Please join the petition to boycott RedHat Linux 8.0 and later versions
http://www.slat.org/event/redhat-flag
*Please support and take part in the Freenix server documentation writing and verification project
http://www.freenix-server.info
--
Win, then sing out loud; lose, then let it be;
however much grief and sorrow, let it drift away.
Dozing hazily in the shade of the green pines;
the swallows fly, no tower in sight, the moon already a hook.
風起雲湧II-幽靈
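Known problem 1 above (pf not noticing a dead line) is usually handled outside pf with a small monitor script rather than with routed. The script below is an added example, not part of the original post and not OpenBSD's own code: it pins a ping to each ISP line, regenerates the two load-balancing rules so that route-to only lists the lines that answered, syntax-checks the result with pfctl -n and reloads it. pf 3.3 has no include directive, so it works from a template copy of pf.conf in which those two rules are replaced by a marker line. The file paths, the marker, the probe hosts (each ISP's DNS server from the tables) and the use of a host route plus ping as the probe are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-driven link monitor for the
# two-ADSL pf.conf above. It pins a ping to each ISP line, rewrites the two
# load-balance rules so route-to only lists the lines that answered, and reloads
# pf. pf 3.3 has no include directive, so the script works from a template copy
# of pf.conf in which those two rules are replaced by the marker line
# "# @@LB_RULES@@". File paths, probe hosts and the ping/route usage are
# assumptions, not something the post specifies.

INT_IF=dc0
INTERNAL_NET=192.168.1.0/24
# Link spec: interface/gateway/probe-host. The probe hosts are each ISP's DNS
# server from the <isp1>/<isp2> tables; the gateways are the post's placeholders.
LINK1="xl0/a.b.c.d/168.95.1.1"
LINK2="fxp0/d.e.f.g/139.175.55.244"
TEMPLATE=/etc/pf.conf.template      # assumed: pf.conf with the "# @@LB_RULES@@" line
PF_CONF=/etc/pf.conf
STATE=/var/run/pf-linkmon.state     # assumed: last set of live links, to avoid reloads

# Force the probe out one line with a host route via that line's gateway, ping,
# then drop the route again. Returns 0 if the line answered.
probe_link() {
    gw=${1#*/}; gw=${gw%/*}
    host=${1##*/}
    route -qn add -host "$host" "$gw" >/dev/null 2>&1
    if ping -q -c 3 "$host" >/dev/null 2>&1; then rc=0; else rc=1; fi
    route -qn delete -host "$host" >/dev/null 2>&1
    return $rc
}

# Build the route-to pool from the live links (args: if/gw ...). One link gives
# a single target, several give a round-robin pool, none is a failure.
render_pool() {
    case $# in
    0) return 1 ;;
    1) printf '(%s %s)' "${1%/*}" "${1#*/}" ;;
    *)
        out=""; sep=""
        for l in "$@"; do
            out="$out$sep(${l%/*} ${l#*/})"; sep=", "
        done
        printf '{ %s } round-robin' "$out"
        ;;
    esac
}

# The two balancing rules from the post, with the pool computed above.
render_rules() {
    pool=$(render_pool "$@") || return 1
    printf 'pass in on %s route-to %s proto tcp from %s to any flags S/SA modulate state\n' \
        "$INT_IF" "$pool" "$INTERNAL_NET"
    printf 'pass in on %s route-to %s proto { udp, icmp } from %s to any keep state\n' \
        "$INT_IF" "$pool" "$INTERNAL_NET"
}

# Splice the generated rules into the template in place of the marker line.
build_conf() {
    awk -v rules="$1" '$0 == "# @@LB_RULES@@" { print rules; next } { print }' "$TEMPLATE"
}

# Syntax-check the generated file with pfctl -n before loading it, so a bad
# template can never leave the gateway without a ruleset.
reload_pf() {
    tmp=$(mktemp /tmp/pf.conf.XXXXXXXX) || return 1
    build_conf "$1" > "$tmp"
    if pfctl -nf "$tmp" >/dev/null 2>&1; then
        pfctl -f "$tmp" && cp "$tmp" "$PF_CONF"
    else
        echo "generated pf.conf rejected by pfctl -n, ruleset unchanged" >&2
    fi
    rm -f "$tmp"
}

main() {
    up=""
    for spec in "$LINK1" "$LINK2"; do
        probe_link "$spec" && up="$up ${spec%/*}"    # keep if/gw of the live links
    done
    # Only touch pf when the set of live links changed since the last run.
    if [ -f "$STATE" ] && [ "$(cat "$STATE")" = "$up" ]; then return 0; fi
    rules=$(render_rules $up) || { echo "no line answered, ruleset unchanged" >&2; return 1; }
    reload_pf "$rules" && echo "$up" > "$STATE"
}

# Run from root's crontab every minute, e.g.:  * * * * * /usr/local/sbin/pf-linkmon --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Two things it deliberately does not do: it leaves the per-ISP rules (to <isp1>/<isp2>) alone, so if Hinet's line dies the Hinet-only services are simply unreachable until it comes back, and it does nothing when neither probe answers, because replacing a working ruleset with an empty pool is worse than leaving the stale one in place. Existing states created with round-robin keep their chosen gateway until they expire, so connections already on the dead line are not rescued, only new ones.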