############################
#/etc/pf.conf #
############################
ext_if=\"fxp0\"
int_if=\"rl0\"
web_server=\"192.168.0.1\"
pcanywhere_port=\"5631\"
sql=\"1433\"
#table <spamd> persist
#table <spamd-white> persist
scrub in
rdr pass on $ext_if proto tcp from any to port www -> $web_server port www
rdr pass on $ext_if proto tcp from any to port $pcanywhere_port -> \\
$web_server port $pcanywhere_port
rdr pass on $ext_if proto tcp from any to port $sql -> $web_server port $sql
rdr pass on $ext_if proto tcp from any to port 21 -> $web_server port 21
rdr pass on $ext_if proto udp from any to port 53 -> $web_server port 53
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block return
pass quick on { lo $int_if }
antispoof quick for { lo $int_if }
pass in log on $ext_if inet proto tcp to $ext_if port ssh flags S/SA keep state
pass in log on $ext_if inet proto tcp to $web_server port 21 flags S/SA
synproxy state
pass in log on $ext_if inet proto tcp to $web_server port $sql flags S/SA
synproxy state
pass in log on $ext_if inet proto tcp to $web_server port 1434 flags S/SA
synproxy state
pass in on $ext_if inet proto tcp to $web_server port { www, $pcanywhere_port}
\\
flags S/SA synproxy state
pass in on $ext_if inet proto { tcp, udp } to $web_server port 53 flags S/SA \\
keep state
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
############################
#/etc/hostname.fxp0 #
############################
inet XXX.XXX.XX.245 255.255.255.192 NONE
############################
#/etc/hostname.rl0 #
############################
inet 192.168.0.254 255.255.255.0 NONE
############################
#/etc/mygate #
############################
XXX.XX.X.193
############################
#show nat #
############################
haocb# pfctl -v -sn
nat on fxp0 from ! (fxp0) to any -> (fxp0:0)
[ Evaluations: 1232 Packets: 0 Bytes: 0 States: 0 ]
rdr pass on fxp0 inet proto tcp from any to any port = www -> 192.168.0.1 port
80
[ Evaluations: 1575 Packets: 1897 Bytes: 1425567 States: 29 ]
rdr pass on fxp0 inet proto tcp from any to any port = 5631 -> 192.168.0.1 port
5631
[ Evaluations: 80 Packets: 0 Bytes: 0 States: 0 ]
rdr pass on fxp0 inet proto tcp from any to any port = 1433 -> 192.168.0.1 port
1433
[ Evaluations: 80 Packets: 742 Bytes: 56328 States: 47 ]
rdr pass on fxp0 inet proto tcp from any to any port = ftp -> 192.168.0.1 port
21
[ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
rdr pass on fxp0 inet proto udp from any to any port = domain -> 192.168.0.1
port 53
[ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
############################
#show rules #
############################
haocb# pfctl -v -sn
scrub in all fragment reassemble
[ Evaluations: 12151 Packets: 6124 Bytes: 0 States: 0 ]
block return all
[ Evaluations: 2933 Packets: 14 Bytes: 688 States: 0 ]
pass quick on lo all
[ Evaluations: 2933 Packets: 0 Bytes: 0 States: 0 ]
pass quick on rl0 all
[ Evaluations: 2933 Packets: 2919 Bytes: 1503906 States: 0 ]
block drop in quick on ! lo inet from 127.0.0.0/8 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on ! lo inet6 from ::1 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick inet from 127.0.0.1 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick inet6 from ::1 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on lo0 inet6 from fe80::1 to any
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on ! rl0 inet from 192.168.0.0/24 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick inet from 192.168.0.254 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on rl0 inet6 from fe80::211:d8ff:fe79:d52b to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
pass in log on fxp0 inet proto tcp from any to 219.153.7.245 port = ssh flags
S/SA keep state
[ Evaluations: 43 Packets: 93 Bytes: 14185 States: 1 ]
pass in log on fxp0 inet proto tcp from any to 192.168.0.1 port = ftp flags
S/SA synproxy state
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
pass in log on fxp0 inet proto tcp from any to 192.168.0.1 port = 1433 flags
S/SA synproxy state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = www flags S/SA
synproxy state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = 5631 flags S/SA
synproxy state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = domain flags S/SA
keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto udp from any to 192.168.0.1 port = domain keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out on fxp0 proto tcp all modulate state
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
pass out on fxp0 proto udp all keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out on fxp0 proto icmp all keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
web server works fine(www,ftp and pcanywhere control),but i can\'t find any
transport from
pf state!!!!!!
pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = www flags S/SA
synproxy state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
~~~~~~\\
why???
pass in log on fxp0 inet proto tcp from any to 192.168.0.1 port = ftp flags
S/SA synproxy state
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
~~~~~~\\
why???
pass in log on fxp0 inet proto tcp from any to 219.153.7.245 port = ssh flags
S/SA keep state
[ Evaluations: 43 Packets: 93 Bytes: 14185 States: 1 ]
~~~~~~\\
it\'s ok
and nat state is right!
rdr pass on fxp0 inet proto tcp from any to any port = www -> 192.168.0.1 port
80
[ Evaluations: 1575 Packets: 1897 Bytes: 1425567 States: 29 ]
rdr pass on fxp0 inet proto tcp from any to any port = ftp -> 192.168.0.1 port
21
[ Evaluations: 33 Packets: 12 Bytes: 592 States: 1 ]
anyone can tell me this?i will thank you very much!
yours jking
----
iGENUS is a free webmail interface, NO fee, download
---------------------------------------------------------
please visit http://www.qmail.org
