Author: sw0079 (極限操作)   Board: Linux   Title: [Question] pf.conf configuration   Time: Thu Mar 20 13:07:10 2014
───────────────────────────────────────
Hi everyone, I'm a Linux/OBSD newbie. This is for a project we're doing in class. Since the router is OBSD, some file names and paths are different. My question is about some rules in /etc/pf.conf on OBSD.

The teacher's requirements are:
1. Windows subnet to storage subnet: NO access
2. Windows subnet to web server subnet: RESTRICTED access, only SSL HTTP ports allowed
3. Web server subnet to storage subnet: RESTRICTED access, only iSCSI ports allowed

I drew a diagram in Paint: http://tinypic.com/view.php?pic=fwqhxz&s=8#.Uyp0NPldUwA

The OBSD router has 1 external interface (em0) and 2 internal interfaces (em1 & em2):
Windows subnet >> em1
www server >> em2
storage server >> connected from the main router to the OBSD router

The pf rules I came up with are:

ext_if = "em0"
int_if = "em1"
int_if2 = "em2"
www_server = "192.168.32.130"
web_ports = "{ https, iscsi }"
tcp_services = "{ ssh, domain }"
udp_services = "{ router, domain }"
set skip on lo
block in
pass in on $int_if from $int_if:network
pass in on $int_if2 from $int_if2:network
pass in inet proto icmp
block from $int_if:network to $int_if2:network
pass in on $ext_if inet proto tcp to $ext_if port $tcp_services
pass in on $ext_if inet proto udp to $ext_if port $udp_services
pass in on $ext_if inet proto tcp to $www_server port $web_ports
pass in on $int_if inet proto tcp from $int_if:network to $www_server port https
block from $int_if:network to 10.12.0.0/16
pass out

Today, after checking it, the teacher said this configuration is very strange, because these two rules

pass in on $int_if from $int_if:network
pass in on $int_if2 from $int_if2:network

are actually quite redundant, and

pass in on $int_if inet proto tcp from $int_if:network to $www_server port https

is also odd. But after testing it, the teacher said it passed because it met the requirements (the test was ping, plus checking whether our web page could only be shown over https).

The main question: how would you write it? Sorry for the long post, and thanks for your advice.
--
The truth is always beneath a quiet place.
So I prefer to work in a distant place alone.
--
※ Origin: 批踢踢實業坊(ptt.cc) ◆ From: 207.6.112.200
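As an added example (not the poster's ruleset and not an answer from the thread), here is one way a default-deny pf.conf for the three-subnet lab could be written. The interface names em0/em1/em2, the web server address 192.168.32.130 and the storage subnet 10.12.0.0/16 come from the post; the web server subnet 192.168.32.0/24 and the placement of the storage subnet behind em0 are assumptions. The idea is that every path is denied unless a rule names it, so requirements 1 to 3 become three short rules instead of a mix of pass and block statements whose interaction has to be reasoned about.

```pf
# Added example, not the original poster's rules: default-deny pf.conf for the lab.
# From the post: em0/em1/em2, web server 192.168.32.130, storage subnet 10.12.0.0/16.
# Assumed: web server subnet is 192.168.32.0/24; storage subnet is reached via em0.
ext_if = "em0"   # uplink to the main router (storage subnet is behind it)
win_if = "em1"   # Windows subnet
www_if = "em2"   # web server subnet
www_server   = "192.168.32.130"
www_net      = "192.168.32.0/24"
storage_net  = "10.12.0.0/16"
tcp_services = "{ ssh, domain }"
udp_services = "{ domain }"

# Subnets internal hosts may only reach through an explicit rule below.
table <protected> const { $storage_net, $www_net }

set skip on lo
set block-policy drop

# Default deny. Every pass rule is stateful, so replies are admitted by the
# state table. Filtering happens where traffic enters the router; whatever an
# ingress rule has accepted is then allowed to leave on the other interface.
block log all
pass out quick

# Services offered by the router itself.
pass in on $ext_if inet proto tcp to $ext_if port $tcp_services
pass in on $ext_if inet proto udp to $ext_if port $udp_services

# Ping for troubleshooting, but never toward storage: access to the storage
# subnet is governed only by rules 1 and 3 below.
pass in inet proto icmp icmp-type echoreq to ! $storage_net

# 1. Windows subnet -> storage subnet: no access. The default block already
#    denies it; 'quick' guarantees no later rule can override this, and 'log'
#    makes attempts visible on pflog0.
block in log quick on $win_if from $win_if:network to $storage_net

# 2. Windows subnet -> web server subnet: HTTPS to the web server only.
pass in on $win_if inet proto tcp from $win_if:network to $www_server port https

# 3. Web server subnet -> storage subnet: iSCSI (tcp/3260) only.
pass in on $www_if inet proto tcp from $www_if:network to $storage_net port 3260

# Both internal subnets may reach anything that is not a protected subnet
# (the Internet via em0, for example).
pass in on $win_if from $win_if:network to ! <protected>
pass in on $www_if from $www_if:network to ! <protected>

# The web server is reachable over HTTPS from outside.
pass in on $ext_if inet proto tcp to $www_server port https
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, and `pfctl -sr` afterwards shows the rules as pf expanded them (macros and tables substituted). Because every block rule carries `log`, a test such as pinging the storage subnet from a Windows host can be confirmed as denied with `tcpdump -n -e -ttt -i pflog0`, which is a more reliable check than relying on the absence of a reply.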