我以前没用过任何类UNIX系统,但由于我公司防火墙烧毁,不得不花个星期研究一下OPENBSD 和PF,参考了大量的文挡和各人的高论,搞了个防火墙来用,但一直没通,这里恳请各位前辈高人帮忙看一下是那里的问题谢谢了

主机配置: 1个XEON 2.66, 1GB ECC,36GB SCSI,2个INTEL 8255网卡,一个INTEL PRO 1000M网卡,一个BROADCOM BCM5703X网卡,

软件:只安装基本包, OPENBSD +PF+SQUID_transparent_snmp_STABLE9

说明：em0接内网 ip=192.168.1.254 bg0接交换区ip=10.44.44.44 fxp0接ADSL ip=192.168.2.254

Fxp1接CABLE ip=192.168.3.1 下列其中有xx.xx.xx的是为了保密把真实的去掉。

一、:#PF.CONF 文件

#macros
ext_if="bge0"
int_if="em0"
cable_if="fxp1"
adsl_if="fxp0"

int_gw="10.44.44.254

ext_gw="10.44.44.1"
cable_gw="192.168.2.1"
adsl_gw="192.168.3.1"

cn007="192.168.1.88"
cn_vpn="192.168.1.28"
lea1="192.168.1.81"
lea2="192.168.1.82"
lea3="192.168.1.83"
table <leader_net> {$lea1,$lea2,$lea3}

int_proxy="210.xx.xx.xx"
kbgser1="10.88.88.5"
kbgser2="10.88.88.20"
table <kbgserver_net> {$kbgser1,$kbgser2}
table <cn_net> {10.0.0.0/8,!$kbgser1,!$kbgser2}

ser1="220.xx.xx.xx"
ser2="220.xx.xx.xx"
table <server_net> {$ser1,$ser2 }

table <any_net> {! 10.0.0.0/8,!$kbgser1,!$kbgser2,!$ser1,!$ser2 }

table <trust_net> {$cn_007,$cn_vpn}

table <int_net> {192.168.1.0/24}

serv_port="{134,135,136,137,138,139,140,445,593,333,5554,9995,9996,554,1434,4444}"
icmp_types="echorep"


# scrub incoming packets
scrub in all


#nat
nat on $ext_if from $int_if:network to <cn_net> -> ($ext_if)
nat on $ext_if from $int_if:network to <server_net> -> ($ext_if)
nat on $dzw_if from $int_if:network to <kgbserver_net> -> ($cable_if)
nat on $ext_if from $int_if:network to <any_net> -> ($ext_if)
nat on $adsl_if from $int_if:network to <any_net> -> ($adsl_if)

#rdr
rdr on $int_if inet proto tcp from <int_net> to any port 80 -> $int_if port 3128
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# setup a default deny policy
block in all
block out all
# pass traffic on the loopback interface in either direction
pass quick on lo0 all
# activate spoofing protection for the internal interface.
antispoof quick for $int_if inet


# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.1.88 use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! $cn_007 to $int_if port ssh flags S/SA

#worm
block drop in quick on $ext_if proto { tcp, udp } from any to any port $serv_port
block drop in quick on $dzw_if proto { tcp, udp } from any to any port $serv_port
block drop in quick on $adsl_if proto { tcp, udp } from any to any port $serv_port
block drop in quick on $int_if proto { tcp, udp } from any to any port $serv_port


# pass all traffic to and from the local network
pass in quick on $int_if from <int_net> to $int_if
pass in quick on $int_if from <int_net> to $ext_if
pass in quick on $int_if from <int_net> to $cable_if
pass in quick on $int_if from <int_net> to $adsl_if
pass in quick on $int_if from <int_net> to <server_net>

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from <int_net> to <kbgserver_net> keep state
pass in on $int_if from <int_net> to <cn_net> keep state
pass in on $int_if from <trust_net> to <any_net> keep state
pass in on $int_if from <leader_net> to <any_net> keep state
pass out on $int_if from any to <int_net> keep state


# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if $ext_gw), ($adsl_if $adsl_gw) } round-robin proto tcp from <int_net> to <any_net> flags S/SA modulate state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if $ext_gw), ($adsl_if $adsl_gw) } round-robin proto { udp, icmp } from <int_net> to <any_net> keep state


# general "pass out" rules for external interfaces
pass out on $ext_if proto tcp from any to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from any to any keep state
pass in on $ext_if proto { tcp, udp} from any to $ext_if flags S/SA keep state
pass out on $adsl_if proto tcp from any to any flags S/SA modulate state
pass out on $adsl_if proto { udp, icmp } from any to any keep state
pass in on $adsl_if proto { tcp, udp} from any to $adsl_if flags S/SA keep state

# route packets from any IPs on $ext_if to $ext_gw and the same for
# $adsl_if and $adsl_gw
pass out on $ext_if route-to ($adsl_if $adsl_gw) from $adsl_if to <any_net>
pass out on $adsl_if route-to ($ext_if $ext_gw) from $ext_if to <any_net>
# general "pass out" rules for cable interfaces
pass out on $cable_if proto tcp from any to any flags S/SA modulate state
pass out on $cable_if proto { udp, icmp } from any to any keep state
pass in on $cable_if proto {tcp,udp} from any to $cable_if flags S/SA keep state

# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect. use the tcp syn proxy to proxy the connection.
pass in log on $ext_if proto tcp from any to { !$ext_if, !$int_if ,!$adsl_if,!$cable_if} port ssh flags S/SA synproxy state







二、sysctl.conf 文件

只打开其中 net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets

其他的默认



三、rc.conf 文件

只修改其中 pf=YES # Packet filter / NAT

其他默认　　　　　　

四、rc.local 文件



### $OpenBSD: rc.local,v 1.36 2004/07/06 04:03:41 henning Exp $



# site-specific startup actions, daemons, and other things which

# can be done AFTER your system goes into securemode. For actions

# which should be done BEFORE your system has gone into securemode

# please see /etc/rc.securelevel



# site-specific startup actions, daemons which can be run

# Add your local changes additions to this file



echo -n 'starting local daemons:'



if [ -x /usr/local/sbin/cfsd ]; then

if ps auxc | grep -q '^ *root .* mountd$'; then

echo -n ' cfsd'; /usr/local/sbin/cfsd >/dev/null 2>&1

mount -o port=3049,nfsv2,intr localhost:/null /crypt

else

echo -n ' cfsd (failed, no mountd running)'

fi

fi



#

if [ -x /usr/local/sbin/squid ]; then

echo -n 'squid'; /usr/local/sbin/squid

fi





route add -host 10.88.88.5 -netmask 255.255.255.255 192.168.3.1

route add -host 10.88.88.20 -netmask 255.255.255.255 192.168.3.1

route add -host 210.xx.xx.xx -netmask 255.255.255.255 10.44.44.254 ####内网代理服###务

route add -net 10.0.0.0 -netmask 255.0.0.0 10.44.44.254

route add -net 220.xx.xx.0 -netmask 255.255.255.0 10.44.44.1

route add ?net 0.0.0.0 ?netmask 0.0.0.0 10.44.44.1
#####(这两行我不知道是否要不要加)####
route add ?net 0.0.0.0 ?netmask .0.0.0.0 192.168.2.1
#####(这两行我不知道是否要不要加)####




#if [ -x /usr/local/sbin/snmpd ]; then

# echo -n ' snmpd'; /usr/local/sbin/snmpd

#fi



echo '.'



# Netatalk stuff

#if [ -f /etc/netatalk/rc.atalk ]; then

# . /etc/netatalk/rc.atalk

#fi





五、squid.conf 文件



http_port 192.168.1.254:3128

icp_port 0



cache_peer 210.xx.xx.xx parent 3128 3130

udp_incoming_address 0.0.0.0

udp_outgoing_address 255.255.255.255



hierarchy_stoplist cgi-bin ?



acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY



cache_mem 256 MB



cache_swap_low 90

cache_swap_high 95



maximum_object_size 8192 KB



maximum_object_size_in_memory 16 KB



cache_effective_user nobody

cache_effective_group nobody





cache_dir ufs /usr/local/squid/cache 1024 15 256

cache_access_log /dev/null

cache_log /dev/null

cache_store_log /dev/null

error_directory /etc/squid/errors/Simplify_Chinese

icon_directory /etc/squid/icons

mime_table /etc/squid/mime.conf

coredump_dir /usr/local/squid/squid/cache

pid_filename /usr/local/squid/logs/squid.pid

hosts_file /etc/hosts

unlinkd_program /usr/local/squid/libexec/unlinkd



dns_nameservers 10.xx.xx..xx 220.xx..xx..xx 220.xx.xx.xx

visible_hostname bsdrouter.xxxx.com.cn



ipcache_size 1024

ipcache_low 90

ipcache_high 95

fqdncache_size 1024



cache_replacement_policy lru

memory_replacement_policy lru



emulate_httpd_log off

log_ip_on_direct on

log_mime_hdrs off

dns_timeout 2 minutes

request_header_max_size 10 KB

request_body_max_size 0 KB



refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern . 0 20% 4320



negative_ttl 5 minutes

positive_dns_ttl 6 hours

negative_dns_ttl 1 minute

connect_timeout 1 minute

read_timeout 15 minutes

request_timeout 5 minutes

client_lifetime 1 day

half_closed_clients on

maximum_single_addr_tries 1

uri_whitespace strip

ie_refresh off





acl no_lan src 192.168.1.1-192.168.1.20/255.255.255.255

acl our_lan src 192.168.1.20-192.168.1.100/255.255.255.255

acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 563 # https, snews

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT





# Only allow cachemgr access from localhost

http_access allow manager localhost

http_access deny manager

# Deny requests to unknown ports

http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports

http_access deny CONNECT !SSL_ports

#

http_access deny to_localhost

http_access deny no_lan

http_access allow our_lan

http_access deny all

http_reply_access allow all

icp_access allow all

hierarchy_stoplist cgi-bin ?



httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on





########## Misc control ###########

ftp_user Squid@

ftp_list_width 32

ftp_passive on

ftp_sanitycheck on　　　　　　

以上的规则是否合理,各位高人能否帮忙找出错误地方,优化一下,谢谢了
感觉使用PF后.用SSH连上去速度很慢.还有这样配置是否存在安全漏洞.恳请各高人前辈指出,拜谢,如果是和我本地,请吃饭哦

顺便说一下,VI编辑器用起来真的好不方便　　　　　　

今天先看看你的PF配置, 明天再说说我的理解!　　　　　　

能不能画一画你的网络结构图啊?　　　　　　

看附件　　　　　　

网络拓扑图请看附件，谢谢回复

呵呵 图中笔误，prarent squid 应为parent squid　　　　　　

偶觉得你的网络结构这样的话应该改为这样, 你可以在你的结构图上画一画数据包的走向图, bge0线路的数据包好混乱.

下图是我设想的结构图　　　　　　

谢谢，问题已解决，呵呵，BSD还真好用~感觉让我又回到大学时代　　　　　　

是啊, BSD比较清楚明了!  有人说BSD适合作学术研究的, 我使用了很长时间BSD觉得它条理很清楚!