Multihomed firewall with ipnat

I am trying (without success) to configure an ipnat/ipf box under FreeBSD 8.2; here is the situation:

                           outside                          inside
                                           +----+
    ADSL 1.2.3.0/29        -------(re0)-   |    |  -(re2)--  172.16.16.0/24   DMZ
                                           |    |
    HDSL 101.102.103.0/29  -------(re1)-   |    |  -(re3)--  192.168.10.0/24  LAN
                                           +----+

Until now I only had the ADSL, and I was able to browse from the LAN and redirect incoming requests for various services to the DMZ.

The box's default gateway is 1.2.3.4; all the assigned IP addresses are aliased onto the corresponding interfaces.

Here is my ipnat.conf:

    # -------------------------------
    # navigation from inside
    map re0 192.168.10.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
    map re0 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 11000:39999
    map re0 192.168.10.0/24 -> 1.2.3.4/32
    map re0 172.16.16.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
    map re0 172.16.16.0/24 -> 1.2.3.4/32 portmap tcp/udp 40000:59999
    map re0 172.16.16.0/24 -> 1.2.3.4/32
    # some services
    rdr re0 1.2.3.2/32 port 80 -> 172.16.16.100 port 80 tcp/udp
    rdr re0 1.2.3.3/32 port 25 -> 172.16.16.200 port 25 tcp/udp
    rdr re0 1.2.3.3/32 port 110 -> 172.16.16.200 port 110 tcp/udp
    rdr re0 1.2.3.5/32 port 3389 -> 192.168.10.10 port 3389 tcp/udp
    # -------------------------------

Now I want to configure the box so that some services are reachable through the new HDSL connection, like this:

    # -------------------------------
    # navigation from inside
    map re0 192.168.10.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
    map re0 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 11000:39999
    map re0 192.168.10.0/24 -> 1.2.3.4/32
    map re0 172.16.16.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
    map re0 172.16.16.0/24 -> 1.2.3.4/32 portmap tcp/udp 40000:59999
    map re0 172.16.16.0/24 -> 1.2.3.4/32
    # some services via ADSL and some via HDSL
    rdr re0 1.2.3.2/32 port 80 -> 172.16.16.100 port 80 tcp/udp
    rdr re1 101.102.103.103/32 port 25 -> 172.16.16.200 port 25 tcp/udp
    rdr re1 101.102.103.103/32 port 110 -> 172.16.16.200 port 110 tcp/udp
    rdr re0 1.2.3.5/32 port 3389 -> 192.168.10.10 port 3389 tcp/udp
    # -------------------------------

But I can't get this set up, because I'd... incoming packets are routed to the correct destination, but the replies go somewhere else. I have also tried the same thing with map and bimap, with identical (if not worse ;-) ...) results.

Sorry for the long post, and many thanks to anyone who can help!

While I can't tell you exactly how to do this on FreeBSD (I've never used it seriously), I think you should spend some time reading the pf man page and pay attention to the routing section, in particular these two parts:

    route-to
        The route-to option routes the packet to the specified interface
        with an optional address for the next hop.  When a route-to rule
        creates state, only packets that pass in the same direction as
        the filter rule specifies will be routed in this way.  Packets
        passing in the opposite direction (replies) are not affected and
        are routed normally.

    reply-to
        The reply-to option is similar to route-to, but routes packets
        that pass in the opposite direction (replies) to the specified
        interface.  Opposite direction is only defined in the context of
        a state entry, and reply-to is useful only in rules that create
        state.  It can be used on systems with multiple external
        connections to route all outgoing packets of a connection through
        the interface the incoming connection arrived through (symmetric
        routing enforcement).
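The pf.conf below is an added example (not part of the question or the answer above, and not tested by either author) of what the answer is pointing at: the same two uplinks, NAT and redirections as the ipnat.conf in the question, written for the pf that ships with FreeBSD 8.2, with reply-to pinning replies to the link the connection arrived on and route-to pushing the mail server's own outbound SMTP via HDSL. The two upstream gateway addresses (1.2.3.1 and 101.102.103.1) are assumptions, since the question does not give them; the pass rules are deliberately minimal and only cover the services in the question.

```pf
# /etc/pf.conf -- added example, not from the question or the answer.
# Interfaces, networks and public addresses are the ones in the question.
ext_adsl = "re0"
ext_hdsl = "re1"
dmz_if   = "re2"
lan_if   = "re3"
gw_adsl  = "1.2.3.1"          # ASSUMED ADSL next hop (also the system default route)
gw_hdsl  = "101.102.103.1"    # ASSUMED HDSL next hop
dmz_net  = "172.16.16.0/24"
lan_net  = "192.168.10.0/24"
mail     = "172.16.16.200"

# Outbound NAT: LAN and DMZ leave via ADSL, as in the ipnat.conf.
nat on $ext_adsl from { $lan_net, $dmz_net } to any -> 1.2.3.4
# Connections the mail server opens itself are pushed out via HDSL (route-to
# below), so they need a NAT rule on re1 as well.
nat on $ext_hdsl from $mail to any -> 101.102.103.103

# Inbound redirections. In this pf generation, rdr runs before the filter, so
# the pass rules below must match the translated (internal) addresses.
rdr on $ext_adsl proto tcp from any to 1.2.3.2 port 80 -> 172.16.16.100
rdr on $ext_hdsl proto tcp from any to 101.102.103.103 port { 25, 110 } -> $mail
rdr on $ext_adsl proto tcp from any to 1.2.3.5 port 3389 -> 192.168.10.10

block in log all
pass out keep state

# Generic inside-out rules first: pf takes the LAST matching rule, so the more
# specific route-to rule further down must come after these.
pass in on $lan_if from $lan_net to any keep state
pass in on $dmz_if from $dmz_net to any keep state

# Services arriving via ADSL. The default route already returns replies via
# re0, so reply-to is redundant here but makes the intent explicit.
pass in on $ext_adsl reply-to ($ext_adsl $gw_adsl) proto tcp from any to 172.16.16.100 port 80 keep state
pass in on $ext_adsl reply-to ($ext_adsl $gw_adsl) proto tcp from any to 192.168.10.10 port 3389 keep state

# Services arriving via HDSL: this is the part that fixes the symptom in the
# question. Without reply-to, the mail server's replies would follow the
# default route out re0 carrying the 101.102.103.103 source address.
pass in on $ext_hdsl reply-to ($ext_hdsl $gw_hdsl) proto tcp from any to $mail port { 25, 110 } keep state

# Outbound SMTP originated by the mail server: route-to sends the packets out
# re1 regardless of the routing table; the nat rule on re1 then rewrites the
# source to 101.102.103.103 and the replies come back on re1, where the state
# entry matches them.
pass in on $dmz_if route-to ($ext_hdsl $gw_hdsl) proto tcp from $mail to any port 25 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (`-n` parses without changing the running ruleset), and after loading confirm with `pfctl -ss` that a connection arriving on re1 produces a state entry whose reply direction is bound to re1. Two caveats a practitioner would want: reply-to only affects packets matching a state created by that rule, so it does nothing for stateless rules, and this file replaces the ipnat/ipf setup rather than coexisting with it (pf_enable in rc.conf, ipfilter off), since the question's problem is that ipnat has no equivalent of reply-to for the non-default link.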