Help me upgrade my pf.conf for OpenBSD 4.7

I'm planning to upgrade my OpenBSD to 4.7 (from 4.6), and as you may or may not know, they changed the pf.conf syntax.

Here is the relevant part of the upgrade guide:

(4) NAT syntax change

As described in detail in this mailing list post, PF's separate nat/rdr/binat (translation) rules have been replaced by actions on regular match/filter rules. Simple rulesets can be converted like this:

    nat on $ext_if from 10/8 -> ($ext_if)
    rdr on $ext_if to ($ext_if) -> 1.2.3.4

    match out on $ext_if from 10/8 nat-to ($ext_if)
    match in on $ext_if to ($ext_if) rdr-to 1.2.3.4

and…

    binat on $ext_if from $web_serv_int to any -> $web_serv_ext

    match on $ext_if from $web_serv_int to any binat-to $web_serv_ext

The nat-anchor and/or rdr-anchor lines for e.g. relayd(8), ftp-proxy(8) and tftp-proxy(8) are no longer used and should be removed from pf.conf(5), leaving only the anchor lines. Translation rules for these and for spamd(8) will need to be adjusted accordingly.

Note: previously, translation rules had "first match" behaviour, with binat evaluated first and then nat/rdr depending on the direction of the packet. Now, filter rules are subject to the usual "last match" behaviour, so care must be taken with rule ordering when converting.

(4) route-to/reply-to syntax change

The route-to, reply-to, dup-to and fastroute options in pf.conf have moved to filteropts;

    pass in on $ext_if route-to (em1 192.168.1.1) from 10.1.1.1
    pass in on $ext_if reply-to (em1 192.168.1.1) to 10.1.1.1

    pass in on $ext_if from 10.1.1.1 route-to (em1 192.168.1.1)
    pass in on $ext_if to 10.1.1.1 reply-to (em1 192.168.1.1)

Now, here is my current pf.conf:

    # $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
    #
    # See pf.conf(5) for syntax and examples; this sample ruleset uses
    # require-order to permit mixing of NAT/RDR and filter rules.
    # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
    # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

    ext_if="pppoe0"
    int_if="nfe0"
    int_net="192.168.0.0/24"

    polemon="192.168.0.10"
    poletopw="192.168.0.12"
    segatop="192.168.0.20"

    table <leechers> persist

    set loginterface $ext_if
    set skip on lo

    match on $ext_if all scrub (no-df max-mss 1440)

    altq on $ext_if priq bandwidth 950Kb queue {q_pri, q_hi, q_std, q_low}
    queue q_pri priority 15
    queue q_hi priority 10
    queue q_std priority 7 priq(default)
    queue q_low priority 0

    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"

    nat on $ext_if from !($ext_if) -> ($ext_if)
    rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
    rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
    rdr pass on $ext_if proto tcp to port 2022 -> $segatop port 22
    rdr pass on $ext_if proto tcp to port 4000 -> $polemon port 4000
    rdr pass on $ext_if proto tcp to port 6600 -> $polemon port 6600

    anchor "ftp-proxy/*"

    block

    pass on $int_if queue(q_hi, q_pri)
    pass out on $ext_if queue(q_std, q_pri)
    pass out on $ext_if proto icmp queue q_pri
    pass out on $ext_if proto {tcp, udp} to any port ssh queue(q_hi, q_pri)
    pass out on $ext_if proto {tcp, udp} to any port http queue(q_std, q_pri)
    #pass out on $ext_if proto {tcp, udp} all queue(q_low, q_hi)
    pass out on $ext_if proto {tcp, udp} from <leechers> queue(q_low, q_std)

    pass in on $ext_if proto tcp to ($ext_if) port ident queue(q_hi, q_pri)
    pass in on $ext_if proto tcp to ($ext_if) port ssh queue(q_hi, q_pri)
    pass in on $ext_if proto tcp to ($ext_if) port http queue(q_hi, q_pri)
    pass in on $ext_if inet proto icmp all icmp-type echoreq queue q_pri

If anyone has ported a 4.6 pf.conf to 4.7, please help me make the right changes.

OK, here is how far I have got:

I commented out the nat-anchor and rdr-anchor lines, as described in the guide:

    #nat-anchor "ftp-proxy/*"
    #rdr-anchor "ftp-proxy/*"

This is how I "converted" the rdr rules:

    #nat on $ext_if from !($ext_if) -> ($ext_if)
    match out on $ext_if from !($ext_if) nat-to ($ext_if)

    #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
    match in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021

    #rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
    match in on $ext_if proto tcp to port 2080 rdr-to $segatop port 80

    #rdr pass on $ext_if proto tcp to port 2022 -> $segatop port 22
    match in on $ext_if proto tcp to port 2022 rdr-to $segatop port 22

    #rdr pass on $ext_if proto tcp to port 4000 -> $polemon port 4000
    match in on $ext_if proto tcp to port 4000 rdr-to $polemon port 4000

    #rdr pass on $ext_if proto tcp to port 6600 -> $polemon port 6600
    match in on $ext_if proto tcp to port 6600 rdr-to $polemon port 6600

What am I missing? What about the ftp-proxy anchor now? Do I need to change some lines somewhere else?
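The guide's mapping above is mechanical enough to script. The following is an added example (editor's code, not from the poster or the OpenBSD project) that rewrites the simple one-line 4.6 forms shown on this page into 4.7 syntax: nat/rdr/binat rules become match or pass rules with nat-to/rdr-to/binat-to, obsolete nat-anchor/rdr-anchor lines are dropped, and route-to/reply-to/dup-to/fastroute options are moved after the filter body. It also implements the ordering check the guide's note asks for: because 4.7 filter rules are last-match, a bare `block` placed after a `pass ... rdr-to` rule would override it. The sample ruleset is constructed from the question's translation section; the regexes only recognise the plain forms seen here and pass anything else through unchanged.

```python
"""Convert simple OpenBSD 4.6 pf.conf translation rules into 4.7 match/pass
syntax, following the mapping in the 4.7 upgrade guide.

Added example, not from the original post or from OpenBSD. Handles only the
plain one-line forms shown on the page; unrecognised lines are kept as-is so
nothing is silently lost.
"""
import re

# One 4.6 translation rule: <kind> [pass] on <if> <filter body> -> <target>
TRANSLATION_RE = re.compile(
    r"^(?P<kind>nat|rdr|binat)(?P<pass>\s+pass)?\s+on\s+(?P<ifc>\S+)"
    r"(?P<body>.*?)\s*->\s*(?P<target>.+?)\s*$"
)

# A 4.6 filter rule with a routing option placed before the filter body.
ROUTE_RE = re.compile(
    r"^(?P<head>(?:pass|block|match)(?:\s+(?:in|out))?\s+on\s+\S+)\s+"
    r"(?P<opt>(?:route-to|reply-to|dup-to)\s+\([^)]*\)|fastroute)\s+"
    r"(?P<rest>.*?)\s*$"
)

# How each 4.6 rule kind maps onto 4.7: (direction keyword, translation option)
MAPPING = {
    "nat": ("out", "nat-to"),    # outbound source translation
    "rdr": ("in", "rdr-to"),     # inbound destination translation
    "binat": ("", "binat-to"),   # bidirectional, no direction keyword
}


def convert_rule(line):
    """Return the 4.7 form of one pf.conf line, or None if it should be dropped."""
    stripped = line.strip()
    # nat-anchor / rdr-anchor are obsolete in 4.7; only the plain anchor stays.
    if stripped.startswith(("nat-anchor", "rdr-anchor")):
        return None
    m = TRANSLATION_RE.match(stripped)
    if m:
        direction, option = MAPPING[m.group("kind")]
        # 'rdr pass' / 'nat pass' carried an implicit pass in 4.6; a bare rule
        # only translated and still needed its own pass rule, which 'match' keeps.
        parts = ["pass" if m.group("pass") else "match"]
        if direction:
            parts.append(direction)
        parts += ["on", m.group("ifc")]
        body = m.group("body").strip()
        if body:
            parts.append(body)
        parts += [option, m.group("target")]
        return " ".join(parts)
    m = ROUTE_RE.match(stripped)
    if m:
        # route-to & co. moved into filteropts, i.e. after the filter body.
        return f"{m.group('head')} {m.group('rest')} {m.group('opt')}"
    return line  # comments, options, anchors, ordinary filter rules: unchanged


def convert_ruleset(text):
    """Convert a whole pf.conf, preserving line order (the converter never reorders)."""
    out = [convert_rule(line) for line in text.splitlines()]
    return "\n".join(line for line in out if line is not None)


def shadowed_by_block(text):
    """Return pass+translation rules that a later bare 'block' would override
    under 4.7 last-match semantics; these must be moved below the block."""
    lines = [line.strip() for line in text.splitlines()]
    shadowed = []
    for i, line in enumerate(lines):
        translating = any(opt in line for opt in (" nat-to ", " rdr-to ", " binat-to "))
        if line.startswith("pass") and translating and "block" in lines[i + 1:]:
            shadowed.append(line)
    return shadowed


# Constructed sample: the translation section of the question's 4.6 ruleset,
# with 'block' after the rdr rules exactly as in that file.
SAMPLE_46 = """\
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
anchor "ftp-proxy/*"
block
"""

if __name__ == "__main__":
    converted = convert_ruleset(SAMPLE_46)
    print(converted)
    for rule in shadowed_by_block(converted):
        print("# WARNING: overridden by a later 'block':", rule)
```

The warning is the part worth reading: a faithful line-by-line conversion of the 4.6 file leaves `block` after the new `pass in ... rdr-to` rules, and in 4.7 that bare `block` wins, which is why the ordering has to be fixed by hand before loading. Whatever the script produces, check it on the target box with `pfctl -nf <file>` (parse only, no load) before replacing /etc/pf.conf.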

It seems nobody can or wants to help me… 🙁

But I managed to get it working myself. Here is the working pf.conf (for OpenBSD 4.8):

    # $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
    #
    # See pf.conf(5) for syntax and examples; this sample ruleset uses
    # require-order to permit mixing of NAT/RDR and filter rules.
    # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
    # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

    ext_if="pppoe0"
    int_if="nfe0"
    int_net="192.168.0.0/24"

    polemon="192.168.0.10"
    poletopw="192.168.0.12"
    segatop="192.168.0.20"

    table <leechers> persist

    set loginterface $ext_if
    set skip on lo

    match on $ext_if all scrub (no-df max-mss 1440)

    altq on $ext_if priq bandwidth 950Kb queue {q_pri, q_hi, q_std, q_low}
    queue q_pri priority 15
    queue q_hi priority 10
    queue q_std priority 7 priq(default)
    queue q_low priority 0

    block

    match out on $ext_if from !($ext_if) nat-to ($ext_if)
    pass in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
    pass in on $ext_if proto tcp to port 2080 rdr-to $segatop port 80
    pass in on $ext_if proto tcp to port 2022 rdr-to $segatop port 22
    pass in on $ext_if proto tcp to port 4000 rdr-to $polemon port 4000
    pass in on $ext_if proto tcp to port 6600 rdr-to $polemon port 6600

    anchor "ftp-proxy/*"

    pass on $int_if queue(q_hi, q_pri)
    pass out on $ext_if queue(q_std, q_pri)
    pass out on $ext_if proto icmp queue q_pri
    pass out on $ext_if proto {tcp, udp} to any port ssh queue(q_hi, q_pri)
    pass out on $ext_if proto {tcp, udp} to any port http queue(q_std, q_pri)
    #pass out on $ext_if proto {tcp, udp} all queue(q_low, q_hi)
    pass out on $ext_if proto {tcp, udp} from <leechers> queue(q_low, q_std)

    pass in on $ext_if proto tcp to ($ext_if) port ident queue(q_hi, q_pri)
    pass in on $ext_if proto tcp to ($ext_if) port ssh queue(q_hi, q_pri)
    pass in on $ext_if proto tcp to ($ext_if) port http queue(q_hi, q_pri)
    pass in on $ext_if inet proto icmp all icmp-type echoreq queue q_pri

It has been working for me for more than six months now. Since nobody posted an answer and this basically works now, I decided to post my own solution. Given that this thread has over 1K views, it might help someone…