I'm running nginx on port 8080 and now I want to make it reachable from the Internet. To do that I opened a port on my router and added some rules to my PF, but sniffing with wireshark I see that the port is unreachable:
2013-01-16 19:15:57.376545 IP 192.168.1.2.34891 > XXX.XXX.XXX.XXX.8080: Flags [S], seq 1885349577, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 10383901 ecr 0], length 0
2013-01-16 19:15:57.378853 IP XXX.XXX.XXX.XXX.8080 > 192.168.1.2.34891: Flags [FR.], seq 0, ack 1885349578, win 0, length 0
2013-01-16 19:15:57.378910 IP XXX.XXX.XXX.XXX > 192.168.1.2: ICMP XXX.XXX.XXX.XXX tcp port 8080 unreachable, length 36
2013-01-16 19:15:57.379250 IP 192.168.1.2.53838 > XXX.XXX.XXX.XXX.8080: Flags [S], seq 2116090664, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 10383904 ecr 0], length 0
2013-01-16 19:15:57.380858 IP XXX.XXX.XXX.XXX.8080 > 192.168.1.2.53838: Flags [FR.], seq 0, ack 2116090665, win 0, length 0
2013-01-16 19:15:57.380912 IP XXX.XXX.XXX.XXX > 192.168.1.2: ICMP XXX.XXX.XXX.XXX tcp port 8080 unreachable, length 36
XXX.XXX.XXX.XXX is my external IP, and here is my PF file:
ext_if = "XXX"
tcp_services = "{80, 443, 22, 53, 8080}"
udp_services = "{53}"
int_ip = "{XX.XX.XX.XX}"
int_services = "{3306 ,8080}"
icmp_types = "{echoreq}"
icmp_dang = "{13, 14, 17, 18}"

#***************************************************** Options *****************************************************
set block-policy drop
set loginterface $ext_if
set skip on lo0
#set timeout 70000
#scrub in all on $ext_if all no-df min-ttl 50 fragment reassemble
scrub out on $ext_if random-id

#***************************************************** NAT *****************************************************
nat on egress from (self) to any -> ($ext_if)
rdr on $ext_if proto {udp, tcp} from any to 192.168.1.2 port 8080 -> 192.168.1.2 port 8080

#***************************************************** Rules *****************************************************
antispoof for $ext_if

# block in&out traffic
block drop in log(all) on $ext_if all
block drop out log(all ,user) on $ext_if all

# Allow ping and MTU path discovery
pass in on $ext_if inet proto icmp all icmp-type $icmp_types
pass out on $ext_if inet proto icmp all icmp-type $icmp_types
pass inet proto icmp all icmp-type unreach code needfrag

# pass out tcp&udp traffic for some ports
pass out on $ext_if inet proto tcp from any to any port \
    $tcp_services keep state
pass out on $ext_if inet proto udp from any to any port \
    $udp_services keep state
pass out on $ext_if inet proto {tcp, udp} from $int_ip port $int_services \
    to $int_ip port $int_services keep state

# pass in tcp&udp traffic for some ports
pass in on $ext_if inet proto tcp from any port $tcp_services \
    to any keep state
pass in on $ext_if inet proto udp from any port $udp_services \
    to any keep state
pass in on $ext_if inet proto {tcp, udp} from $int_ip port $int_services \
    to $int_ip port $int_services keep state

# pass IGMP traffic
pass in on $ext_if proto igmp all allow-opts

# Allow some ICMP types to get in
pass in inet proto icmp all icmp-type $icmp_types
I think the problem is that you are specifying the destination before the redirect.
If I'm not mistaken, you are using the older syntax (older than version 4.7), but here is how you would do it with the current syntax:
pass in on $ext_if proto tcp from any to $ext_if port 8080 rdr-to 192.168.1.2 port 8080
I'm fairly sure it can be used like this:
rdr on $ext_if proto tcp from any to any port 8080 -> 192.168.1.2 port 8080
Also, unless this is a very old installation, the keep state option is not necessary, since keeping connection state is PF's default behaviour.
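To make the two syntaxes concrete, here is an added example (not part of either post) of a minimal pf.conf fragment that forwards TCP/8080 from the Internet to 192.168.1.2 and exposes nothing else; the interface name em0 is a placeholder, and each section is an alternative for its PF version, not meant to be loaded together.

```pf
# Added example: forward TCP/8080 from the public address to 192.168.1.2.
# Assumptions: em0 holds the public address (placeholder name) and
# 192.168.1.2 is the nginx host on the LAN.
ext_if   = "em0"
web_srv  = "192.168.1.2"
web_port = "8080"

# Default deny on the external interface. PF uses last-match-wins, so
# the block rule comes first and the specific pass rules below override it.
block in log on $ext_if all

# ---------- Old syntax (OpenBSD before 4.7) ----------
# 1. Translation runs BEFORE filtering, so the rdr rule must match the
#    packet as it arrives from the Internet: destination = the PUBLIC
#    address on $ext_if. A rule written "to 192.168.1.2" can never match
#    an inbound Internet packet, so nothing gets redirected.
rdr on $ext_if proto tcp from any to $ext_if port $web_port -> $web_srv port $web_port

# 2. Filter rules then see the already-rewritten packet, so the pass rule
#    must allow the INTERNAL destination, not the public one.
#    (keep state is implicit on pass rules, as the answer notes.)
pass in on $ext_if proto tcp from any to $web_srv port $web_port

# ---------- Current syntax (OpenBSD 4.7 and later) ----------
# rdr-to is an option of the pass rule, and the match is written against
# the ORIGINAL (public) destination; PF rewrites it after the match.
pass in on $ext_if proto tcp from any to $ext_if port $web_port rdr-to $web_srv port $web_port
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; on the old syntax, `pfctl -sn` lists the translation rules separately from the filter rules shown by `pfctl -sr`, which makes it easy to confirm which address each stage is matching.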