Freebsd PF 做策略路由

loulancn

# /etc/pf.conf
# write by loulancn@163.com
set limit states 1000000
set limit frags 100000
set limit src-nodes 100000
set timeout tcp.established 3600
set timeout {tcp.closing 5,tcp.finwait 5,tcp.closed 5,udp.multiple 5,udp.single 5}

table <Lan_A> {192.168.0.0/16}
table <Lan_B> {172.16.0.0/12}
table <Lan_All> {192.168.0.0/16,172.16.0.0/12}

ip_pool_A="1.1.1.1/32"
ip_pool_B="2.2.2.2/32"

Lan_if="em1"
Lan_IP="3.3.3.3"

gw_A_if="xl0"
gw_A="1.1.1.1"

gw_B_if="em0"
gw_B="2.2.2.2"

nat on $gw_A_if from <Lan_All> to any -> $IP_Pool_A source-hash
nat on $gw_B_if from <Lan_All> to any -> $IP_Pool_B source-hash

pass quick on lo0 all

block in quick proto udp from <Lan_All> port 15000 to any

pass in quick on $Lan_if proto { tcp,udp,icmp } from <Lan_All> to $Lan_IP keep state
pass in quick on $Lan_if route-to ($gw_A_if $gw_A) proto { tcp,udp,icmp } from <Lan_A> to any keep state
pass in quick on $Lan_if route-to ($gw_B_if $gw_B) proto { tcp,udp,icmp } from <Lan_B> to any keep state

pass out quick on $gw_B_if keep state
pass out quick on $gw_A_if keep state

pass in quick on $Lan_if proto tcp from <Lan_All> to $ Lan_IP port 22 keep state

block all




http://loulan.lapp.cn/show-131-1.html

loulancn

以前在網(wǎng)上看到的一個是在服務器上做雙線的策略路由的

這個主要是針對雙線用戶通過策略路由NAT上網(wǎng)用的。

關于雙線負載均衡，可以參見我的Blog

http://loulan.lapp.cn/show-119-1.html

llzqq

http://72891.cn/viewthr ... 3Ddigest&page=1