- 論壇徽章:
- 0
|
spark8103 發(fā)表于 2012-03-12 09:18 ![]()
king_819能分享下你們bsd的防火墻設(shè)置不��!
分享一個(gè)生產(chǎn)環(huán)境中的pf腳本�,服務(wù)器的作用是作為squid前端緩存,squid開三個(gè)進(jìn)程���,pf進(jìn)行前端轉(zhuǎn)發(fā)
<master>為遠(yuǎn)程管理端
<web> 為后端web源端
<tools> 為備份����、ftp服務(wù)器端
<squidcs> 為squid多進(jìn)程端
注:腳本中的IP是進(jìn)行處理過的���,不是真實(shí)IP- # macros
- #int_if = "em1"
- ext_if = "em0"
- icmp_types = "echoreq"
- table <master> {202.192.14.56/29,222.102.153.92}
- table <ddos> persist
- table <gm> {220.109.120.23,201.141.105.27}
- table <web> {202.192.14.56/29,61.105.19.192/26,202.184.104.145,61.112.204.161,211.143.130.28}
- table <squidcs> {10.0.101.241,10.0.101.242,10.0.101.243}
- table <tools> {61.107.17.1,61.179.66.149}
- # options
- set block-policy return
- set loginterface $ext_if
- set limit states 60000
- # scrub
- scrub in all
- # nat/rdr
- rdr inet proto tcp to 58.201.147.105 port 80 -> <squidcs> port 60006 round-robin sticky-address
- # filter rules
- pass in quick inet from <master>
- block in quick from <ddos>
- block in all
- pass quick on lo0 all
- pass in quick inet proto tcp to lo0 port 60006
- pass in quick inet proto tcp to lo0 port 80
- pass in quick proto tcp to ($ext_if) port 80 flags S/SA synproxy state (max-src-conn 50, max-src-conn-rate 50/5, overload <ddos> flush)
- pass quick inet proto icmp all icmp-type $icmp_types
- pass out to <gm>
- pass out to <web>
- pass out to <tools>
|
|
免費(fèi)注冊(cè)
樓主: king_819
發(fā)表于 2012-03-12 09:18
發(fā)表于 2012-03-12 09:55
