I am planning to upgrade my OpenBSD from 4.6 to 4.7, and as you may or may not know, they changed the syntax of pf.conf.
This is from the upgrade guide:
pf(4) NAT syntax change
As described in more detail in this mailing list post, PF's separate nat/rdr/binat (translation) rules have been replaced by actions on regular match/filter rules. Simple rulesets can be converted like this:
nat on $ext_if from 10/8 -> ($ext_if)
rdr on $ext_if to ($ext_if) -> 1.2.3.4
becomes
match out on $ext_if from 10/8 nat-to ($ext_if)
match in on $ext_if to ($ext_if) rdr-to 1.2.3.4
and ...
binat on $ext_if from $web_serv_int to any -> $web_serv_ext
becomes
match on $ext_if from $web_serv_int to any binat-to $web_serv_ext
nat-anchor and/or rdr-anchor lines (e.g. for relayd(8), ftp-proxy(8) and tftp-proxy(8)) are no longer used and should be removed from pf.conf(5), leaving only the anchor lines. Translation rules related to these and to spamd(8) need to be adjusted accordingly.
Note: previously, translation rules had "stop at first match" behaviour, with binat evaluated first and then nat/rdr depending on the packet's direction. Now filter rules are subject to the usual "last match wins" behaviour, so care must be taken with rule ordering when converting.
pf(4) route-to/reply-to syntax change
The route-to, reply-to, dup-to and fastroute options in pf.conf have moved to filteropts;
pass in on $ext_if route-to (em1 192.168.1.1) from 10.1.1.1
pass in on $ext_if reply-to (em1 192.168.1.1) to 10.1.1.1
becomes
pass in on $ext_if from 10.1.1.1 route-to (em1 192.168.1.1)
pass in on $ext_if to 10.1.1.1 reply-to (em1 192.168.1.1)
Now, here is my current pf.conf:
# $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if="pppoe0"
int_if="nfe0"
int_net="192.168.0.0/24"
polemon="192.168.0.10"
poletopw="192.168.0.12"
segatop="192.168.0.20"
table <leechers> persist
set loginterface $ext_if
set skip on lo
match on $ext_if all scrub (no-df max-mss 1440)
altq on $ext_if priq bandwidth 950Kb queue {q_pri, q_hi, q_std, q_low}
queue q_pri priority 15
queue q_hi priority 10
queue q_std priority 7 priq(default)
queue q_low priority 0
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
rdr pass on $ext_if proto tcp to port 2022 -> $segatop port 22
rdr pass on $ext_if proto tcp to port 4000 -> $polemon port 4000
rdr pass on $ext_if proto tcp to port 6600 -> $polemon port 6600
anchor "ftp-proxy/*"
block
pass on $int_if queue(q_hi, q_pri)
pass out on $ext_if queue(q_std, q_pri)
pass out on $ext_if proto icmp queue q_pri
pass out on $ext_if proto {tcp, udp} to any port ssh queue(q_hi, q_pri)
pass out on $ext_if proto {tcp, udp} to any port http queue(q_std, q_pri)
#pass out on $ext_if proto {tcp, udp} all queue(q_low, q_hi)
pass out on $ext_if proto {tcp, udp} from <leechers> queue(q_low, q_std)
pass in on $ext_if proto tcp to ($ext_if) port ident queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port ssh queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port http queue(q_hi, q_pri)
pass in on $ext_if inet proto icmp all icmp-type echoreq queue q_pri
If anyone has experience porting a 4.6 pf.conf to 4.7, please help me make the right changes.
OK, here is the progress I have made so far:
I commented out the nat-anchor and rdr-anchor lines, as described in the guide:
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
And this is how I "converted" the rdr rules:
# old 4.6 translation rules kept as comments, each followed by its 4.7 match form
#nat on $ext_if from !($ext_if) -> ($ext_if)
match out on $ext_if from !($ext_if) nat-to ($ext_if)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
match in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
match in on $ext_if proto tcp to port 2080 rdr-to $segatop port 80
#rdr pass on $ext_if proto tcp to port 2022 -> $segatop port 22
match in on $ext_if proto tcp to port 2022 rdr-to $segatop port 22
#rdr pass on $ext_if proto tcp to port 4000 -> $polemon port 4000
match in on $ext_if proto tcp to port 4000 rdr-to $polemon port 4000
#rdr pass on $ext_if proto tcp to port 6600 -> $polemon port 6600
match in on $ext_if proto tcp to port 6600 rdr-to $polemon port 6600
Am I missing something? Is the ftp-proxy anchor fine as it is now? Do I need to change the other pass in on ... lines?
Answer 1
It seems nobody was able or willing to help me... :(
But I managed to get it working myself. Here is the working pf.conf (for OpenBSD 4.8):
# $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if="pppoe0"
int_if="nfe0"
int_net="192.168.0.0/24"
polemon="192.168.0.10"
poletopw="192.168.0.12"
segatop="192.168.0.20"
table <leechers> persist
set loginterface $ext_if
set skip on lo
match on $ext_if all scrub (no-df max-mss 1440)
altq on $ext_if priq bandwidth 950Kb queue {q_pri, q_hi, q_std, q_low}
queue q_pri priority 15
queue q_hi priority 10
queue q_std priority 7 priq(default)
queue q_low priority 0
block
match out on $ext_if from !($ext_if) nat-to ($ext_if)
pass in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in on $ext_if proto tcp to port 2080 rdr-to $segatop port 80
pass in on $ext_if proto tcp to port 2022 rdr-to $segatop port 22
pass in on $ext_if proto tcp to port 4000 rdr-to $polemon port 4000
pass in on $ext_if proto tcp to port 6600 rdr-to $polemon port 6600
anchor "ftp-proxy/*"
pass on $int_if queue(q_hi, q_pri)
pass out on $ext_if queue(q_std, q_pri)
pass out on $ext_if proto icmp queue q_pri
pass out on $ext_if proto {tcp, udp} to any port ssh queue(q_hi, q_pri)
pass out on $ext_if proto {tcp, udp} to any port http queue(q_std, q_pri)
#pass out on $ext_if proto {tcp, udp} all queue(q_low, q_hi)
pass out on $ext_if proto {tcp, udp} from <leechers> queue(q_low, q_std)
pass in on $ext_if proto tcp to ($ext_if) port ident queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port ssh queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port http queue(q_hi, q_pri)
pass in on $ext_if inet proto icmp all icmp-type echoreq queue q_pri
I have been using it for more than six months now. Since nobody posted an answer and it basically works, I decided to post my own solution. Given that this post has had over 1000 views, it might help someone...
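As an added example (not code from the original post, the OpenBSD project or the upgrade guide), here is a small Python rewriter for the 4.6 rule shapes quoted on this page: nat, rdr, binat, nat-/rdr-anchor, and the route-to/reply-to/dup-to/fastroute placement. It also applies the distinction the working ruleset above relies on: `rdr pass` becomes `pass in ... rdr-to`, while a bare `rdr` becomes `match in ... rdr-to` and still needs a separate pass rule behind a default `block`. The regular expressions, the comment text it emits for dropped anchors, and the sample input are my own constructions; it does not parse the full pf.conf(5) grammar, and anything it does not recognise is passed through unchanged so the result can be reviewed by hand and checked with `pfctl -nf` before loading.

```python
"""Translate OpenBSD 4.6-style pf.conf translation rules into 4.7 syntax.

Added example, not from the original post or the OpenBSD upgrade guide. Only the
rule shapes quoted on the page are handled; unknown lines pass through unchanged.
"""
import re

# nat on $ext_if from 10/8 -> ($ext_if)
NAT_RE = re.compile(r"^nat on (?P<if>\S+) from (?P<src>\S+) -> (?P<tgt>\S+)$")
# binat on $ext_if from $web_serv_int to any -> $web_serv_ext
BINAT_RE = re.compile(
    r"^binat on (?P<if>\S+) from (?P<src>\S+) to (?P<dst>\S+) -> (?P<tgt>\S+)$"
)
# rdr [pass] on $ext_if [proto tcp] [from X] to Y [port N] -> Z [port M]
RDR_RE = re.compile(
    r"^rdr(?P<pass> pass)? on (?P<if>\S+)(?P<filter>(?: .*?)?) -> "
    r"(?P<tgt>\S+)(?P<port> port \S+)?$"
)
# pass in on $ext_if route-to (em1 192.168.1.1) from 10.1.1.1
ROUTE_RE = re.compile(
    r"^(?P<head>(?:pass|block|match)\b[^()]*?) "
    r"(?P<opt>(?:route-to|reply-to|dup-to) \([^)]*\)|fastroute) (?P<rest>.+)$"
)
ANCHOR_RE = re.compile(r"^(?:nat|rdr)-anchor\b")


def convert_rule(line: str) -> str:
    """Rewrite one pf.conf line; comments, blanks and unknown rules are kept as-is."""
    rule = line.strip()
    if not rule or rule.startswith("#"):
        return line
    if ANCHOR_RE.match(rule):
        # The guide says to drop these and keep only the plain anchor line.
        return "# removed for 4.7 (translation anchors no longer exist): " + rule
    m = NAT_RE.match(rule)
    if m:
        return f"match out on {m['if']} from {m['src']} nat-to {m['tgt']}"
    m = BINAT_RE.match(rule)
    if m:
        return f"match on {m['if']} from {m['src']} to {m['dst']} binat-to {m['tgt']}"
    m = RDR_RE.match(rule)
    if m:
        # "rdr pass" both redirected and passed the packet, so it becomes a pass
        # rule carrying rdr-to (as in the working 4.8 ruleset). A bare "rdr"
        # becomes a match rule and still needs a later pass rule to get the
        # redirected traffic through a default "block".
        action = "pass in" if m["pass"] else "match in"
        return f"{action} on {m['if']}{m['filter']} rdr-to {m['tgt']}{m['port'] or ''}"
    m = ROUTE_RE.match(rule)
    if m:
        # Routing options are now filter options and go after the address part.
        return f"{m['head']} {m['rest']} {m['opt']}"
    return line


def convert_ruleset(text: str) -> str:
    """Rewrite a whole pf.conf one line at a time, preserving rule order."""
    return "\n".join(convert_rule(line) for line in text.splitlines())


# Constructed 4.6-style input assembled from the rule forms quoted on this page.
OLD_RULES = """\
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
binat on $ext_if from $web_serv_int to any -> $web_serv_ext
pass in on $ext_if route-to (em1 192.168.1.1) from 10.1.1.1
anchor "ftp-proxy/*"
block
pass in on $ext_if proto tcp to ($ext_if) port ssh queue(q_hi, q_pri)
"""

if __name__ == "__main__":
    print(convert_ruleset(OLD_RULES))
```

The rewriter keeps lines in their original order. Because 4.7 evaluates translation as part of the ordinary "last match wins" filter pass, the position of the converted rules relative to a default `block` still has to be reviewed by hand; the working ruleset above places `block` first and the `pass in ... rdr-to` rules after it.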