是否可以仅用一台 OpenBSD 服务器运行三台 OpenBSD 6.0-current 防火墙桥？

是否可以仅用一台 OpenBSD 服务器运行三台 OpenBSD 6.0-current 防火墙桥？

是否可以使用一台具有 6 个网卡的 OpenBSD 服务器配置多个防火墙桥？在这种情况下，这 3 个 OpenBSD 防火墙桥是否彼此完全独立？

cat /etc/sysctl.conf

# Default TTL for packets originated by this host (only matters for the host's
# own traffic; bridged packets keep their own TTL unless pf rewrites it).
net.inet.ip.ttl=255
# NOTE(review): IP forwarding is a layer-3 setting; a transparent bridge forwards
# at layer 2 and the bnx ports carry no addresses, so this appears unnecessary
# here — confirm whether something else on the host relies on it.
net.inet.ip.forwarding=1
# Do not emit ICMP redirects.
net.inet.ip.redirect=0

cat /etc/hostname.bnx0
up
-inet6

cat /etc/hostname.bnx1
up
-inet6

cat /etc/hostname.bnx2
up
-inet6

cat /etc/hostname.bnx3
up
-inet6

cat /etc/hostname.bnx4
up
-inet6

cat /etc/hostname.bnx5
up
-inet6

cat /etc/hostname.bridge0
add bnx0
add bnx1
blocknonip bnx0
blocknonip bnx1
link0
edge bnx0
edge bnx1
spanpriority 0
proto rstp
ptp bnx0
ptp bnx1
up

cat /etc/hostname.bridge1
add bnx2
add bnx3
blocknonip bnx2
blocknonip bnx3
link0
edge bnx2
edge bnx3
spanpriority 0
proto rstp
ptp bnx2
ptp bnx3
up

cat /etc/hostname.bridge2
add bnx4
add bnx5
blocknonip bnx4
blocknonip bnx5
link0
edge bnx4
edge bnx5
spanpriority 0
proto rstp
ptp bnx4
ptp bnx5
up

cat /etc/pf.conf

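# pf.conf for three independent transparent bridges (bridge0..bridge2) on one
# host. Each bridge pairs one "external" and one "internal" bnx(4) port; the
# rules below are bound to the member ports, not to the bridge devices.
set block-policy return
# States are bound to the interface they were created on, so the "pass in on
# $int_if" and "pass out on $ext_if" rules each create their own state entry.
set state-policy if-bound
set optimization aggressive

# Member ports of each bridge (see /etc/hostname.bridge0..2).
ext_if_1 = "{bnx0}"
int_if_1 = "{bnx1}"

ext_if_2 = "{bnx2}"
int_if_2 = "{bnx3}"

ext_if_3 = "{bnx4}"
int_if_3 = "{bnx5}"

# LAN prefix behind each bridge. pf masks the host part, so 12.13.14.254/28
# means the /28 network containing that address.
lan_ip_1 = "{12.13.14.254/28}"

lan_ip_2 = "{13.14.15.254/29}"

lan_ip_3 = "{14.15.16.254/24}"

# ICMP types passed in both directions: 0 echo reply, 3 destination
# unreachable, 4 source quench, 8 echo request.
icmp_type = "{ 0, 3, 4, 8 }"

# "bnx" is the driver interface group, i.e. all six bnx ports at once.
# NOTE(review): min-ttl 255 raises the TTL of every forwarded packet, which
# also defeats traceroute through the bridges — confirm this is intended.
match log (user) on bnx set (tos ef) scrub (max-mss 1460, min-ttl 255, random-id, reassemble tcp, no-df)

# Default deny. Only the inet6 rule is "quick"; for everything else pf's
# last-match rule applies, so for IPv4 TCP the winning block rule is the last
# return-rst rule below.
# NOTE(review): the return-rst(ttl N) rules carry no "log" keyword, so blocked
# IPv4 TCP is not logged even though "block log all" is present — add "log"
# to them if blocked TCP should appear in pflog.
block log all
block log quick inet6 all
block return log
block return-rst log inet proto tcp all
# These differ only in the TTL of the RST sent back (ttl 7 is absent from the
# series, which is harmless).
block return-rst(ttl 1) inet proto tcp all
block return-rst(ttl 2) inet proto tcp all
block return-rst(ttl 3) inet proto tcp all
block return-rst(ttl 4) inet proto tcp all
block return-rst(ttl 5) inet proto tcp all
block return-rst(ttl 6) inet proto tcp all
block return-rst(ttl 8) inet proto tcp all
block return-rst(ttl 9) inet proto tcp all
block return-rst(ttl 10) inet proto tcp all
block return-rst(ttl 11) inet proto tcp all
block return-rst(ttl 12) inet proto tcp all
block return-rst(ttl 13) inet proto tcp all
block return-rst(ttl 14) inet proto tcp all
block return-rst(ttl 15) inet proto tcp all
block return-rst(ttl 16) inet proto tcp all

# (A second, identical "block log quick inet6 all" rule was removed here; the
# one above already matches first and is quick.)

# Bogon and private-space filter in both directions. The LAN prefixes above are
# public, so these do not interfere with the pass rules that follow.
block log quick from any to {192.168/16, 10/8, 172.16/12, 169.254/16, 224/4, 240/4, 0/8, 198.18/15, 192.0.2.0/24, 127/8, 255.255.255.255/32}

block log quick from {192.168/16, 10/8, 172.16/12, 169.254/16, 127/8, 224/4, 240/4, 0/8, 198.18/15, 192.0.2.0/24, 255.255.255.255/32} to any

# Stateful ICMP for the listed types, on every port and in both directions.
pass log quick inet proto icmp from any to any icmp-type $icmp_type keep state (max 1000, max-src-nodes 50, source-track rule)

# DNS and NTP from any of the three LANs: in on the internal ports, out on the
# external ports. "user = unknown" always holds for bridged (forwarded)
# traffic, so it does not restrict anything here.
pass in log quick on {$int_if_1, $int_if_2, $int_if_3} inet proto udp from {$lan_ip_1, $lan_ip_2, $lan_ip_3} port >1024 to any port {53, 123} user = unknown keep state (max 10000, max-src-nodes 5000, source-track rule)

pass out log quick on {$ext_if_1, $ext_if_2, $ext_if_3} inet proto udp from {$lan_ip_1, $lan_ip_2, $lan_ip_3} port >1024 to any port {53, 123} user = unknown keep state (max 10000, max-src-nodes 5000, source-track rule)

# Per-bridge TCP services. Stray ">" characters (mail-quoting artifacts) were
# removed from the bridge-1 and bridge-2 rules; they were not valid pf syntax.
# NOTE(review) on all six rules below:
#  - os "unknown" matches only SYNs whose passive fingerprint is not in pf.os,
#    so hosts with a recognised fingerprint are *not* passed — confirm intended.
#  - max-src-nodes 1 with source-track rule tracks a single source address per
#    rule at a time, i.e. one LAN host — confirm intended.
#  - tag/tagged ties each outbound rule to packets admitted by its inbound rule.
pass in log quick on $int_if_1 inet proto tcp from $lan_ip_1 port >1024 os "unknown" to any port {22, 25, 53, 80, 443, 587, 1194} user = unknown flags S/SAFRUP modulate state (max 10000, max-src-conn 5000, max-src-nodes 1, source-track rule) tag mylan_ip_1

pass out log quick on $ext_if_1 inet proto tcp from $lan_ip_1 port >1024 os "unknown" to any port {22, 25, 53, 80, 443, 587, 1194} user = unknown flags S/SAFRUP modulate state (max 10000, max-src-conn 5000, max-src-nodes 1, source-track rule) tagged mylan_ip_1

pass in log quick on $int_if_2 inet proto tcp from $lan_ip_2 port >1024 os "unknown" to any port 22 user = unknown flags S/SAFRUP modulate state (max 10, max-src-conn 1, max-src-nodes 1, source-track rule) tag mylan_ip_2

pass out log quick on $ext_if_2 inet proto tcp from $lan_ip_2 port >1024 os "unknown" to any port 22 user = unknown flags S/SAFRUP modulate state (max 10, max-src-conn 1, max-src-nodes 1, source-track rule) tagged mylan_ip_2

pass in log quick on $int_if_3 inet proto tcp from $lan_ip_3 port >1024 os "unknown" to any port 443 user = unknown flags S/SAFRUP modulate state (max 100, max-src-conn 8, max-src-nodes 1, source-track rule) tag mylan_ip_3

pass out log quick on $ext_if_3 inet proto tcp from $lan_ip_3 port >1024 os "unknown" to any port 443 user = unknown flags S/SAFRUP modulate state (max 100, max-src-conn 8, max-src-nodes 1, source-track rule) tagged mylan_ip_3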
