<原創(chuàng)>用PF限制部分機(jī)器上網(wǎng)完美方案公司上網(wǎng)方式通過(guò)FreeBSD6.1+PF,最近公司領(lǐng)導(dǎo)要求只允許部分機(jī)器上網(wǎng),一直沒(méi)有在網(wǎng)上找到有關(guān)用PF來(lái)限制部分機(jī)器上網(wǎng)的資料,現(xiàn)在寫個(gè)草稿歡迎各位老大,各們前輩,指點(diǎn)修改有問(wèn)題的地方;
(實(shí)現(xiàn)功能:現(xiàn)在要求IP為10.0.0.1,10.0.0.6,10.0.0.8,10.0.016,10.0.0.20 這五個(gè)IP能上網(wǎng),其它全部不
能上)
int_if = "fxp0"            # internal (LAN) interface
ext_if = "rl0"             # external (Internet) interface
icmp_types = "echoreq"     # defined but not referenced by any rule below
router_ip = "{ 10.0.0.1, 10.0.0.6, 10.0.0.8, 10.0.0.16, 10.0.0.20 }"   # hosts allowed on the Internet (the closing quote was missing)
set block-policy return    # blocked packets get a TCP RST / ICMP unreachable instead of being dropped silently
set loginterface $ext_if   # collects per-interface counters for "pfctl -s info"; it does not log packets (that needs "log" on a rule)
scrub in all               # normalize and reassemble inbound traffic
nat on $ext_if from $router_ip to any -> ($ext_if)   # only the allowed hosts are translated out to the Internet
block all                  # default deny: everything not explicitly passed below is blocked
pass quick on lo0 all      # loopback interface
pass quick on tun0 all     # ADSL users: do not forget this one, or you will not get online! Haha
pass in on $int_if from $router_ip to any keep state    # accept traffic from the allowed hosts on the LAN side
pass out on $int_if from any to $router_ip keep state   # and let replies go back to them
pass out on $ext_if proto tcp all modulate state flags S/SA   # outbound TCP: only a fresh SYN creates state
pass out on $ext_if proto { tcp, udp } all keep state         # outbound TCP and UDP toward the Internet
The above took a whole morning of repeated debugging, but the experiment finally succeeded! Haha, sharing it with the CU brothers right away!
[ This post was last edited by qdmacat on 2007-1-7 16:01 ]
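The same policy written the way a PF administrator would usually build it, as an added example that is not the original poster's configuration: the allowed hosts live in a PF table instead of a macro, so entries can be added or removed at runtime with pfctl without reloading the ruleset, and attempts from non-allowed LAN hosts are logged to pflog0 so the rule's effect can be watched. It assumes the interface names (fxp0, rl0, tun0) and the five addresses from the post above; the table name `allowed` and the `pppoe_if` macro are this example's own choices.

```pf
# Added example, not the original poster's config. Assumes the interfaces and
# addresses from the post above; "allowed" and "pppoe_if" are names chosen here.
int_if   = "fxp0"   # LAN side
ext_if   = "rl0"    # Internet side
pppoe_if = "tun0"   # only matters for ADSL/PPPoE setups (assumed to match the post)

# Hosts allowed to reach the Internet. "persist" keeps the table around even
# when it is emptied, so it can be managed with: pfctl -t allowed -T add|delete|show
table <allowed> persist { 10.0.0.1, 10.0.0.6, 10.0.0.8, 10.0.0.16, 10.0.0.20 }

set block-policy return
set loginterface $ext_if   # counters only; per-packet logging comes from "log" on the block rule below

scrub in all

# Only table members are translated; everyone else has no path to the Internet.
nat on $ext_if from <allowed> to any -> ($ext_if)

# Default deny.
block all

# Record every attempt from a LAN host that is not in the table to pflog0.
block in log quick on $int_if from !<allowed> to any

pass quick on lo0 all
pass quick on $pppoe_if all

# Allowed hosts in from the LAN, and replies back out to them.
pass in  on $int_if from <allowed> to any keep state
pass out on $int_if from any to <allowed> keep state

# Outbound toward the Internet.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto udp all keep state
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards a new host is admitted with `pfctl -t allowed -T add 10.0.0.30` and the current list is shown with `pfctl -t allowed -T show` (runtime additions are lost on reload unless they are also written into the file). With `pflog_enable="YES"` in rc.conf, `tcpdump -n -e -ttt -i pflog0` shows which LAN hosts are being blocked. One caveat a practitioner should keep in mind: the only credential here is the source IP address, so a user who reconfigures their machine to one of the allowed addresses while that host is switched off gets through; pairing the table with fixed DHCP reservations and switch port security is what actually ties the allowance to a machine.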