hzl88688 posted on 2006-5-13 21:29:58

[05.04] Does anyone have a 网络尖兵 environment? Please help test whether this works!

Use beta3!

hfjuncn posted on 2006-5-14 11:30:42

I tested freebsd+pf last night with everything else turned off, and still got blocked.
I probably won't have time to test beta3 today, but the disc is already burned; I'll see whether I can test it for you tomorrow.

new posted on 2006-5-14 15:23:08

By PF I mean pfSense, not packet filtering in general. You just use scrub to rewrite the packets.
Also, TO hfjuncn:
Please check whether the scrub command in your freebsd+pf setup actually took effect. Have you captured packets to look?

hfjuncn posted on 2006-5-15 10:16:58

I'm on freebsd+pf and also using scrub. I tried capturing packets but don't understand them very well; I saw that the ipid is random, but the ttl didn't take effect, i.e. it wasn't the specific value I set.
pfsense uses pf too, right? I haven't tested it yet, but if a pure pf.conf can avoid getting blocked I'll have to look at it closely.

new posted on 2006-5-15 14:46:28

If you set a ttl and it didn't take effect, that means the scrub you added isn't working. Check carefully whether the command is right, especially whether the external interface is written correctly.

hfjuncn posted on 2006-5-15 23:32:01

The command should be correct, I've read the manual many times. Could I be capturing packets wrong?
scrub on $ext_if all fragment reassemble reassemble tcp random-id no-df min-ttl 128 max-mss 1452
where $ext_if is tun0; later I also applied scrub to both network cards.

hfjuncn posted on 2006-5-15 23:33:58

My pf.conf:

ext_if="tun0"
int_if="rl1"
loop="lo0"
tcp_services = "22"
internal_net="192.168.0.0/24"
external_addr="192.168.10.3"
squid="192.168.0.1"
set block-policy return
set loginterface $ext_if
# normalisation on the PPPoE interface; note min-ttl only raises a TTL below 128, it never lowers one
scrub on $ext_if all fragment reassemble reassemble tcp random-id no-df min-ttl 128 max-mss 1400
# transparent squid for LAN web traffic, plus one port forward to an internal host
rdr on $int_if proto tcp from $internal_net to any port http -> $squid port 3128
rdr on $ext_if inet proto tcp from any to ($ext_if) port 6251 -> 192.168.0.18
block return-rst out on $ext_if proto tcp all
block return-rst in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp in on $ext_if proto udp all
block all
pass quick on $loop all
# illegal TCP flag combinations (SYN/FIN, XMAS, null and FIN-only scans)
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags SFUP/SFRAU
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU

block in quick on $ext_if inet proto icmp all icmp-type 8 code 0
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto tcp from any to 192.168.0.18 port 6251 keep state
block drop in quick on $ext_if from $internal_net to any
block drop out quick on $ext_if from any to $internal_net
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Danger_Port="{445 135 139 593 5554 9995 9996}"
block quick on $int_if inet proto tcp from any to any port $Danger_Port
block quick on $ext_if inet proto tcp from any to any port $Danger_Port
block log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block quick on $ext_if inet proto tcp from any to any flags /SFRA
# passive OS fingerprinting needs "from ... os" and only works on TCP
block quick on $ext_if inet proto tcp from any os NMAP to any
# loopback, RFC 1918 and broadcast addresses have no business on the external interface
noroute="{127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32}"
antispoof quick for $int_if inet
block quick on $ext_if inet from $noroute to any
block quick on $ext_if inet from any to $noroute

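The check new keeps asking for (did scrub really rewrite the ttl and ipid? look at the capture) can be made concrete. What follows is an added example, not code from the thread, from pf or from 网络尖兵: a small Python script that parses tcpdump -nv style output and applies the obvious shared-connection heuristic an ISP-side detector could run on the two IP header fields that scrub rewrites, namely several distinct TTL values and several independently incrementing IP ID counters. How 网络尖兵 actually decides is not known from this thread, so the heuristic is an assumption, and both captures are constructed: one as the packets of a Windows host and a Linux host behind the NAT would leave tun0 without scrub, the other as they would leave after "scrub on tun0 all no-df min-ttl 128 random-id".

```python
"""Toy shared-connection detector over tcpdump -v output (added example)."""
import re
from collections import Counter

# IP header summary as printed by "tcpdump -nv", e.g.
#   IP (tos 0x0, ttl 127, id 1000, offset 0, flags [DF], proto TCP (6), length 60)
# Only the ttl / id / flags fields are used; the rest of the line is ignored.
IPHDR_RE = re.compile(r"ttl (\d+), id (\d+), offset \d+, flags \[([^\]]*)\]")


def parse_tcpdump(text):
    """Return one (ttl, ip_id, df_set) tuple per packet found in the capture text."""
    pkts = []
    for line in text.splitlines():
        m = IPHDR_RE.search(line)
        if m:
            pkts.append((int(m.group(1)), int(m.group(2)), "DF" in m.group(3)))
    return pkts


def count_ipid_chains(ip_ids, max_gap=32):
    """Count runs of IP IDs that increase by small steps.

    A host with a global per-packet IP ID counter (Windows, older Linux) leaves
    one such chain; two hosts behind the same NAT leave two interleaved chains.
    IDs rewritten by 'scrub random-id' practically never chain, so they end up
    as single-packet leftovers that are not counted.
    """
    last_id = []   # most recent ID in each chain
    members = []   # packets attributed to each chain
    for ip_id in ip_ids:
        for i, last in enumerate(last_id):
            if 0 < (ip_id - last) % 65536 <= max_gap:
                last_id[i] = ip_id
                members[i] += 1
                break
        else:
            last_id.append(ip_id)
            members.append(1)
    return sum(1 for n in members if n >= 2)


def analyse(text):
    """Run the TTL / IP-ID heuristic over a capture and return the verdict."""
    pkts = parse_tcpdump(text)
    ttls = Counter(ttl for ttl, _, _ in pkts)
    chains = count_ipid_chains([ip_id for _, ip_id, _ in pkts])
    return {
        "packets": len(pkts),
        "ttls": sorted(ttls),
        "ipid_chains": chains,
        "df_seen": any(df for _, _, df in pkts),
        # more than one TTL, or more than one ID counter, means more than one host
        "looks_shared": len(ttls) > 1 or chains > 1,
    }


def constructed_capture(rows):
    """Format (ttl, ip_id, flags) rows as tcpdump -nv lines.  Constructed sample data
    for this example; 192.0.2.0/24 and 198.51.100.0/24 are documentation prefixes."""
    return "\n".join(
        "12:00:%02d.000000 IP (tos 0x0, ttl %d, id %d, offset 0, flags [%s], "
        "proto TCP (6), length 60) 192.0.2.10.%d > 198.51.100.1.80: Flags [S]"
        % (i, ttl, ip_id, flags, 1025 + i)
        for i, (ttl, ip_id, flags) in enumerate(rows)
    )


# Without scrub: a Windows box (TTL 128, minus one hop = 127, sequential IDs) and a
# Linux box (TTL 64 -> 63, its own sequential IDs) share one ADSL line.
BEFORE_SCRUB = constructed_capture([
    (127, 1000, "DF"), (63, 20000, "DF"), (127, 1001, "DF"), (63, 20001, "DF"),
    (127, 1002, "DF"), (63, 20002, "DF"), (127, 1003, "DF"), (63, 20003, "DF"),
])

# With "scrub on tun0 all no-df min-ttl 128 random-id": both hosts leave with TTL 128
# (min-ttl raises a lower TTL, it never lowers a higher one), DF cleared, random IDs.
AFTER_SCRUB = constructed_capture([
    (128, 41233, "none"), (128, 9021, "none"), (128, 60187, "none"), (128, 27744, "none"),
    (128, 3359, "none"), (128, 52418, "none"), (128, 18630, "none"), (128, 47105, "none"),
])

if __name__ == "__main__":
    for label, cap in (("before scrub", BEFORE_SCRUB), ("after scrub", AFTER_SCRUB)):
        print(label, analyse(cap))
```

To run it against real traffic, capture outgoing SYNs on the gateway with "tcpdump -nvi tun0 'tcp[tcpflags] & tcp-syn != 0'" and hand the text to analyse(); the regex assumes the "ttl N, id N, offset N, flags [..]" field order of tcpdump's -v IP header summary, so compare it with one line from your own tcpdump version first. The after-scrub capture also illustrates what min-ttl does and does not do: it does not pin the TTL to a value, it only raises a TTL that is below 128. Windows packets arrive at 127 after the NAT hop and go back out as 128, a Linux host's 63 is raised to 128 as well, but anything already at or above 128 passes through unchanged.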
new posted on 2006-5-16 09:29:15

Have you confirmed pf is enabled? That the rules are loaded? Are you on ADSL dial-up?

hfjuncn posted on 2006-5-16 10:43:55

Confirmed pf is enabled and the rules are loaded; pfctl -sa|more shows the rules.
I'm on China Telecom ADSL dial-up, so the external interface is tun0. None of that should be wrong.

new posted on 2006-5-16 10:59:40

Then try pfsense. I've checked with packet captures: scrub can change ttl, mtu, no-df, etc.