Thread starter: hzl88688

[05.04] Does anyone have a 网络尖兵 environment? Please help test the results!

Thread starter | Posted on 2006-5-13 21:29:58

Use beta3!
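Posted on 2006-5-14 11:30:42

Last night I tested freebsd+pf with everything else turned off, and I still got blocked.
I probably won't have time to test beta3 today, but I have already burned the disc. I'll see whether I can help you test it tomorrow.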
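Posted on 2006-5-14 15:23:08

By PF I mean pfSense, not packet filtering specifically. That is, using scrub to rewrite the packets.
Also, TO hfjuncn:
Please check whether the scrub command in your freebsd+pf is really taking effect. Have you looked at a packet capture?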
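Posted on 2006-5-15 10:16:58

I am using freebsd+pf, also with scrub. I tried capturing packets, but I don't understand it very well. I saw that the ipid is random, but the ttl did not take effect, that is, it was not set to any specific value.
pfsense uses pf too, doesn't it? I haven't tested it yet. If a plain pf.conf alone can avoid getting blocked, that would be well worth a close look.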
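Posted on 2006-5-15 14:46:28

If you set the ttl and it did not take effect, the scrub you added is not working. Check carefully whether the command is right, especially whether the external interface is written correctly.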
Posted on 2006-5-15 23:32:01

The command should be correct; I have read the manual many times. Could I have made a mistake with the packet capture?
scrub on $ext_if all fragment reassemble reassemble tcp random-id no-df  min-ttl 128 max-mss 1452
Here $ext_if is tun0; later I also applied scrub to both network cards.
Posted on 2006-5-15 23:33:58

My pf.conf:

ext_if="tun0"
int_if="rl1"
loop="lo0"
tcp_services = "22"
internal_net="192.168.0.0/24"
external_addr="192.168.10.3"
squid="192.168.0.1"
set block-policy return
set loginterface $ext_if
scrub on $ext_if all fragment reassemble reassemble tcp random-id no-df min-ttl 128 max-mss 1400
rdr on $int_if proto tcp from $internal_net to any port http -> $squid port 3128
rdr on $ext_if inet proto tcp from any to ($ext_if) port 6251 -> 192.168.0.18
block return-rst out on $ext_if proto tcp all
block return-rst in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp in on $ext_if proto udp all
block all
pass quick on $loop all
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags SFUP/SFRAU
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU

block in quick on $ext_if inet proto icmp all icmp-type 8 code 0
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto tcp from any to 192.168.0.18 port 6251 keep state
block drop in quick on $ext_if from $internal_net to any
block drop out quick on $ext_if from any to $internal_net
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Danger_Port="{445 135 139 593 5554 9995 9996}"
block quick on $int_if inet proto tcp from any to any port $Danger_Port
block quick on $ext_if inet proto tcp from any to any port $Danger_Port
block log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block quick on $ext_if inet proto tcp from any to any flags /SFRA
block quick on $ext_if os NMAP
noroute="{127.0.0.1/8,127.16.0.0/12,10.0.0/8,255.255.255.255/32}"
antispoof quick for $int_if inet
block quick on $ext_if inet from $noroute to any
block quick on $ext_if inet from any to $noroute
Posted on 2006-5-16 09:29:15

Have you confirmed that pf is enabled? That the rules are loaded? Are you on ADSL dial-up?
Posted on 2006-5-16 10:43:55

I have confirmed that pf is enabled and the rules are loaded; pfctl -sa|more shows the rules.
I am on China Telecom ADSL dial-up, so the external interface is tun0. These should all be correct.
Posted on 2006-5-16 10:59:40

Then try pfsense. I have looked at packet captures, and scrub can change ttl, mtu, no-df and so on.
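
Added example, not part of the thread: one way to check from a captured outbound packet whether the scrub options quoted above (min-ttl 128, no-df, max-mss 1452) actually took effect. The function names and both sample packets are constructed for illustration; the input is assumed to be raw IPv4 bytes with the link-layer header already removed.

```python
import struct

# Constructed sample packets (IPv4 + TCP SYN, checksums zeroed), hex-encoded.
# UNSCRUBBED: TTL 127, DF set, MSS 1460. SCRUBBED: TTL 128, DF clear, MSS 1452.
UNSCRUBBED = bytes.fromhex(
    "4500002c123440007f060000c0a80a03cb007105"
    "c000005000000001000000006002ffff00000000020405b4")
SCRUBBED = bytes.fromhex(
    "4500002c9c41000080060000c0a80a03cb007105"
    "c000005000000001000000006002ffff00000000020405ac")

def parse_ipv4(pkt):
    """Return the header fields that the scrub options rewrite."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, flags_frag = struct.unpack("!HH", pkt[4:8])
    info = {"ttl": pkt[8], "df": bool(flags_frag & 0x4000),
            "ip_id": ip_id, "mss": None}
    tcp = pkt[ihl:]
    if pkt[9] != 6 or len(tcp) < 20 or not tcp[13] & 0x02:
        return info                      # MSS only appears in TCP SYN segments
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i = 0
    while i < len(opts) and opts[i] != 0:        # 0 = end of option list
        if opts[i] == 1:                         # 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                                # malformed option, stop
        if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            info["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return info

def check_scrub(pkt, min_ttl=128, max_mss=1452):
    """List the scrub options that visibly did NOT apply to this packet."""
    f = parse_ipv4(pkt)
    problems = []
    if f["ttl"] < min_ttl:
        problems.append("min-ttl: ttl=%d" % f["ttl"])
    if f["df"]:
        problems.append("no-df: DF bit still set")
    if f["mss"] is not None and f["mss"] > max_mss:
        problems.append("max-mss: mss=%d" % f["mss"])
    return problems      # random-id needs several packets, so it is not judged here

if __name__ == "__main__":
    for name, pkt in (("unscrubbed", UNSCRUBBED), ("scrubbed", SCRUBBED)):
        print(name, parse_ipv4(pkt), check_scrub(pkt))
```

Pass `max_mss=1400` to check against the value used in the posted pf.conf instead of the 1452 from the single scrub line.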