どうしても ipfw で動かない機能があったので
PFではどうかと思いチャレンジ!!
参考サイト
http://www.daily-labo.com/content_22.html
http://wirednoize.net/freebsd/index.php?pf (Packet Filter)
を参考に
動かすだけなら、、非常に簡単でした。。
1)カーネルのコンパイル(どうもなくても動きそうです。。)
GENERIC に追加した物
# ================================
device pf
device pflog
device pfsync
#
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
#==========================================
2) rc.conf に追加
#==========================================
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/packet_filter/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
#==========================================
3) pf.conf の作成
#==========================================
ext_if = "vge0"
ext_addr = "192.168.24.180"
int_if = "vge1"
int_addr = "192.168.12.180"
table
table
table
192.0.2/24, 192.88.99/24, 198.18/15, 223.255.255/24, 224/4, 240/4 }
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface vge0
set block-policy drop
set optimization normal
set state-policy if-bound
set require-order yes
set fingerprints "/etc/paket_filter/pf.os"
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all max-mss 1414
nat on $ext_if inet from 192.168.12.0/24 to !
block in log all
block out log all
block in log quick on $ext_if from {
pass in on $ext_if proto tcp from any to $ext_addr port {smtp domain http} flags S/SA keep state
block in log quick on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} to $ext_addr port smtp
block return-rst in quick on $ext_if proto tcp from any to any port 113
block in log quick on $ext_if proto tcp all
pass in quick on $ext_if proto udp from any to $ext_addr port domain keep state
block in log quick on $ext_if proto udp all
pass in quick on $ext_if inet proto icmp all icmp-type 3
pass in quick on $ext_if inet proto icmp all icmp-type 11
block in log quick on $ext_if proto icmp all
block out quick on $ext_if from any to {
block out quick on $ext_if proto {tcp udp} from any to any port 135
block out quick on $ext_if proto {tcp udp} from any to any port 137:139
block out quick on $ext_if proto {tcp udp} from any to any port 445
block out quick on $ext_if proto {tcp udp} from any to any port 1433:1434
pass out quick on $ext_if proto tcp all modulate state
pass out quick on $ext_if proto udp all keep state
pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
block out log quick on $ext_if proto icmp all
pass in quick on $int_if all
pass out quick on $int_if all
pass in quick on lo0 all
pass out quick on lo0 all
#==========================================
でNATととしては動作しました、
これから運用して試してみます。