ipf问题，大家帮帮我呀

cls · 发表于 2005-7-27 01:40:01

我要实现的功能是

某个用户只能用25和110端口。别的端口都不能用

这样的规则我要怎么写呀？

pass in quick on vr1 proto tcp/udp from 192.168.0.10/32 port = 21 to any keep state
block in on vr1 from 192.168.0.10/32 to any

这个没有用的

cls · 发表于 2005-7-27 07:59:17

还有就是我想让某个内网用户只能使用内网。不能出外网。
这样要怎么写规则呀

Eg_zm · 发表于 2005-7-28 16:31:03

pass in quick on vr1 proto tcp from 192.168.0.10/32 to any port = 25 keep state
pass in quick on vr1 proto tcp from 192.168.0.10/32 to any port = 110 keep state
block in quick on vr1 from 192.168.0.10/32 to any

记得把这些防在你的规则的最上面．

防火墙是防在边界的，控制你的内网和外网的使用的，不经过他的流量是没有办法控制的，这个你要明白．

cls · 发表于 2005-7-29 22:15:08

block in quick all with short
block in quick all with ipopts
block in log quick all with short
block in log quick all with ipopts
pass in quick on vr0 proto tcp from 192.168.0.10/32 to any port = 25 keep state
pass in quick on vr0 proto tcp from 192.168.0.10/32 to any port = 110 keep state
block in quick on vr0 from 192.168.0.10/32 to any
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick all
pass out quick all

我所有的规则是这样的。

vr0 是外网卡
vr1 是内网卡

用vr1的话。指定的客户机就连内网也上不了。
vr0 什么反应也没有。一样能上呀

gvim · 发表于 2005-7-29 22:24:56

我回答不了你，你可以去www.freebsdchina.org或者cnfug问，那里高手非常多．

Eg_zm · 发表于 2005-8-1 13:38:51

Post by cls
block in quick all with short
block in quick all with ipopts
block in log quick all with short
block in log quick all with ipopts
pass in quick on vr0 proto tcp from 192.168.0.10/32 to any port = 25 keep state
pass in quick on vr0 proto tcp from 192.168.0.10/32 to any port = 110 keep state
block in quick on vr0 from 192.168.0.10/32 to any
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick all
pass out quick all

我所有的规则是这样的。

vr0 是外网卡
vr1 是内网卡

用vr1的话。指定的客户机就连内网也上不了。
vr0 什么反应也没有。一样能上呀

block in quick all with ipopts
block in log quick all with short
block in log quick all with ipopts
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on vr0 proto tcp from 192.168.0.10/32 to any port = 25 keep state
pass in quick on vr0 proto tcp from 192.168.0.10/32 to any port = 110 keep state
pass in quick on vr1 all keep state
pass out quick on vr1 all keep state
pass out quick on vr0 all keep state

cls · 发表于 2005-8-3 11:56:32

多谢楼上的。
vr0和vr1都要写入规则

基本是搞定了。我再测试测试

cls · 发表于 2005-8-3 17:00:36

pass 再 block 好像pass就不起作用了？不知道怎么回事？
好像是解析域名有问题。

暂时的办法是用block不用的端口。用的端口不管它好象可以用

		自动登录	找回密码
密码			注册