Original post: http://bbs3.chinaunix.net/thread-1522657-1-1.html
Many thanks to congli.
Tested successfully. It turns out nat-anchor and rdr-anchor are used just like an ordinary anchor; the only restriction is where they may be placed. That was what I thought all along, I just couldn't get it to work, but when I tried again today everything was OK.
Here is a rough record of the experiment; anyone who has read up on PF should see the point at a glance.
Going back to the first post and comparing the rule I wrote before:
echo "pass in on xl0 inet proto tcp from any to 192.168.0.23 "|pfctl -a "myanchor/new_rules" -f
The difference is myanchor/new_rules ==>> myanchor:new_rules; just replace the / with a :.
Taking rdr-anchor as an example, a brief note.
Set up an rdr-anchor relayd/*
Add a rule:
sudo sh -c 'echo "rdr on xl0 inet proto tcp from any to any port 80 -> 192.168.0.115 port 8080"|pfctl -a relayd:web -f -'
Show all anchors:
$ sudo pfctl -sA
goodguys
myanchor
nat_anchor
relayd
relayd:web <<--------- the newly added web port forward
View the relayd:web rules just added:
$ sudo pfctl -a "relayd:web" -sn
rdr on xl0 inet proto tcp from any to any port = http -> 192.168.0.115 port 8080
Clear the relayd:web rules:
[bsd@bsd ] $ sudo pfctl -a "relayd:web" -F nat
nat cleared <<--- confirms the flush succeeded
Check whether it was cleared:
[bsd@bsd ] $ sudo pfctl -sA
goodguys
myanchor
nat_anchor
relayd
=================================================
Set up a nat-anchor nat_anchor/*
sudo sh -c 'echo "nat on xl0 from 192.168.0.23 to any -> xl0 "|pfctl -a nat_anchor:tt -f -'
sudo pfctl -sA
goodguys
myanchor
nat_anchor
nat_anchor:tt
relayd
$ sudo pfctl -a "nat_anchor:tt" -sn
nat on xl0 inet from 192.168.0.23 to any -> { 192.168.1.222, 192.168.1.112, 192.168.1.113, 192.168.1.114, 192.168.1.115 } round-robin
[bsd@bsd ~] $ sudo pfctl -a "nat_anchor:tt" -F n
nat cleared
[bsd@bsd ~] $ sudo pfctl -a "nat_anchor:tt" -sn
pfctl: DIOCGETRULES: Invalid argument
[bsd@bsd ~] $ sudo pfctl -sA
goodguys
myanchor
nat_anchor
relayd
===============================================
Set up an anchor myanchor
$ sudo sh -c 'echo "pass in quick on xl0 from any to any "|pfctl -a myanchor:tt -f -'
$ sudo pfctl -sA
goodguys
myanchor
myanchor:tt
nat_anchor
relayd
$ sudo pfctl -a "myanchor:tt" -sr
pass in quick on xl0 all flags S/SA keep state
===========================
The usage of / and : does seem to differ a bit.
When using authpf, to view the rules loaded for a particular user you have to use the following form:
# pfctl -a "authpf/hsw(19490)" -s r
# pfctl -sA
authpf
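As an added helper (my own script, not from the original post), here is the same workflow wrapped in sh functions: load a rule into a sub-anchor with -a anchor:sub -f -, confirm it via pfctl -sA and -sn, then flush with -F nat. It assumes pfctl(8) is reachable as $PFCTL (set PFCTL="sudo pfctl" when not root); the anchor-name check is my own addition so that a caller-supplied name cannot slip extra arguments into the pfctl call.

```shell
#!/bin/sh
# Helpers for loading, checking and flushing rules in a pf sub-anchor.
# Assumption: pfctl(8) is reachable as $PFCTL (default "pfctl"; set
# PFCTL="sudo pfctl" when not root). $PFCTL is expanded unquoted on
# purpose so a two-word value like "sudo pfctl" splits into two words.
: "${PFCTL:=pfctl}"

# Accept only the characters pf anchor names use; spaces, quotes and
# other shell metacharacters are rejected before they reach pfctl.
pf_anchor_name_ok() {
    case "$1" in
        '' | *[!A-Za-z0-9_:/.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Load one rule, given as text, into the sub-anchor via stdin, exactly
# like:  echo "rdr on xl0 ..." | pfctl -a relayd:web -f -
pf_anchor_load() {
    pf_anchor_name_ok "$1" || { echo "refusing anchor name: $1" >&2; return 2; }
    printf '%s\n' "$2" | $PFCTL -a "$1" -f -
}

# True when `pfctl -sA` lists the anchor: leading whitespace ignored,
# whole-line match, so "relayd" does not match "relayd:web".
pf_anchor_exists() {
    $PFCTL -sA | sed 's/^[[:space:]]*//' | grep -qxF -- "$1"
}

# True when the anchor's nat/rdr rules contain the fragment. pfctl
# prints rules in its own normalised form ("port 80" comes back as
# "port = http"), so match on something stable such as the target.
pf_anchor_has_nat_rule() {
    $PFCTL -a "$1" -sn 2>/dev/null | grep -qF -- "$2"
}

# Flush the anchor's nat/rdr rules. Once empty, the sub-anchor drops
# out of `pfctl -sA` and `-a name -sn` fails with DIOCGETRULES, so
# pf_anchor_exists is the check to run afterwards.
pf_anchor_flush_nat() {
    pf_anchor_name_ok "$1" || return 2
    $PFCTL -a "$1" -F nat
}

# Session by hand on a pf host (same rule as the post):
#   pf_anchor_load relayd:web "rdr on xl0 inet proto tcp from any to any port 80 -> 192.168.0.115 port 8080"
#   pf_anchor_exists relayd:web && pf_anchor_has_nat_rule relayd:web "192.168.0.115 port 8080"
#   pf_anchor_flush_nat relayd:web
```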