# Interface macros: internal (LAN-facing) and external (Internet-facing)
int_if = "em0"
ext_if = "em1"

# Normalize and reassemble all inbound packets before filtering
scrub in all

# Anchors into which ftp-proxy(8) inserts its dynamic nat/rdr rules
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# NAT the internal network to the external interface's (dynamically looked-up) address
nat on $ext_if from $int_if:network to any -> (em1)
# Redirect FTP control connections from internal clients to ftp-proxy on 127.0.0.1:8021
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Default deny, then allow loopback and drop spoofed source addresses on the LAN side
block all
pass quick on lo0 all
antispoof quick for $int_if inet

# Anchor into which ftp-proxy(8) inserts its dynamic filter rules
anchor "ftp-proxy/*"

# Allow all stateful traffic on the internal interface
pass on $int_if all keep state
# Allow inbound TCP to the firewall's own external address on ports 32822 and 80 (SYN only, stateful)
pass in quick on $ext_if proto tcp from any to ($ext_if) port 32822 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA keep state
# Outbound TCP with modulated state (randomized ISNs); outbound UDP/ICMP stateful
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp,icmp} all keep state
Reposted from: https://blog.51cto.com/cqfish/138699
This article describes in detail a firewall ruleset for an FTP proxy service: the configuration of the internal interface (em0) and external interface (em1), how NAT, port redirection and filtering of packets on specific ports are implemented, and detailed control of TCP traffic such as connection state keeping, quick-pass rules and state modulation on specific ports.