On 5/12/05, Alex Zbyslaw <[EMAIL PROTECTED]> wrote:
> Tomas Quintero wrote:
>
> >PF is wonderful for this. I manage a router with 3 DSL Circuits and
> >have PF set up to round-robin between them. The configuration is fairly
> >simple, and I can provide my pf.conf if you'd like for some
> >clarification on how to go about doing it.
>
> I'd be interested to see how it's done. I don't have any experience of PF
> (just IPFW) and seeing good, working examples always helps in understanding
> new stuff. If you would forward me a copy, I'd be grateful, and it's the
> kind of resource it's nice to run across when searching archives, if you're
> prepared to post it to the list.
>
> Best,
>
> --Alex
I got two emails back for it, including Alex's, so I'll go ahead and post the config for the list. The setup is for a Game/LAN center, so we're pretty lenient on what goes out, which is why I haven't set up an inclusive firewall block list. Anyways, here is the config. There are currently two of the three circuits going through it; however, it would be as simple as adding the third iface name to the ext_ifs macro to enable it. If there are any questions on any part of the setup, feel free to ask.

### MACROS AND TABLES ###

# interfaces
ext_ifc1="rl0"
ext_ifc2="xl0"
ext_ifs="{" $ext_ifc1 $ext_ifc2 "}"
int_if="rl2"

# single ips
# parentheses make pf re-read the interface address when it changes (DSL links
# get dynamic addresses), instead of resolving it once at ruleset load time
ext_c1ip="(" $ext_ifc1 ")"
ext_c2ip="(" $ext_ifc2 ")"
ext_ips="{" $ext_ifc1 $ext_ifc2 "}"
# note: not referenced by any rule below; parentheses take a single interface,
# so a list of interfaces needs braces around the individual "(if:0)" entries
ext_firstips="(" $ext_ifc1:0 $ext_ifc2:0 ")"
int_ip="(" $int_if ")"

# networks
int_net="(" $int_if:network ")"

### OPTIONS ###

# rule: about 1000 states per 1MB of ram, and we have 1GB of ram
set limit states 500000

# normal timeouts for everything, aggressive would mitigate ddos attacks, however could timeout valid connections too soon
set optimization normal

# silently drop all packets matching a block rule
set block-policy drop

# we don't want to do any filtering on lo0, nothing gets here except what we explicitly put there
#set skip will be commented until implemented
#set skip on lo0

### TRAFFIC NORMALIZATION ###

# might break games, commented out now
#scrub in all no-df random-id fragment reassemble

### QUEUEING ###

### TRANSLATION ###

# nat all outbound with all our ips
# round-robin spreads connections over the pool; sticky-address keeps a given
# internal host mapped to the same external address for its later connections
nat on $ext_ifs inet from $int_net to any -> $ext_ips round-robin sticky-address

# make any ftp stuff use our ftp proxy
rdr on $int_if inet proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021

### PACKET FILTERING ###

# default policy
block in log all
pass out all modulate state

# allow internal traffic to flow freely
pass in quick on $int_if inet from $int_net to any modulate state

# allow ssh inbound
# flags S/FSRPA: only create state from a proper initial SYN
pass in quick on $ext_ifs inet proto tcp from any to $ext_ips port ssh flags S/FSRPA modulate state

--
-Tomas Quintero
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
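As an added example (not code from the original post or from the FreeBSD project), the Python script below expands pf.conf macros the way pfctl does at ruleset load time and then audits the expanded rules: it lists macros that are defined but never referenced, and it flags every `pass in` rule that accepts traffic `from any` on an interface you declare external, which on the ruleset above is the inbound ssh rule. `SAMPLE` is a constructed excerpt of the posted config; `parse`, `interfaces_after_on` and `audit` are this example's own names, not pf tooling.

```python
import re

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')  # name="value" ...
REF_RE = re.compile(r'\$(\w+)')                       # $macro reference

# Constructed excerpt of the posted ruleset: its macros plus the rules that use them.
SAMPLE = """
ext_ifc1="rl0"
ext_ifc2="xl0"
ext_ifs="{" $ext_ifc1 $ext_ifc2 "}"
int_if="rl2"
ext_c1ip="(" $ext_ifc1 ")"
int_net="(" $int_if:network ")"
nat on $ext_ifs inet from $int_net to any -> $ext_ifs round-robin sticky-address
pass in quick on $int_if inet from $int_net to any modulate state
pass in quick on $ext_ifs inet proto tcp from any to $ext_ifs port ssh flags S/FSRPA modulate state
"""

def parse(text):
    """Return (macros, expanded rules, referenced macro names); comments dropped."""
    macros, rules, referenced = {}, [], set()
    def sub(s):  # expand $name references, as pfctl does at ruleset load time
        return REF_RE.sub(lambda m: macros.get(m.group(1), m.group(0)), s)
    for line in filter(None, (l.split('#', 1)[0].strip() for l in text.splitlines())):
        referenced.update(REF_RE.findall(line))
        m = MACRO_RE.match(line)
        if m:  # values are quoted words; macros defined earlier expand at definition
            macros[m.group(1)] = sub(m.group(2).replace('"', ''))
        else:
            rules.append(sub(line))
    return macros, rules, referenced

def interfaces_after_on(toks):
    """Interface names in the `on` clause of a tokenised, expanded rule."""
    if 'on' not in toks:
        return set()
    i, close = toks.index('on') + 1, {'{': '}', '(': ')'}
    names = toks[i + 1:toks.index(close[toks[i]], i)] if toks[i] in close else [toks[i]]
    return {n.strip('()').split(':')[0] for n in names}  # "(rl0:0)" -> "rl0"

def audit(text, external):
    """Unused macros, and `pass in` rules that accept `from any` on an external interface."""
    macros, rules, referenced = parse(text)
    exposed = []
    for toks in map(str.split, rules):
        src = toks[toks.index('from') + 1] if 'from' in toks else None
        if toks[:2] == ['pass', 'in'] and src == 'any' and interfaces_after_on(toks) & external:
            exposed.append(' '.join(toks))
    return sorted(set(macros) - referenced), exposed
```

Running `audit(SAMPLE, {'rl0', 'xl0'})` reports `ext_c1ip` as unused and returns the expanded ssh rule as the only service reachable from the Internet; on a real box, `pfctl -nvf /etc/pf.conf` gives the same macro-expanded view to compare against.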