Hello,
I configured OpenBSD 4.2 as a firewall using pf. I created my rules under /etc/firewall as filter.rules and nat.rules, and I also wrote a script named yenile to reload these pf rules. But whenever I try to reload my rules I get the error below and cannot reach the internet. I think the error comes from filter.rules, but I haven't been able to solve it. I would be very glad if you could help me with this. Thanks.

pfctl: Must enable table loading for optimizations

Özge

Script (yenile):

pfctl -Fa
pfctl -N -f /etc/firewall/nat.rules
pfctl -R -f /etc/firewall/filter.rules

filter.rules:

### Interface definitions
internal = "xl0"
external = "fxp0"

### IP definitions
extnet = "192.168.2.0/24"
intnet = "172.16.0.0/18"
fwint = "172.16.1.3/32"
fwext = "192.168.2.3/32"
squid = "172.16.1.3/32"
sinirsiz = "{ 172.16.1.2/32, 172.16.22.22/32 }"

### Passive FTP ports
FTPProxyPorts = " { 55000 >< 57000 }"

### non-routable network definitions
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 224.0.0.0/3, 255.255.255.255/32 }"

scrub in all

### All traffic on the loopback interface is allowed
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

### All traffic on the internal interface is allowed
pass out quick on $internal from any to any
pass in quick on $internal from any to any

### ICMP redirect packets are blocked
block in log quick on $external inet proto icmp from any to any icmp-type redir

### Packets from non-routable networks are blocked
block in quick on $external from $nonroutable to any

### Packets to non-routable networks are blocked
block out quick on $external from any to $nonroutable

### ICMP echo is allowed
#pass in quick on $external inet proto icmp from any to any icmp-type { echorep, echoreq, timex, unreach }

### ICMP packets other than those allowed are blocked
block in log quick on $external inet proto icmp from any to any

### Proxy rules
pass out quick on $external inet proto tcp from $squid to any port = 10000 flags S/SA keep state
pass out quick on $external inet proto tcp from $squid to any port = 80 flags S/SA keep state
pass out quick on $external inet proto tcp from $squid to any port = 53 flags S/SA keep state
pass out quick on $external inet proto udp from $squid to any port = 53 keep state

### Unrestricted users
pass out quick on $external inet proto tcp from $sinirsiz to any flags S/SA keep state
pass out quick on $external inet proto udp from $sinirsiz to any
pass out quick on $external inet proto icmp from $sinirsiz to any keep state

### Outbound traffic is allowed unconditionally
pass out quick on $external inet proto tcp from any to any flags S/SA keep state
pass out quick on $external inet proto udp from any to any
pass out quick on $external inet proto icmp from any to any keep state

### Dangerous packets are blocked
block return-rst in log quick on $external inet proto tcp from any to any
block return-icmp in log quick on $external inet proto udp from any to any
block in log quick on $external all

nat.rules:

### Interface definitions
internal = "xl0"
external = "fxp0"

### IP definitions
extnet = "192.168.2.0/24"
intnet = "172.16.0.0/18"
fwint = "172.16.1.3/32"
fwext = "192.168.2.3/32"
squid = "172.16.1.3/32"
sinirsiz = "{ 172.16.1.2/32, 172.16.22.22/32 }"

### Redirect outbound FTP traffic to use ftp-proxy
#rdr on $internal proto tcp from any to any port ftp -> 127.0.0.1 port 8021

### Proxy nat
nat on $external from $squid to any -> $fwext
rdr on $external proto tcp from 213.194.88.80/28 to $fwext port 10000 -> $squid port 10000
rdr on $external proto tcp from 81.214.12.130/32 to $fwext port 10000 -> $squid port 10000

### nat for local network
nat on $external from $intnet to any -> $fwext

### unrestricted users
nat on $external from $sinirsiz to any -> $fwext
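The error comes from the way the rules are loaded rather than from a bad rule. From OpenBSD 4.1 on, pfctl runs the "basic" ruleset optimizer by default; when it collapses an address list such as $sinirsiz or $nonroutable into a table it has to load that table, and a filter-only load (pfctl -R) does not permit table loading, which is exactly what "Must enable table loading for optimizations" reports. The two ways out are to load everything from one file with a plain pfctl -f (tables allowed), or to keep the split files and disable the optimizer for that load (pfctl -o none -R -f ..., or "set ruleset-optimization none" in the file). The script below is an added example, not the yenile script from the post: it merges nat.rules and filter.rules into a single file in the section order pf.conf(5) of that release expects (macros, tables, options, normalization, queueing, translation, filtering), parse-checks it with pfctl -nf, and only then loads it. It assumes one rule per line with no backslash continuations; the function names and the shortened sample fragments it writes for offline exercise are this example's own.

```shell
#!/bin/sh
# Added example, not the script from the original post.
# Merges the poster's two fragments into one pf.conf-style file and loads it
# with a single "pfctl -f", so the ruleset optimizer may create the tables it
# needs (a -R load forbids them). Assumptions: one rule per line, no "\"
# continuations; input paths are given as arguments; names are hypothetical.

# merge_rulesets OUT IN...: classify each line by its leading keyword and emit
# the sections in pf.conf(5) order. Macros defined in both fragments are kept
# once (first definition wins); an unrecognised line makes the merge fail.
merge_rulesets() {
    out=$1; shift
    cat "$@" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments and blanks
        /^[ \t]*table[ \t]/        { tables = tables $0 "\n"; next }
        /^[ \t]*set[ \t]/          { opts = opts $0 "\n"; next }
        /^[ \t]*scrub[ \t]/        { norm = norm $0 "\n"; next }
        /^[ \t]*(altq|queue)[ \t]/ { queue = queue $0 "\n"; next }
        /^[ \t]*(no[ \t]+)?(nat|rdr|binat)(-anchor)?[ \t]/ { xlat = xlat $0 "\n"; next }
        /^[ \t]*(pass|block|antispoof|anchor)[ \t]/        { filt = filt $0 "\n"; next }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {           # macro definition
            name = $0; sub(/=.*/, "", name); gsub(/[ \t]/, "", name)
            if (!(name in seen)) { seen[name] = 1; macros = macros $0 "\n" }
            next
        }
        { print "merge_rulesets: unrecognised line: " $0 > "/dev/stderr"; bad = 1 }
        END {
            printf "%s%s%s%s%s%s%s", macros, tables, opts, norm, queue, xlat, filt
            exit bad
        }' > "$out"
}

# pf_reload CONF: parse-check first (-n loads nothing), then load for real.
# pfctl -f replaces the running ruleset only after the whole file has parsed,
# so a rejected file leaves the previous rules in place.
pf_reload() {
    conf=$1
    if ! pfctl -nf "$conf"; then
        echo "pf_reload: $conf rejected by pfctl -nf, nothing loaded" >&2
        return 1
    fi
    pfctl -f "$conf"
}

# write_demo_fragments DIR: constructed, shortened fragments in the post's
# layout (macros repeated in both files), used to exercise the merge offline.
write_demo_fragments() {
    cat > "$1/nat.rules" <<'EOF'
### Interface definitions
external = "fxp0"
fwext = "192.168.2.3/32"
sinirsiz = "{ 172.16.1.2/32, 172.16.22.22/32 }"
nat on $external from $sinirsiz to any -> $fwext
EOF
    cat > "$1/filter.rules" <<'EOF'
external = "fxp0"
sinirsiz = "{ 172.16.1.2/32, 172.16.22.22/32 }"
scrub in all
pass out quick on $external inet proto tcp from $sinirsiz to any flags S/SA keep state
block in log quick on $external all
EOF
}

# Usage: sh reload.sh /etc/firewall/nat.rules /etc/firewall/filter.rules
if [ $# -ge 2 ]; then
    tmp=$(mktemp /tmp/pf.conf.XXXXXX) || exit 1
    merge_rulesets "$tmp" "$@" && pf_reload "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

Run the merged file through pfctl -nvf once before trusting it: -v prints the rules as pfctl expanded them, which also shows which lists the optimizer turned into tables. One thing that dry run will make visible, unrelated to the error message: $fwext (192.168.2.3) lies inside the 192.168.0.0/16 entry of $nonroutable, so the two $nonroutable block rules on $external also cover the firewall's own upstream subnet.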