Category: BSD

2008-06-14 17:13:48

Thanks to MadCat MKII.

REDIRECTIONS

    Redirections represent a pf rdr rule. They are used for stateful redirections to the hosts in the specified tables. pf rewrites the target IP addresses and ports of incoming connections, operating on layer 3. The configuration directives valid in the redirect context are described below:

    disable
        The redirection is initially disabled. It can later be enabled through relayctl.

    forward to <table> [port number] options ...
        Specify the table of target hosts to use; see the TABLES section for information about table options. If no port is specified, the port from the listen on directive is used. This directive can be specified twice: the second entry is used as the backup table when all hosts in the main table are down. At least one entry, the main table, is mandatory.

    listen on address port port [interface name]
        Specify the address and port to listen on. pf redirects incoming connections for the specified target to the hosts in the main or backup table. The rdr rule can optionally be restricted to a given interface.

    route to <table> [port number] options ...
        Like forward to, but routes the packets directly to the target hosts without modifying the destination address. This can be used for "direct server return", forcing the target hosts to respond via a different gateway. Note that the hosts must accept sessions for the same address as the gateway, which is typically done by configuring a loopback interface on each host with that address.

    session timeout seconds
        Specify the inactivity timeout in seconds for established redirections. The default timeout is 600 seconds (10 minutes).

    sticky-address
        This has the same effect as specifying sticky-address for an rdr rule in pf.conf. It ensures that multiple connections from the same source address are mapped to the same redirection address.

    tag name
        Automatically tag packets passing through the pf rdr rule with the supplied name. This allows simpler filter rules.
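A complete redirect block exercising the directives above, followed by the pf.conf lines it relies on. This is an added example, not configuration from the original page or from relayd's own documentation: the addresses, interface, table and tag names are made up, and the check options and the pf anchor syntax come from the TABLES section of relayd.conf(5) and from pf.conf(5), neither of which this page reproduces.

```conf
# ---- /etc/relayd.conf (added example; addresses and names are assumed) ----
ext_addr="192.0.2.10"                       # VIP that clients connect to

table <webhosts> { 10.0.0.11 10.0.0.12 }    # main pool, mirrored into a pf table
table <sorry>    { 10.0.0.99 }              # static "down for maintenance" host

redirect www {
        # rdr rule for the VIP, restricted to the external interface
        listen on $ext_addr port 80 interface em0

        # main table: hosts failing the HTTP check are pulled from the pf table
        forward to <webhosts> port 8080 check http "/" code 200
        # backup table: used only when every host in <webhosts> is down
        forward to <sorry> port 8080 check icmp

        session timeout 120     # expire idle redirect states sooner than the 600 s default
        sticky-address          # same client source address -> same backend
        tag RELAYD_WWW          # pf filter rules match the tag instead of address lists
}

# Direct server return: pf route-to hands the packet to the backend with the
# destination address untouched, so the VIP must also be configured on each
# backend's loopback (ifconfig lo0 alias 192.0.2.10 netmask 255.255.255.255);
# the backend then answers the client directly, bypassing the relayd host.
redirect www_dsr {
        listen on $ext_addr port 443 interface em0
        route to <webhosts> check tcp
}

# ---- /etc/pf.conf (excerpt) ----
ext_if="em0"
rdr-anchor "relayd/*"           # relayd loads its rdr rules into this anchor
anchor "relayd/*"

# Only traffic that already passed a relayd rdr rule carries the tag, so no
# backend address has to be repeated in the filter rule set.
pass in quick on $ext_if proto tcp tagged RELAYD_WWW
```

Check the file with `relayd -n -f /etc/relayd.conf` before loading it, and use `relayctl show summary` to see whether the main or the backup table is currently active. Two things a practitioner should watch with the DSR variant: every backend must own the VIP on a loopback alias or it will drop the incoming segments, and because the reply path does not cross the relayd host, the pf state on the relayd host only ever sees one direction of each connection.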

 

RELAYS

    Relays forward traffic between a client and a target server. In contrast to redirections and IP forwarding in the network stack, a relay accepts incoming connections from remote clients as a server, opens an outgoing connection to the target host, and forwards all traffic between the target host and the remote client, operating on layer 7. A relay is also called an application layer gateway or layer 7 proxy.

    The main purpose of a relay is to provide advanced load balancing based on specified protocol characteristics, such as HTTP headers, to provide SSL acceleration, and to allow basic handling of the underlying application protocol.
    The relay configuration directives are described below:

    disable
        Start the relay but immediately close any accepted connections.
    [transparent] forward to address [port port] [retry number]
        Specify the address and port of the target host to connect to. If the port option is not set, the port from the listen on directive is used.

        The transparent keyword enables fully transparent mode: the client's source address is preserved on the outgoing connection.

        The optional retry option is the tolerance for failed host connections; the connection is retried number more times.

    forward to <table> [port port] options ...
        Like the previous directive, but connects to a host from the specified table; see the TABLES section above for information about table options.

    forward to nat lookup [retry number]
        When connections are redirected with an rdr rule in pf.conf(5) to a relay listening on localhost, this directive looks up the real destination address of the intended target host, allowing the relay to run as a transparent proxy. If an additional forward to directive to a specified address or table is present, it is used as a backup when the NAT lookup fails.

    listen on address [port port] [ssl]
        Specify the address and port for the relay to listen on. The relay accepts incoming connections to the specified address. If the port option is not set, the port from the listen on directive is used.

        If the ssl keyword is present, the relay accepts connections using the encrypted SSL protocol. The relay looks up the private key in /etc/ssl/private/address.key and the public certificate in /etc/ssl/address.crt, where address is the IP address the relay listens on. See ssl(8) for details about SSL server certificates.

    protocol name
        Use the specified protocol definition for the relay. The generic TCP protocol options are used by default; see the PROTOCOLS section.

    session timeout seconds
        Specify the idle timeout in seconds for accepted sessions. The default timeout is 600 seconds (10 minutes).
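Two relays built from the directives above: an SSL accelerator in front of a table of web servers, and a transparent HTTP proxy fed by a pf rdr rule and resolved with nat lookup. This is an added example, not configuration from the original page or from relayd's own documentation. Addresses, table, relay and protocol names are made up, and the http protocol and ssl option syntax comes from the PROTOCOLS section of relayd.conf(5), which this page does not include.

```conf
# ---- /etc/relayd.conf (added example; addresses and names are assumed) ----
ext_addr="192.0.2.10"
table <webhosts> { 10.0.0.11 10.0.0.12 }
table <sorry>    { 10.0.0.99 }

# Protocol definitions (PROTOCOLS section, not shown on this page) are what
# make the relay operate on layer 7: headers are rewritten per request.
http protocol https_front {
        header append "$REMOTE_ADDR" to "X-Forwarded-For"          # backend logs the real client
        header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
        header change "Connection" to "close"
        ssl { no sslv2, sslv3, tlsv1, ciphers "HIGH" }             # refuse SSLv2 and weak ciphers
}

# SSL accelerator: TLS terminates on the relay, backends receive plain HTTP.
# The key and certificate are located by listen address, so they must exist as
#   /etc/ssl/private/192.0.2.10.key   (readable by root only)
#   /etc/ssl/192.0.2.10.crt
# before relayd starts; see ssl(8) for how to generate them.
relay https_www {
        listen on $ext_addr port 443 ssl
        protocol https_front
        forward to <webhosts> port 80 mode loadbalance check http "/" code 200
        session timeout 60
}

# Transparent proxy: the pf rdr rule below sends client HTTP to 127.0.0.1:8080,
# and "nat lookup" recovers each session's original destination from pf.
# No protocol line, so the generic TCP protocol is used.
relay http_proxy {
        listen on 127.0.0.1 port 8080
        forward to nat lookup retry 3
        forward to <sorry> port 80      # used only when the NAT lookup fails
}

# ---- /etc/pf.conf (excerpt) ----
int_if="em1"
anchor "relayd/*"
# Only sessions that came through this rdr rule have a translation state for
# nat lookup to find; a local process connecting to 127.0.0.1:8080 directly has
# none and is handed to the <sorry> host instead of an arbitrary destination.
rdr pass on $int_if proto tcp from 10.0.0.0/24 to any port 80 -> 127.0.0.1 port 8080
```

Binding the proxy relay to 127.0.0.1 is what keeps it from becoming an open proxy: nothing off-host can reach it except through the rdr rule. If the transparent keyword is added to a forward to directive, the backend sees the client's own source address, so the backend's route back to that client must pass through the relayd host, otherwise the reply never reaches the relay and the connection never completes.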

Original text:

REDIRECTIONS
     Redirections represent a pf(4) rdr rule.  They are used for stateful
     redirections to the hosts in the specified tables.  pf(4) rewrites the
     target IP addresses and ports of the incoming connections, operating on
     layer 3.  The configuration directives that are valid in the redirect
     context are described below:

     disable
             The redirection is initially disabled.  It can be later enabled
             through relayctl(8).

     forward to <table> [port number] options ...
             Specify the tables of target hosts to be used; see the TABLES
             section above for information about table options.  If the port
             option is not specified, the port from the listen on directive
             will be used.  This directive can be specified twice - the second
             entry will be used as the backup table if all hosts in the main
             table are down.  At least one entry for the main table is
             mandatory.

     listen on address port port [interface name]
             Specify an address and a port to listen on.  pf(4) will redirect
             incoming connections for the specified target to the hosts in the
             main or backup table.  The rdr rule can be optionally restricted
             to a given interface name.

     sticky-address
             This has the same effect as specifying sticky-address for an rdr
             rule in pf.conf(5).  It will ensure that multiple connections
             from the same source are mapped to the same redirection address.

     tag name
             Automatically tag packets passing through the pf(4) rdr rule with
             the name supplied.  This allows simpler filter rules.

RELAYS
     Relays will forward traffic between a client and a target server.  In
     contrast to redirections and IP forwarding in the network stack, a relay
     will accept incoming connections from remote clients as a server, open an
     outgoing connection to a target host, and forward any traffic between the
     target host and the remote client, operating on layer 7.  A relay is also
     called an application layer gateway or layer 7 proxy.

     The main purpose of a relay is to provide advanced load balancing func-
     tionality based on specified protocol characteristics, such as HTTP head-
     ers, to provide SSL acceleration and to allow basic handling of the
     underlying application protocol.

     The relay configuration directives are described below:

     disable
             Start the relay but immediately close any accepted connections.

     forward to address [port port] [retry number]
             Specify the address and port of the target host to connect to.
             If the port option is not specified, the port from the listen on
             directive will be used.

             The optional host retry option will be used as a tolerance for
             failed host connections; the connection will be retried for
             number more times.

     forward to <table> [port port] options ...
             Like the previous directive, but connect to a host from the
             specified table; see the TABLES section above for information
             about table options.

     forward to nat lookup [retry number]
             When redirecting connections with an rdr rule in pf.conf(5) to a
             relay listening on localhost, this directive will look up the
             real destination address of the intended target host, allowing
             the relay to be run as a transparent proxy.  If an additional
             forward to directive to a specified address or table is present,
             it will be used as a backup if the NAT lookup failed.

     listen on address [port port] [ssl]
             Specify the address and port for the relay to listen on.  The
             relay will accept incoming connections to the specified address.
             If the port option is not specified, the port from the listen on
             directive will be used.

             If the ssl keyword is present, the relay will accept connections
             using the encrypted SSL protocol.  The relay will look up a pri-
             vate key in /etc/ssl/private/address.key and a public certificate
             in /etc/ssl/address.crt, where address is the specified IP
             address of the relay to listen on.  See ssl(8) for details about
             SSL server certificates.

     protocol name
             Use the specified protocol definition for the relay.  The generic
             TCP protocol options will be used by default; see the PROTOCOLS
             section below.

     timeout seconds
             Specify the timeout in seconds for accepted sessions.  The
             default timeout is 600 seconds (10 minutes).
