openbsd+PF+NAT多网卡配置方案
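# ---- Macros ----
ext_if="vic0"
# Two internal interfaces; PF expands the list wherever $int_if is used.
int_if="{vic1,vic2}"
# NOTE(review): 10.10.10.0/16 has host bits set beyond the /16 mask; presumably
# 10.10.0.0/16 is intended -- confirm. 172.168.254.0/24 is NOT an RFC 1918
# private range (those are 10/8, 172.16/12, 192.168/16); it is publicly
# routable space, so rules written for it also match traffic for the real
# owner of that prefix -- confirm the intended LAN subnet.
lan_net="{10.10.10.0/16, 172.168.254.0/24}"
# Defined but not referenced by any rule below; kept for later use.
ftp_port="{21,2201,20021}"
server="{53,80}"

# ---- Options / normalization ----
set skip on lo
scrub in

# ---- Translation ----
# Outbound NAT for both LAN prefixes. Uses $ext_if/$lan_net instead of
# repeating the interface name and each prefix, and ($ext_if) so the
# translation address follows the interface's current address instead of the
# one resolved when the ruleset was loaded.
# NOTE(review): this is the pre-OpenBSD 4.7 "nat on" syntax; on 4.7 and later
# the equivalent is "match out on $ext_if from $lan_net nat-to ($ext_if)".
nat on $ext_if from $lan_net to any -> ($ext_if)

# ftp-proxy: the translation anchors and the redirect of LAN port ftp to the
# proxy on 127.0.0.1 port 8021 are disabled, so ftp-proxy(8) receives no
# sessions and the filter anchor below stays empty.
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# ---- Filtering ----
anchor "ftp-proxy/*"

# Default deny inbound on every interface; openings follow.
block in

# Internal interfaces are fully trusted in both directions, including traffic
# addressed to the firewall itself. antispoof remains disabled below, so a
# LAN host can send packets with a forged source address through this rule.
pass quick on $int_if
#antispoof quick for { lo $int_if }

# Only SSH to the firewall's own address is reachable from the external side.
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass out keep state

# Disabled candidates kept for reference (smtp / spamd redirection).
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
# -> 127.0.0.1 port spamd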