Neocekavana zmena default gateway

[Radek Krejča]

Ahoj,

> >
> Mohu videt konfiguraci PF ? (samozrejme bez primych address :)
> Vilem

klidne, uz jsem ji osekal pri experimentech tak, ze tam nezustalo skoro nic, pouze jsem vyhodil binat rules, bylo jich tam fakt hodne:
**************************************************************************************************
set limit { states 1000000, frags 1000000, src-nodes 500 }
set optimization aggressive

# Sitova rozhrani
ext_if		=	"em0"
int_if		=	"em1"

# Externi adresa
ext_addr	=	"178.255.168.19"

# Odstrizeni klienti
table <neplatici>	persist file "/usr/local/etc/pf/neplatici"

# Spammers
table <verejna_ip>	persist file "/usr/local/etc/pf/verejna_ip"
smtp_addr	=	"92.62.224.69"

# Klienti a jejich verejna ip
int_klient  =       "xxxx vnitrni"    # ukazka binat, vnitrni ip
ext_klient  =       "yyyy vnejsi"     # ukazka binat, vnejsi ip

scrub all fragment reassemble no-df

# Zakladni natovani
nat on $ext_if from "10.1.0.0/16"		-> $ext_addr

# Natovani klientu
binat   on $ext_if from $int_klient to any -> $ext_klient

# Odstrizeni klienti
rdr proto tcp from <neplatici> to any port 80 -> 172.16.163.2 port 80

# Firewall - pokusy
#block quick from any to em1:broadcast
#block log quick inet proto icmp from any to any icmp-type redir
#block quick on vlan1001 proto icmp

# Spammers
block proto tcp from 10.0.0.0/8   to any        port smtp
pass  proto tcp from 10.0.0.0/8   to $smtp_addr port smtp
pass  proto tcp from <verejna_ip> to any        port smtp

# Odstrizeni klienti
block from <neplatici> to any
pass  proto { tcp, udp } from <neplatici> to any port domain
pass  proto tcp from <neplatici> to 172.16.163.2 port 80
**************************************************************************************************