*BSD中文用户社区

代码: 全选

pass proto tcp from any to $webserver port $webports synproxy state

代码: 全选

pass proto tcp from any to $emailserver port $email synproxy state

代码: 全选

pass log proto tcp from $emailserver to any port smtp synproxy state

代码: 全选

pass inet proto { tcp, udp } from any to $nameservers port domain

代码: 全选

ext_if = "ep0" # macro for external interface - use tun0 or pppoe0 for PPPoE
int_if = "ep1" # macro for internal interface
localnet = $int_if:network
webserver = "192.0.2.227"
webports = "{ http, https }"
emailserver = "192.0.2.225"
email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"
nameservers = "{ 192.0.2.221, 192.0.2.223 }"
client_out = "{ ssh, domain, pop3, auth, nntp, http,\
https, cvspserver, 2628, 5999, 8000, 8080 }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
block all
pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
pass log inet proto icmp all icmp-type $icmp_types
pass inet proto tcp from $localnet to any port $client_out
pass inet proto { tcp, udp } from any to $nameservers port domain
pass proto tcp from any to $webserver port $webports synproxy state
pass log proto tcp from any to $emailserver port $email synproxy state
pass log proto tcp from $emailserver to any port smtp synproxy state

代码: 全选

pass in on $ext_if proto { tcp, udp } from any to $nameservers port domain
pass in on $int_if proto { tcp, udp } from $localnet to $nameservers port domain
pass out on $dmz_if proto { tcp, udp } from any to $nameservers port domain
pass in on $ext_if proto tcp from any to $webserver port $webports
pass in on $int_if proto tcp from $localnet to $webserver port $webports
pass out on $dmz_if proto tcp from any to $webserver port $webports
pass in log on $ext_if proto tcp from any to $mailserver port smtp
pass in log on $int_if proto tcp from $localnet to $mailserver port $email
pass out log on $dmz_if proto tcp from any to $mailserver port smtp
pass in on $dmz_if from $mailserver to any port smtp
pass out log on $ext_if proto tcp from $mailserver to any port smtp

代码: 全选

webpool = "{ 192.0.2.214, 192.0.2.215, 192.0.2.216, 192.0.2.217 }"

代码: 全选

rdr on $ext_if from any to $webserver port $webports -> $webpool \
round-robin sticky-address

代码: 全选

rdr on $ext_if from any to $webserver port $webports -> $webpool random

代码: 全选

rdr-anchor "hoststated/*"

代码: 全选

webpool = "{ 192.0.2.214, 192.0.2.215, 192.0.2.216, 192.0.2.217 }"

代码: 全选

rdr on $ext_if from any to $webserver port $webports -> $webpool \
round-robin sticky-address

代码: 全选

table <webpool> persist { 192.0.2.214, 192.0.2.215, 192.0.2.216, 192.0.2.217 }

代码: 全选

rdr on $ext_if from any to $webserver port $webports -> <webpool> \
round-robin sticky-address

代码: 全选

table webpool {
        check http "/status.html" code 200
        timeout 300
        real port 80
        host $web1
        host $web2
        host $web3
        host $web4
}

代码: 全选

interval 5 # check hosts every 5 seconds

代码: 全选

table webpool {
        check http "/status.html" code 200
        timeout 300
        real port 80
        host $web1
        host $web2
        host $web3
        host $web4
}

代码: 全选

table sorry {
        check icmp
        real port 80
        host $sorry_server
}
service www {
        virtual ip $webserver port 80
        table webpool
        backup table sorry
}

代码: 全选

hoststated_flags="" # for normal use: ""

代码: 全选

$ sudo hoststatectl show summary
Type         Id      Name                 Avlblty    Status
service       0      www                             active
table         0      webpool                         active (2 hosts up)
host          3      192.0.2.217          0.00%      down
host          2      192.0.2.216          100.00%    up
host          1      192.0.2.215          0.00%      down
host          0      192.0.2.214          100.00%    up
table         1      sorry                           active (1 hosts up)
host          4      192.0.2.200          100.00%    up

代码: 全选

$ sudo hoststatectl show hosts
Type       Id     Name                  Avlblty  Status
service     0     www                            active
table       0     webpool                        active (2 hosts up)
host        3     192.0.2.217           0.00%    down
                  total: 0/6 checks
host        2     192.0.2.216           100.00%  up
                  total: 0/6 checks
host        1     192.0.2.215           0.00%    down
                  total: 0/6 checks
host        0     192.0.2.214           100.00%  up
                  total: 6/6 checks
table       1     sorry                          active (1 hosts up)
host        4     192.0.2.200           100.00%  up
                  total: 6/6 checks

代码: 全选

$ sudo hoststatectl host disable 192.168.103.1

代码: 全选

$ sudo hoststatectl host enable 192.168.103.1

代码: 全选

protocol httpssl {
                protocol http
                         header append "$REMOTE_ADDR" to "X-Forwarded-For"
                         header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
                         header change "Keep-Alive" to "$TIMEOUT"
                         url hash "sessid"
                         cookie hash "sessid"
                         path filter "*command=*" from "/cgi-bin/index.cgi"

                         ssl { sslv2, ciphers "MEDIUM:HIGH" }
                         tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}

代码: 全选

relay wwwssl {
              # Run as a SSL accelerator
              listen on $webserver port 443 ssl
              protocol httpssl
              table webhosts loadbalance
}

代码: 全选

webserver = "192.168.2.7"
webports = "{ http, https }"
emailserver = "192.168.2.5"
email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"
rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webserver
rdr on $ext_if proto tcp from any to $ext_if port $email -> $emailserver
pass proto tcp from any to $webserver port $webports synproxy state
pass proto tcp from any to $emailserver port $email synproxy state
pass proto tcp from $emailserver to any port smtp synproxy state

代码: 全选

pass in on $ext_if proto { tcp, udp } from any to $nameservers port domain
pass in on $int_if proto { tcp, udp } from $localnet to $nameservers port domain
pass out on $dmz_if proto { tcp, udp } from any to $nameservers port domain
pass in on $ext_if proto tcp from any to $webserver port $webports
pass in on $int_if proto tcp from $localnet to $webserver port $webports
pass out on $dmz_if proto tcp from any to $webserver port $webports
pass in log on $ext_if proto tcp from any to $mailserver port smtp
pass in log on $int_if proto tcp from $localnet to $mailserver port $email
pass out log on $dmz_if proto tcp from any to $mailserver port smtp
pass in on $dmz_if from $mailserver to any port smtp
pass out log on $ext_if proto tcp from $mailserver to any port smtp

代码: 全选

webpool = "{ 192.168.2.7, 192.168.2.8, 192.168.2.9, 192.168.2.10 }"

代码: 全选

rdr on $ext_if from any to $webserver port $webports -> $webpool \
round-robin sticky-address

代码: 全选

webserver = "192.168.2.7"
webports = "{ http, https }"
emailserver = "192.168.2.5"
email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"
nat on $ext_if from $localnet to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webserver
rdr on $ext_if proto tcp from any to $ext_if port $email -> $emailserver
pass proto tcp from any to $webserver port $webports synproxy state
pass proto tcp from any to $emailserver port $email synproxy state
pass proto tcp from $emailserver to any port smtp synproxy state

代码: 全选

rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $ext_if port $email -> $emailserver
no nat on $int_if proto tcp from $int_if to $localnet
nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
nat on $int_if proto tcp from $localnet to $emailserver port $email -> $int_if

代码: 全选

# ifconfig sis2 group untrusted

代码: 全选

pass in on untrusted to any port $webports
pass out on egress to any port $webports