Help me upgrade my pf.conf for OpenBSD 4.7
I'm planning to upgrade my OpenBSD from 4.6 to 4.7, and as you may or may not know, they changed the pf.conf syntax.
Here is the relevant part of the upgrade guide:
pf(4) NAT syntax change
As described in more detail in this mailing-list post, PF's separate nat/rdr/binat (translation) rules have been replaced by actions on normal match/filter rules. A simple ruleset can be converted like this:

```
nat on $ext_if from 10/8 -> ($ext_if)
rdr on $ext_if to ($ext_if) -> 1.2.3.4
```

becomes

```
match out on $ext_if from 10/8 nat-to ($ext_if)
match in on $ext_if to ($ext_if) rdr-to 1.2.3.4
```

and...

```
binat on $ext_if from $web_serv_int to any -> $web_serv_ext
```

becomes

```
match on $ext_if from $web_serv_int to any binat-to $web_serv_ext
```

nat-anchor and/or rdr-anchor lines, e.g. for relayd(8), ftp-proxy(8) and tftp-proxy(8), are no longer used and should be removed from pf.conf(5), leaving only the anchor line. Translation rules relating to these and to spamd(8) will need to be adjusted appropriately.
Note: previously, translation rules had "stop at first match" behaviour, with binat evaluated first and then nat/rdr depending on the packet's direction. Filter rules are now subject to the usual "last match" behaviour, so care must be taken with rule ordering when converting.
pf(4) route-to/reply-to syntax change
The route-to, reply-to, dup-to and fastroute options in pf.conf have moved to filteropts;

```
pass in on $ext_if route-to (em1 192.168.1.1) from 10.1.1.1
pass in on $ext_if reply-to (em1 192.168.1.1) to 10.1.1.1
```

becomes

```
pass in on $ext_if from 10.1.1.1 route-to (em1 192.168.1.1)
pass in on $ext_if to 10.1.1.1 reply-to (em1 192.168.1.1)
```
Now, here is my current pf.conf:
```
# $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pppoe0"
int_if="nfe0"
int_net="192.168.0.0/24"
polemon="192.168.0.10"
poletopw="192.168.0.12"
segatop="192.168.0.20"

table <leechers> persist

set loginterface $ext_if
set skip on lo

match on $ext_if all scrub (no-df max-mss 1440)

altq on $ext_if priq bandwidth 950Kb queue {q_pri, q_hi, q_std, q_low}
queue q_pri priority 15
queue q_hi priority 10
queue q_std priority 7 priq(default)
queue q_low priority 0

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
rdr pass on $ext_if proto tcp to port 2022 -> $segatop port 22
rdr pass on $ext_if proto tcp to port 4000 -> $polemon port 4000
rdr pass on $ext_if proto tcp to port 6600 -> $polemon port 6600

anchor "ftp-proxy/*"

block

pass on $int_if queue(q_hi, q_pri)
pass out on $ext_if queue(q_std, q_pri)
pass out on $ext_if proto icmp queue q_pri
pass out on $ext_if proto {tcp, udp} to any port ssh queue(q_hi, q_pri)
pass out on $ext_if proto {tcp, udp} to any port http queue(q_std, q_pri)
#pass out on $ext_if proto {tcp, udp} all queue(q_low, q_hi)
pass out on $ext_if proto {tcp, udp} from <leechers> queue(q_low, q_std)

pass in on $ext_if proto tcp to ($ext_if) port ident queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port ssh queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port http queue(q_hi, q_pri)
pass in on $ext_if inet proto icmp all icmp-type echoreq queue q_pri
```
If anyone has experience porting a 4.6 pf.conf to 4.7, please help me make the right changes.
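The rewrite rules quoted from the upgrade guide are mechanical enough to script. The following is an added example, not part of the original post and not OpenBSD's own tooling: a small Python converter that rewrites the nat / rdr / binat rule shapes shown above (including `rdr pass`) into the 4.7 match/pass form and drops nat-anchor/rdr-anchor lines. The sample ruleset embedded in it is constructed from the rules on this page; the regex only understands those shapes, so anything else (macros, filter rules, `no nat`, rules with a trailing comment) is passed through unchanged for manual review.

```python
"""Rewrite OpenBSD 4.6-style pf.conf translation rules into 4.7 syntax.

Added example, not OpenBSD code.  Handles only the rule shapes from the
4.7 upgrade guide:  nat / rdr / binat [pass] <criteria> -> <target>
and nat-anchor / rdr-anchor lines.
"""
import re
import sys

# nat-anchor / rdr-anchor lines are gone in 4.7; the plain `anchor` line stays.
ANCHOR_RE = re.compile(r'^(?:nat|rdr)-anchor\b')

# <kind> [pass] <criteria> -> <translation target>
XLATE_RE = re.compile(
    r'^(?P<kind>nat|rdr|binat)(?P<pass>\s+pass)?\s+'
    r'(?P<body>.*?)\s*->\s*(?P<target>.+?)$'
)

# Direction the old rule type implied (binat applies to both directions).
DIRECTION = {'nat': 'out', 'rdr': 'in', 'binat': ''}


def convert_line(line):
    """Return the 4.7 form of one pf.conf line, or None if the line is dropped.

    Every line that is not a translation rule or a translation anchor
    (macros, options, filter rules, comments, `no nat`, ...) comes back
    unchanged so it can be reviewed by hand.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return line
    if ANCHOR_RE.match(stripped):
        return None
    m = XLATE_RE.match(stripped)
    if not m:
        return line
    kind = m.group('kind')
    # `rdr pass` both translated and passed; in 4.7 that is a pass rule
    # carrying rdr-to.  A bare nat/rdr/binat becomes a match rule.
    action = 'pass' if m.group('pass') else 'match'
    head = ' '.join(p for p in (action, DIRECTION[kind]) if p)
    return f"{head} {m.group('body')} {kind}-to {m.group('target')}"


def convert(text):
    """Convert a whole ruleset, keeping line order and dropping anchors."""
    out = []
    for line in text.splitlines():
        new = convert_line(line)
        if new is not None:
            out.append(new)
    return '\n'.join(out) + '\n'


# Constructed sample: the translation section of a 4.6 ruleset like the one
# above (hypothetical macros $ext_if, $int_if, $segatop).
SAMPLE_46 = """\
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
anchor "ftp-proxy/*"
"""

if __name__ == '__main__':
    # Usage: python3 pf47.py < pf.conf.old > pf.conf.new
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_46
    sys.stdout.write(convert(src))
```

Check the output with `pfctl -nf pf.conf.new` before loading it. The converter preserves line order, which is not enough on its own: the guide notes that translation used to stop at the first match, while match/pass rules now follow last-match semantics, so overlapping translation rules still need to be re-ordered by hand, and a `match` rule placed after a `quick` rule that already matched is never reached.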
OK, here's how far I've got:
I commented out nat-anchor and rdr-anchor, as described in the guide:

```
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
```

And this is how I "converted" the rdr rules:

```
#nat on $ext_if from !($ext_if) -> ($ext_if)
match out on $ext_if from !($ext_if) nat-to ($ext_if)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
match in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
match in on $ext_if proto tcp to port 2080 rdr-to $segatop port 80
#rdr pass on $ext_if proto tcp to port 2022 -> $segatop port 22
match in on $ext_if proto tcp to port 2022 rdr-to $segatop port 22
#rdr pass on $ext_if proto tcp to port 4000 -> $polemon port 4000
match in on $ext_if proto tcp to port 4000 rdr-to $polemon port 4000
#rdr pass on $ext_if proto tcp to port 6600 -> $polemon port 6600
match in on $ext_if proto tcp to port 6600 rdr-to $polemon port 6600
```
Am I missing something? Does the ftp-proxy anchor stay as it is now? Do I need to change anything in the other `pass in on...` lines?
It seems nobody is able or willing to help me... :(
But I managed to get it working myself. Here is the working pf.conf (for OpenBSD 4.8):

```
# $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pppoe0"
int_if="nfe0"
int_net="192.168.0.0/24"
polemon="192.168.0.10"
poletopw="192.168.0.12"
segatop="192.168.0.20"

table <leechers> persist

set loginterface $ext_if
set skip on lo

match on $ext_if all scrub (no-df max-mss 1440)

altq on $ext_if priq bandwidth 950Kb queue {q_pri, q_hi, q_std, q_low}
queue q_pri priority 15
queue q_hi priority 10
queue q_std priority 7 priq(default)
queue q_low priority 0

block

match out on $ext_if from !($ext_if) nat-to ($ext_if)
pass in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in on $ext_if proto tcp to port 2080 rdr-to $segatop port 80
pass in on $ext_if proto tcp to port 2022 rdr-to $segatop port 22
pass in on $ext_if proto tcp to port 4000 rdr-to $polemon port 4000
pass in on $ext_if proto tcp to port 6600 rdr-to $polemon port 6600

anchor "ftp-proxy/*"

pass on $int_if queue(q_hi, q_pri)
pass out on $ext_if queue(q_std, q_pri)
pass out on $ext_if proto icmp queue q_pri
pass out on $ext_if proto {tcp, udp} to any port ssh queue(q_hi, q_pri)
pass out on $ext_if proto {tcp, udp} to any port http queue(q_std, q_pri)
#pass out on $ext_if proto {tcp, udp} all queue(q_low, q_hi)
pass out on $ext_if proto {tcp, udp} from <leechers> queue(q_low, q_std)

pass in on $ext_if proto tcp to ($ext_if) port ident queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port ssh queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port http queue(q_hi, q_pri)
pass in on $ext_if inet proto icmp all icmp-type echoreq queue q_pri
```
I've had it working for more than six months now. Since nobody posted an answer and it basically works fine now, I decided to post my own solution. Given that this thread has over 1k views, it might help someone...