In this article we plan the network topology, configure the BSD system, and use PF to implement policy routing. What should you pay attention to during configuration? The following article shows what we learned.
1. Description:
This solution applies to operating systems that can use PF as a firewall, including FreeBSD, OpenBSD, and NetBSD. Policy routing here means that the server is connected to two ISP lines at the same time, and a request that arrives on one NIC is answered through that same NIC (and its ISP gateway) when the reply is sent back to the client.
2. Test topology:
The "3 interface Router" in the figure can be replaced by a WIN2K or LINUX host with IP forwarding enabled.
3. OPENBSD network settings:
fxp0: 192.168.0.100, ne3: 192.168.1.100, default gateway: 192.168.0.1
4. PF rules:
# vi /etc/pf.conf
====================================================================
# interfaces and gateways of the two ISP lines
if_isp1 = "fxp0"
if_isp2 = "ne3"
gw_isp1 = "192.168.0.1"
gw_isp2 = "192.168.1.10"
# default deny; loopback is always allowed
block all
pass quick on lo0 all
# a connection that comes in on one ISP interface gets its replies
# routed back through that interface's own gateway (reply-to)
pass in quick on $if_isp1 reply-to ($if_isp1 $gw_isp1) proto { tcp, udp, icmp } to any keep state
pass in quick on $if_isp2 reply-to ($if_isp2 $gw_isp2) proto { tcp, udp, icmp } to any keep state
# outbound traffic originating from the server follows the normal routing table
pass out keep state
====================================================================
For convenience during the test, the PF rules above do not restrict TCP/UDP ports; adjust them to your actual situation. To make starting and stopping PF easier, a shell script is listed below:
# vi /etc/rc.d/pf.sh
====================================================================
#!/bin/sh
# Made by llzqq
# pf startup script
#
case "$1" in
start)
    # enable pf and load the rule set only if the config file exists
    if [ -f /etc/pf.conf ]; then
        /sbin/pfctl -e -f /etc/pf.conf
    fi
    ;;
stop)
    # flush all rules/states, then disable pf
    /sbin/pfctl -F all
    /sbin/pfctl -d
    ;;
*)
    echo "$0 start | stop"
    ;;
esac
exit 0
====================================================================
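The rule set in section 4 only works if each reply-to gateway is directly reachable from its own interface; a gateway outside the interface's subnet silently breaks the return path. As an added example (not from the article), the script below checks that for the two ISP definitions above and renders the same rule set from them; the /24 netmasks are an assumption, since the article gives none.

```python
import ipaddress

# Constructed ISP definitions mirroring the article's topology.
# The /24 masks are assumed; the article does not state netmasks.
ISPS = [
    {"name": "isp1", "if": "fxp0", "addr": "192.168.0.100/24", "gw": "192.168.0.1"},
    {"name": "isp2", "if": "ne3",  "addr": "192.168.1.100/24", "gw": "192.168.1.10"},
]


def check_gateways(isps):
    """Return a list of problems. A reply-to gateway must lie in the
    subnet of its interface, otherwise pf cannot hand replies to it."""
    problems = []
    for isp in isps:
        net = ipaddress.ip_interface(isp["addr"]).network
        gw = ipaddress.ip_address(isp["gw"])
        if gw not in net:
            problems.append(f"{isp['if']}: gateway {gw} is not in {net}")
    return problems


def render_pf_conf(isps, protos=("tcp", "udp", "icmp")):
    """Render the article-style policy-routing rule set (old pf grammar:
    the route option comes right after 'on <if>', before the proto spec)."""
    if check_gateways(isps):
        raise ValueError("gateway not reachable from its interface")
    lines = []
    for isp in isps:
        lines.append(f'if_{isp["name"]} = "{isp["if"]}"')
        lines.append(f'gw_{isp["name"]} = "{isp["gw"]}"')
    lines += ["block all", "pass quick on lo0 all"]
    proto = "{ " + ", ".join(protos) + " }"
    for isp in isps:
        n = isp["name"]
        lines.append(f"pass in quick on $if_{n} reply-to ($if_{n} $gw_{n}) "
                     f"proto {proto} to any keep state")
    lines.append("pass out keep state")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_pf_conf(ISPS), end="")
```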