
Building a firewall with OpenBSD

Published: 2009-08-07 21:25:29  Source: 红联  Author: youth3008
Based on the project's functional description and the company's requirements, the following network plan is drawn up for this project:
1. Based on the departments and the number of PCs in each department given in the functional description, a separate subnet is created for each department:
Offices (100 PCs):
  General manager's office: 192.168.2.0/24
  General office: 192.168.3.0/24
Marketing department (800 PCs): 172.16.0.0/16
Finance department (80 PCs): 192.168.4.0/24
Production department (500 PCs): 172.17.0.0/16
Information (IT) department (20 PCs): 192.168.5.0/24
Public-facing servers: 192.168.6.0/24
Internal company servers: 192.168.7.0/24
Public server address: 192.168.6.2/24
Internal server address: 192.168.7.2/24
2. Network interface configuration:
(1) Internal interface
Because the internal subnets lie on different network segments, and to keep costs down, this project uses a dual-port router (one internal and one external interface) and configures several IP addresses on the single internal interface. The internal interface is defined as follows (in the format of OpenBSD's /etc/hostname.if file):
inet 192.168.3.1 255.255.255.0 NONE
inet alias 192.168.4.1 255.255.255.0 NONE
inet alias 192.168.5.1 255.255.255.0 NONE
inet alias 192.168.6.1 255.255.255.0 NONE
inet alias 192.168.7.1 255.255.255.0 NONE
inet alias 192.168.2.1 255.255.255.0 NONE
inet alias 172.16.1.0 255.255.0.0 NONE
inet alias 172.17.1.0 255.255.0.0 NONE
(2) External interface
The external interface is configured with the data supplied by the ISP:
inet 202.97.11.2 255.255.255.240 NONE
inet alias 202.97.11.3 255.255.255.240 NONE
inet alias 202.97.11.4 255.255.255.240 NONE
inet alias 202.97.11.5 255.255.255.240 NONE
inet alias 202.97.11.6 255.255.255.240 NONE
inet alias 202.97.11.7 255.255.255.240 NONE
inet alias 202.97.11.8 255.255.255.240 NONE
inet alias 202.97.11.9 255.255.255.240 NONE
inet alias 202.97.11.10 255.255.255.240 NONE
inet alias 202.97.11.11 255.255.255.240 NONE
The DNS server is written into resolv.conf:
nameserver 202.97.240.68
The default gateway is written into rc.local:
/sbin/route add 0.0.0.0/0 202.97.11.1
3. So that every machine in the marketing and IT departments can reach the Internet, and so that the inter-department access rules can be expressed, each subnet is defined as a table in pf.conf:
table {192.168.2.0/24}
table {192.168.2.2/32, 192.168.2.3/32, 192.168.2.4/32}
table {172.16.0.0/16}
table {172.17.0.0/16}
table {172.16.0.2/32, 172.16.0.3/32, 172.16.0.4/32}
table {192.168.4.0/24}
table {192.168.4.2/32, 192.168.4.3/32, 192.168.4.4/32}
table {192.168.3.0/24}
table {192.168.3.0/24}
table {192.168.3.2/32, 192.168.3.3/32, 192.168.3.4/32}
table {192.168.6.0/24}
table {192.168.7.0/24}
table {0.0.0.0/0, !10.0.0.0/8, !172.16.0.0/16, !172.17.0.0/16, !192.168.0.0/24}
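As an added check (not part of the original post), the following Python script emulates pf's longest-prefix table lookup for the last table above, the one that stands for "the Internet", and reports which of the company's own subnets its hosts would still fall into. It compares the table as written (negating only 192.168.0.0/24) with a hypothetical one that negates the whole RFC 1918 space; the department labels are taken from the rule names later in the post, and the .2 host of each subnet is the constructed sample address.

```python
import ipaddress

# Address plan from the article, constructed here as data for the check.
DEPARTMENT_SUBNETS = {
    "zjlbgs (general manager's office)": "192.168.2.0/24",
    "zhbgs (general office)": "192.168.3.0/24",
    "cwb (finance)": "192.168.4.0/24",
    "xxb (information)": "192.168.5.0/24",
    "public servers": "192.168.6.0/24",
    "internal servers": "192.168.7.0/24",
    "yxb (marketing)": "172.16.0.0/16",
    "scb (production)": "172.17.0.0/16",
}

# The last table of section 3, as the article writes it (typo fixed).
AS_WRITTEN = ["0.0.0.0/0", "!10.0.0.0/8", "!172.16.0.0/16",
              "!172.17.0.0/16", "!192.168.0.0/24"]
# Hypothetical corrected table: every RFC 1918 range is negated.
RFC1918_EXCLUDED = ["0.0.0.0/0", "!10.0.0.0/8", "!172.16.0.0/12",
                    "!192.168.0.0/16"]


def table_matches(entries, address):
    """Emulate a pf table lookup: the longest-prefix entry containing the
    address decides, and a negated ('!') winning entry means no match."""
    addr = ipaddress.ip_address(address)
    best_net, best_negated = None, False
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_negated = net, negated
    return best_net is not None and not best_negated


def leaked_subnets(internet_table):
    """Return the internal subnets whose hosts the table would treat as
    Internet addresses (tested with the .2 host of each subnet)."""
    leaked = []
    for name, cidr in DEPARTMENT_SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if table_matches(internet_table, str(net.network_address + 2)):
            leaked.append(name)
    return leaked


if __name__ == "__main__":
    print("treated as Internet with /24 exclusion:", leaked_subnets(AS_WRITTEN))
    print("treated as Internet with RFC 1918 exclusion:", leaked_subnets(RFC1918_EXCLUDED))
```

With the table as written, all six 192.168.x.0/24 subnets are reported, so any rule that passes traffic "to the Internet" would also pass traffic to those subnets.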
4. NAT is used so that staff can reach the Internet according to their specific needs:
nat on $ext_if inet from -> $ext_if
nat on $ext_if inet from -> $ext_if
nat on $ext_if inet from <zjlbgs_inet> -> $ext_if
nat on $ext_if inet from -> $ext_if
nat on $ext_if inet from -> $ext_if
nat on $ext_if inet from -> $ext_if
5. rdr is used so that the Internet can reach the company's public services:
rdr pass on $ext_if proto tcp from any to port 21 -> 192.168.6.2
rdr pass on $ext_if proto tcp from any to port 80 -> 192.168.6.2
6. NAT is used to meet each department's need to reach the external Internet:
7. The firewall is defined according to the inter-department access rules:
block in
block out
pass in quick on $ext_if all
pass out quick on $ext_if all
General manager's office: zjlbgs rule
pass out quick on $int_if from to any
pass in quick on $int_if from to any
pass out quick on $ext_if from <zjlbgs_inet> to
General office: zhbgs rule
pass out quick on $int_if from to 192.168.7.2
pass in quick on $int_if from to 192.168.7.2
pass in quick on $int_if from <zjlbgs_inet> to
pass out quick on $ext_if from <zjlbgs_inet> to
Production department: scb rule
pass out quick on $int_if from to 192.168.7.2
pass in quick on $int_if from to 192.168.7.2
pass in quick on $int_if from <scb_inet> to
pass out quick on $ext_if from <scb_inet> to
Finance department: cwb rule
pass out quick on $int_if from to 192.168.7.2
pass in quick on $int_if from to 192.168.7.2
pass in quick on $int_if from <cwb_inet> to
pass out quick on $ext_if from <cwb_inet> to
Marketing department: yxb rule
pass out quick on $int_if from to 192.168.7.2
pass in quick on $int_if from to 192.168.7.2
pass in quick on $int_if from <private_yxb> to
pass out quick on $ext_if from <private_yxb> to
Information department: xxb rule
pass out quick on $int_if from to 192.168.7.2
pass in quick on $int_if from <private_xxb> to 192.168.7.2
pass in quick on $int_if from <private_xxb> to
pass out quick on $ext_if from <private_xxb> to
Comments

2 comments in total

  1. me26659408 wrote on 2009-08-08 08:52:56:

    Just passing by.

  2. hantu wrote on 2009-08-07 23:47:24:

    Heh, 显