How to use FreeBSD's Packet Filter to create a secure firewall in Azure

This article introduces how to deploy a NAT firewall using FreeBSD's Packet Filter (PF) through an Azure Resource Manager template for a common web server scenario.

What is PF?

PF (Packet Filter, also written pf) is a BSD-licensed stateful packet filter, a central piece of software for firewalling. PF has evolved quickly and now has several advantages over other available firewalls. Network Address Translation (NAT) has been in PF since day one; a packet scheduler and active queue management were later integrated into PF by integrating ALTQ and making it configurable through PF's configuration. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol have also extended PF. In short, PF is a powerful and feature-rich firewall.

Get started

If you are interested in setting up a secure firewall in the cloud for your web servers, let's get started. You can also apply the scripts used in this Azure Resource Manager template to set up your own networking topology. The Azure Resource Manager template sets up one FreeBSD virtual machine that performs NAT/redirection using PF and two FreeBSD virtual machines with the Nginx web server installed and configured. In addition to performing NAT for the two web servers' egress traffic, the NAT/redirection virtual machine intercepts HTTP requests and redirects them to the two web servers in round-robin fashion. The VNet uses the private, non-routable IP address space 10.0.0.2/24, and you can modify the parameters of the template. The Azure Resource Manager template also defines a route table for the whole VNet, which is a collection of individual routes used to override the Azure default routes based on the destination IP address.

(Figure: pf_topology)
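The NAT and round-robin redirection that the template's scripts configure on the frontend VM can be expressed in a pf.conf like the following. This is an added example, not the configuration shipped with pf-freebsd-setup; it assumes the NAT VM's Azure NIC is hn0 and that the two web servers have the constructed addresses 10.0.0.5 and 10.0.0.6.

```conf
# Added example, not the template's own pf.conf.
# Assumptions: single Azure NIC hn0 on the NAT VM; web servers at the
# constructed addresses 10.0.0.5 and 10.0.0.6; all VMs share 10.0.0.0/24.
# The Azure public IP is mapped 1:1 to hn0's private address by the
# platform, so packets arrive with the NIC's private IP as destination.
ext_if = "hn0"
int_net = "10.0.0.0/24"
web_servers = "{ 10.0.0.5, 10.0.0.6 }"

# Never filter loopback
set skip on lo0

# Normalise fragments and suspicious packets before rules see them
scrub in all

# Outbound NAT for the web servers' egress traffic: rewrite the source
# to whatever address is currently assigned to the external interface
nat on $ext_if from $int_net to any -> ($ext_if)

# Intercept HTTP aimed at the NAT VM and hand it to the web servers in
# round-robin order; sticky-address keeps one client on one backend
rdr on $ext_if proto tcp from any to ($ext_if) port 80 \
    -> $web_servers round-robin sticky-address

# Default deny inbound (logged); allow outbound and keep state
block in log all
pass out quick keep state

# Management access to the NAT VM itself
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# Redirected HTTP: rdr translates before filtering, so the destination
# seen here is the web server, not the NAT VM
pass in on $ext_if proto tcp from any to $web_servers port 80 keep state

# Traffic from the web servers (same subnet, same NIC) that will be NATed
pass in on $ext_if from $int_net keep state
```

Validate with pfctl -nf /etc/pf.conf before loading it, and remember that forwarding (gateway_enable="YES" in /etc/rc.conf) and the Azure network security group rules for ports 22 and 80 are separate from PF and must also be in place.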

Deploy through Azure CLI

You need the latest Azure CLI installed and logged in to an Azure account using az login. Create a resource group with az group create. The following example creates a resource group named myResourceGroup in the China North location.

Note

Before you can use Azure CLI 2.0 in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. To switch back to global Azure, run az cloud set -n AzureCloud again.

az group create --name myResourceGroup --location chinanorth

Next, deploy the template pf-freebsd-setup with az group deployment create. Download azuredeploy.parameters.json into the same path and define your own resource values, such as adminPassword, networkPrefix, and domainNamePrefix.

az group deployment create --resource-group myResourceGroup --name myDeploymentName \
    --template-uri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/pf-freebsd-setup/azuredeploy.json \
    --parameters '@azuredeploy.parameters.json' --verbose

After about five minutes, the deployment reports "provisioningState": "Succeeded". You can then ssh to the frontend VM (NAT), or access the Nginx web servers in a browser using the public IP address or FQDN of the frontend VM (NAT). The following example lists the FQDN and public IP address assigned to the frontend VM (NAT) in the myResourceGroup resource group.

az network public-ip list --resource-group myResourceGroup

Next steps

Do you want to set up your own NAT in Azure? Open source, free, but powerful? Then PF is a good choice. By using the pf-freebsd-setup template, you need only five minutes to set up a NAT firewall with round-robin load balancing using FreeBSD's PF in Azure for a common web server scenario.

To learn about the FreeBSD offering in Azure, see the introduction to FreeBSD on Azure.

To learn more about PF, see the FreeBSD Handbook or the PF User's Guide.