[FUGSPBR] transparent proxy nat dynamic rules

xmailx xmailx at terra.com.br
Fri Aug 8 13:53:03 BRT 2003


Hello list,

transparent proxy nat dynamic rules

I have a FreeBSD 4.8 server with squid, transparent proxy, nat and dynamic
rules. The kernel is compiled for ipfw2. I am facing the following problems:

a) strange behaviour: sometimes the server seems to go into a loop. I have
noticed in the logs that a given packet is allowed by a rule, but then
blocked by the same rule.

b) problem with ftp: I have a second server (192.168.1.2, dns + mail) running
freebsd on the same network; I can ftp anywhere without problems, but the
win9x workstations do not work well: they open the site, I enter the password
when required or anonymous, but afterwards it stalls or lists only the
top-level directories of the ftp site and cannot list a sub-directory.

c) in the logs I see many deny in external_interface on port 80, usually
right after the divert log entries

other questions:

d) I have a suspicion about the divert. It comes before the check-state.
So, in theory, no dynamic rule is being created for the server's external
interface when the divert happens. In that case, the return packet would be
denied by the following rules because there is no associated dynamic rule.

e) does divert create a dynamic rule automatically? Or should I put the
divert rule after the check-state and use something like "divert natd all
from any to any via fxp0 keep-state"?

I have not found any literature on how to set up this tough trio
specifically; I usually find NATD+transparent, but nothing that includes
dynamic rules.

f) since I am using a transparent proxy, how do I also redirect, besides
port 80, the requests to ports 20,21,81,443, 1024-65535?

Any idea where I am going wrong? Any tip is always welcome.

Thanks to all

xmailx

PS: The e-mail and dns server is running on another freebsd server,
192.168.1.2


natd.conf:
interface fxp0
dynamic yes
same_ports yes
use_sockets yes

rc.conf:
nfs_reserved_port_only="YES"
sshd_enable="YES"
firewall_enable="YES"
firewall_quiet="NO"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
log_in_vain="YES"
tcp_extensions="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
portmap_enable="NO"
gateway_enable="YES"
inetd_enable="NO"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-l -u -f /etc/natd.conf"
syslogd_flags="-s -l /var/chroot/named/dev/log"
syslogd_flags=""
named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-u bind -t /var/chroot/named -c /etc/namedb/named.conf"
ifconfig_fxp0="inet 200.x1.y1.z1 netmask 255.255.255.248"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"
defaultrouter="200.x1.y1.z1"
hostname="myserver.mydomain.com.br"
firewall_type="/etc/ipfw.rules"

sysctl.conf
net.link.ether.ipfw=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

ipfw.rules
add 00200 allow all from any to any via lo0
add 000250 deny all from any to 127.0.0.0/8
add 000300 deny log all from 127.0.0.0/8 to any
add 000700 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80
add 000702 allow tcp from 192.168.1.0/24 to any 80 in via fxp1
add 000703 allow tcp from any 80 to 192.168.1.0/24 out via fxp1
add 000750 divert natd all from any to any via fxp0
add 000900 check-state
add 000950 allow layer2 not mac-type ip
add 001050 deny log all from any to any frag in via fxp0
add 001150 deny log icmp from any to any icmptypes 5 in via fxp0
add 001200 deny log ip from me to me in via fxp0
add 001250 deny log tcp from any to any setup in via fxp0
add 001300 deny log tcp from any to any 137,138,139 in via fxp0
add 001301 deny log udp from any to any 137,138,139 in via fxp0
add 001302 deny tcp from any to any 137,138,139 in via fxp1
add 001303 deny udp from any to any 137,138,139 in via fxp1
add 001400 deny log udp from any to 255.255.255.255 in via fxp0
add 001450 deny log udp from 0.0.0.0 to any in via fxp0
add 001500 deny log all from 192.168.100.1 to 224.0.0.1 in via fxp0
add 001550 deny log all from 192.168.0.0/16 to any via fxp0
add 001600 deny log all from any to 192.168.0.0/16 via fxp0
add 001650 deny log all from 172.16.0.0/12 to any via fxp0
add 001700 deny log all from any to 172.16.0.0/12 via fxp0
add 001750 deny log all from 10.0.0.0/8 to any via fxp0
add 001800 deny log all from any to 10.0.0.0/8 via fxp0
add 001900 allow udp from any 68 to any 67 in via fxp1
add 001950 allow udp from me 67 to any 68 out via fxp1
add 002100 allow udp from me to 192.168.1.2 53 out via fxp1 keep-state
add 002150 allow tcp from me to 192.168.1.2 53 out via fxp1 setup keep-state
add 002151 allow udp from me to 200.215.1.35 53 out via fxp0 keep-state
add 002152 allow tcp from me to 200.215.1.35 53 out via fxp0 setup keep-state
add 002200 allow udp from me to 200.176.2.10 53 out via fxp0 keep-state
add 002201 allow tcp from me to 200.176.2.10 53 out via fxp0 setup keep-state
add 002250 allow udp from me to 200.176.2.12 53 out via fxp0 keep-state
add 002251 allow tcp from me to 200.176.2.12 53 out via fxp0 setup keep-state
add 002450 allow udp from 192.168.1.2 to 200.215.1.35 53 in via fxp1 keep-state
add 002450 allow tcp from 192.168.1.2 to 200.215.1.35 53 in via fxp1 setup keep-state
add 002500 allow udp from 192.168.1.2 to 200.176.2.10 53 in via fxp1 keep-state
add 002501 allow tcp from 192.168.1.2 to 200.176.2.10 53 in via fxp1 setup keep-state
add 002600 allow udp from 192.168.1.2 to 200.176.2.12 53 in via fxp1 keep-state
add 002601 allow tcp from 192.168.1.2 to 200.176.2.12 53 in via fxp1 setup keep-state
add 002900 allow tcp from me to any 80,81 out via fxp0 setup keep-state
add 003050 allow tcp from me to any 443 out via fxp0 setup keep-state
add 003051 allow tcp from 192.168.1.0/24 to any 443 in via fxp1 setup keep-state
add 003052 allow tcp from 192.168.1.0/24 to any 8088 in via fxp1 setup keep-state
add 003100 allow tcp from any to any 443 in via fxp1 setup keep-state
add 003151 allow tcp from me to any 8088 out via fxp0 setup keep-state
add 003152 allow tcp from 192.168.1.0/24 to any 8088 in via fxp1 setup keep-state
add 003200 allow tcp from me to any 25 out via fxp0 setup keep-state
add 003250 allow tcp from me to any 25 out via fxp1 setup keep-state
add 003300 allow tcp from 192.168.1.2 to any 25 in via fxp1 setup keep-state
add 003350 allow tcp from me to any 110 out via fxp0 setup keep-state
add 003351 allow tcp from 192.168.1.2 to any 110 out via fxp0 setup keep-state
add 003400 allow tcp from 192.168.1.2 to any 110 in via fxp1 setup keep-state
add 003450 allow tcp from me to any 143 out via fxp0 setup keep-state
add 003500 allow tcp from 192.168.1.2 to any 143 out via fxp0 setup keep-state
add 003550 allow tcp from me to any 20-21 out via fxp0 setup keep-state
add 003551 allow tcp from me to any 1000-65000 out via fxp0 setup keep-state
add 003552 allow tcp from 192.168.1.2 to any 20-21 in via fxp1 setup keep-state
add 003600 allow tcp from 192.168.1.2 to any 1000-65000 in via fxp1 setup keep-state
add 003650 allow icmp from me to any icmptypes 3,8 out via fxp0 keep-state
add 003700 allow icmp from me to any icmptypes 3,8 out via fxp1 keep-state
add 003750 allow icmp from 192.168.1.0/24 to any icmptypes 3,8 out via fxp0 keep-state
add 003800 allow icmp from 192.168.1.0/24 to any icmptypes 3,8 in via fxp1 keep-state
add 003850 allow icmp from me to 192.168.1.0/24 icmptypes 0,3 out via fxp1 keep-state
add 004100 allow udp from me to any 33435-33500 out via fxp0 keep-state
add 004150 allow tcp from me to any 22 out via fxp0 setup keep-state
add 004300 allow tcp from 192.168.1.2 to me 22 in via fxp1 setup keep-state
add 004301 allow tcp from 192.168.1.90 to me 22 in via fxp1 setup keep-state
add 004302 allow tcp from 192.168.1.92 to me 22 in via fxp1 setup keep-state
add 004700 deny log icmp from any to any icmptypes 5 in via fxp0
add 004800 deny log icmp from any to me icmptypes 0,8 in via fxp0
add 004850 deny log tcp from any to any setup in via fxp0
add 004851 deny log tcp from any to any established in via fxp0
add 004900 deny log icmp from any to me icmptypes 0,8 in via fxp0
add 004950 deny log logamount 500 all from any to any

xmailx
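As an added example (not part of the original post, and not the poster's code), here is a small Python linter for the ordering questions in d) and e) and the port question in f), run over a constructed subset of the posted ipfw.rules. It assumes ipfw2 semantics: rules are evaluated in number order (equal numbers in insertion order) and natd re-injects a translated packet at the rule after the divert.

```python
# Constructed subset of the posted ipfw.rules (ipfw2 syntax, FreeBSD 4.x).
SAMPLE_RULES = """\
add 00700 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80
add 00750 divert natd all from any to any via fxp0
add 00900 check-state
add 02450 allow udp from 192.168.1.2 to 200.215.1.35 53 in via fxp1 keep-state
add 02450 allow tcp from 192.168.1.2 to 200.215.1.35 53 in via fxp1 setup keep-state
add 03051 allow tcp from 192.168.1.0/24 to any 443 in via fxp1 setup keep-state
add 03550 allow tcp from me to any 20-21 out via fxp0 setup keep-state
add 04950 deny log logamount 500 all from any to any
"""

def parse(text):
    """(number, action, body_tokens) per 'add N ACTION ...' line, in number order."""
    rules = [(int(t[1]), t[2], t[3:]) for t in (l.split() for l in text.splitlines())
             if len(t) >= 3 and t[0] == "add"]
    # ipfw walks rules by number; equal numbers keep insertion order (sorted is stable)
    return sorted(rules, key=lambda r: r[0])

def divert_precedes_check_state(rules):
    """True when the natd divert is evaluated before check-state. natd re-injects
    the translated packet at the rule after the divert, so a reply arriving on
    fxp0 is already rewritten to the private client address when check-state
    runs, matching the entry created when the client's SYN came in on fxp1."""
    actions = [r[1] for r in rules]
    return actions.index("divert") < actions.index("check-state")

def duplicate_numbers(rules):
    """Numbers shared by several rules: legal, but 'ipfw delete N' drops all of them."""
    nums = [r[0] for r in rules]
    return sorted({n for n in nums if nums.count(n) > 1})

def dst_port(tokens):
    """Destination port token of '... to TARGET [PORT] ...', or None."""
    i = tokens.index("to") + 2 if "to" in tokens else len(tokens)
    return tokens[i] if i < len(tokens) and tokens[i][0].isdigit() else None

def forwarded_ports(rules):
    """Ports the fwd rule(s) hand to the transparent proxy."""
    return {dst_port(r[2]) for r in rules if r[1] == "fwd"}

def lan_ports_bypassing_proxy(rules, lan_if="fxp1"):
    """Ports LAN clients reach via keep-state rules and natd rather than the proxy."""
    fwd = forwarded_ports(rules)
    inbound = [tok for _, act, tok in rules if act == "allow" and "keep-state" in tok
               and "in" in tok and "via" in tok and tok[tok.index("via") + 1] == lan_if]
    return {dst_port(t) for t in inbound if dst_port(t) and dst_port(t) not in fwd}
```

Squid's transparent interception understands plain HTTP only, so ports such as 21 (FTP control) or 443 (TLS) cannot usefully be forwarded to 3128; they stay on the natd path that the keep-state rules reported by lan_ports_bypassing_proxy define.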
