[FUGSPBR] Struggling with IPFW + NATD
Vitor de Matos Carvalho
listas em softinfo.com.br
Sun Jul 13 19:37:17 BRT 2003
Marcio,
3 interfaces. One for each network, and the third one is for the valid-IP network.
Regards,
---------------------------------------------------
Vitor de Matos Carvalho - #5602098
Softinfo Network Administrator
+55 (71)9971-5011 / +55 (71)9986-9317
Salvador - Bahia - Brazil
FreeBSD: The silent Workhorse
----- Original Message -----
From: "Márcio Luciano Donada" <marcio em sl.unochapeco.rct-sc.br>
To: "Grupo Brasileiro de Usuarios FreeBSD" <fugspbr em fugspbr.org>
Sent: Sunday, July 13, 2003 6:58 PM
Subject: Re: [FUGSPBR] Struggling with IPFW + NATD
>
>
> Hi Vitor,
> I have never done this, but since I will have to do it in a few days, let's take it
> step by step. So, how many network interfaces do you have?
>
>
> Folks,
>
> I am getting beaten up by ipfw + natd here.
>
> I have two networks here:
> 10.1.0.0/16
> 10.2.0.0/16
>
> I need to do NAT for only one network, which is 10.2.0.0/16. For the
> 10.1.0.0/16 network it is not needed, since its access will be only through the
> transparent proxy, via squid.
> But I cannot get this to work.
>
> Both networks, 10.1.0.0/16 and 10.2.0.0/16 (despite doing NAT for them), will
> have to go through the transparent proxy.
>
>
> My configs follow below:
>
> kernel:
>
> #####################################################################
> # NETWORKING OPTIONS
> #
> # Protocol families:
> # Only the INET (Internet) family is officially supported in FreeBSD.
> # Source code for the NS (Xerox Network Service) is provided for amusement
> # value.
> #
> options INET # Internet communications protocols
> options IPDIVERT # divert sockets
> options IPFIREWALL # firewall
> options IPFIREWALL_FORWARD # enable transparent proxy support
> options IPFIREWALL_VERBOSE # print information about dropped packets
> options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
> options IPFILTER # ipfilter support
> options IPFILTER_LOG # ipfilter logging
> options TCPDEBUG
>
> #
> # ICMP_BANDLIM enables icmp error response bandwidth limiting. You
> # typically want this option as it will help protect the machine from
> # D.O.S. packet attacks.
> #
> options ICMP_BANDLIM
> options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
>
> Below is /etc/rc.conf
>
> firewall_enable="YES" # Set to YES to enable firewall functionality
> firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
> firewall_type="simple" # Firewall type (see /etc/rc.firewall)
> firewall_quiet="YES" # Set to YES to suppress rule display
> natd_program="/sbin/natd" # path to natd, if you want a different one.
> natd_enable="YES" # Enable natd (if firewall_enable == YES).
> natd_interface="tun0" # Public interface or IPaddress to use.
> natd_flags="-f /etc/natd.conf" # Additional flags for natd.
>
> /etc/natd.conf
>
> interface tun0
> dynamic yes
> same_ports yes
> use_sockets yes
>
> Now on to /etc/rc.firewall
>
> ${fwcmd} add pass all from any to any via lo0
> ${fwcmd} add deny all from any to 127.0.0.0/8
> ${fwcmd} add deny ip from 127.0.0.0/8 to any
>
> # NATD
> ${fwcmd} add 50 divert natd all from ${nadm} to any via ${myif}
> ${fwcmd} add 50 divert natd all from ${nadm} to any via ${myif}
>
> # Transparent proxy
> ${fwcmd} add 51 fwd 127.0.0.1,3128 tcp from ${nadm} to any 80,81,8080
> ${fwcmd} add 51 fwd 127.0.0.1,3128 tcp from ${nacad} to any 80,81,8080
>
> # Block communication between the ACAD and ADM networks
> ${fwcmd} add 90 reset from ${acad} to ${adm}
> ${fwcmd} add 90 reset from ${adm} to ${acad}
>
> # Stop RFC1918 nets on the outside interface
> # Commented out because it is my private network
> ${fwcmd} add deny all from any to 10.0.0.0/8 via ${myif}
> ${fwcmd} add deny all from any to 172.16.0.0/12 via ${myif}
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${myif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from any to 0.0.0.0/8 via ${myif}
> ${fwcmd} add deny all from any to 169.254.0.0/16 via ${myif}
> ${fwcmd} add deny all from any to 192.0.2.0/24 via ${myif}
> ${fwcmd} add deny all from any to 224.0.0.0/4 via ${myif}
> ${fwcmd} add deny all from any to 240.0.0.0/4 via ${myif}
>
> # Stop RFC1918 nets on the outside interface
> # Commented out because it is my private network
> #${fwcmd} add deny all from 10.0.0.0/8 to any via ${myif}
> ${fwcmd} add deny all from 172.16.0.0/12 to any via ${myif}
> ${fwcmd} add deny all from 192.168.0.0/16 to any via ${myif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from 0.0.0.0/8 to any via ${myif}
> ${fwcmd} add deny all from 169.254.0.0/16 to any via ${myif}
> ${fwcmd} add deny all from 192.0.2.0/24 to any via ${myif}
> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${myif}
> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${myif}
>
> # Deny fragmented packets
> ${fwcmd} add deny all from any to any frag
>
> # check state
> ${fwcmd} add check-state
>
> # FTP to the world
> ${fwcmd} add pass tcp from ${myip} to any 21 keep-state
> ${fwcmd} add pass tcp from ${nacad} to any 21 keep-state
> ${fwcmd} add pass tcp from ${nadm} to any 21 keep-state
>
> # SSH
> ${fwcmd} add pass tcp from ${nacad} to ${ipacad} 22 keep-state
> ${fwcmd} add pass tcp from ${nadm} to ${ipadm} 22 keep-state
>
> # My DNS-Server
> ${fwcmd} add pass udp from ${myip} to ${mydns} 53 keep-state
> ${fwcmd} add pass udp from ${mydns} 53 to ${myip} keep-state
> ${fwcmd} add pass udp from ${acad} 53 to ${mydns} keep-state
> ${fwcmd} add pass udp from ${adm} 53 to ${mydns} keep-state
>
> # HTTP to the server
> ${fwcmd} add pass tcp from any to ${myip} 80 keep-state
> # HTTPS to the world
> ${fwcmd} add pass tcp from ${myip} to any 443 keep-state
> ${fwcmd} add pass tcp from ${nacad} to any 443 keep-state
> ${fwcmd} add pass tcp from ${nadm} to any 443 keep-state
>
> # Allow NTP queries out in the world
> ${fwcmd} add pass udp from ${myip} to any 123 out via ${myif} keep-state
>
> # Cvsup
> ${fwcmd} add pass tcp from ${myip} to any 5999 via ${myif} keep-state
>
> # Allow everything from the ADM network and MYIP to the world
> ${fwcmd} add 95 pass from ${myip} to any keep-state
> ${fwcmd} add 95 pass from ${adm} to any keep-state
>
> # PROXY
> ${fwcmd} add reset tcp from any to ${myip} 3128
>
> # ICMP IN and OUT
> ${fwcmd} add pass icmp from ${myip} to any icmptypes 8 keep-state
> ${fwcmd} add pass icmp from ${nacad} to ${ipacad} icmptypes 8 keep-state
> ${fwcmd} add pass icmp from ${nadm} to ${ipadm} icmptypes 8 keep-state
> ${fwcmd} add reset icmp from any to ${myip} icmptypes 5,8,9,10,12,13,14,15,16,17,18
>
> # Reject broadcasts from outside interface
> ${fwcmd} add reset ip from any to 0.0.0.255:0.0.0.255 in via ${myif}
>
> # Set the firewall to closed and log everything that is denied
> ${fwcmd} add 65534 deny log ip from any to any via tun0
>
> myip = my real IP
> nacad = acad network
> nadm = adm network
> ipacad = IP on the acad network
> ipadm = IP on the adm network
> if acad = interface of the NIC for the acad network
> if adm = interface of the NIC for the adm network
>
> What is wrong with these rules of mine?
>
>
> Regards,
>
> ---------------------------------------------------
> Vitor de Matos Carvalho - #5602098
> Softinfo Network Administrator
> +55 (71)9971-5011 / +55 (71)9986-9317
> Salvador - Bahia - Brazil
> FreeBSD: The silent Workhorse
>
> _______________________________________________________________
> Leave the list: http://www2.fugspbr.org/mailman/listinfo/fugspbr
> Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
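As an added example, not part of the thread or of FreeBSD's own rc.firewall: a dry-run POSIX shell generator for the NAT and transparent-proxy section of such a ruleset, with "echo" standing in for ipfw so the rule text can be inspected offline. It shows the point a reviewer checks first on a natd setup, that the divert rule must match both directions of a flow on the public interface, while keeping NAT limited to 10.2.0.0/16 and forwarding web traffic from both networks to squid. The public interface tun0 and squid on 127.0.0.1:3128 are taken from the post; everything else is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run generator for the NAT and
# transparent-proxy rules. "echo" stands in for ipfw so the rules can be
# read offline; set fwcmd=/sbin/ipfw on the real box.
fwcmd="echo ipfw"
myif=tun0                # public interface (from the post)
nadm=10.2.0.0/16         # ADM network: NATed
nacad=10.1.0.0/16        # ACAD network: proxy only, no NAT
proxy=127.0.0.1,3128     # squid listening locally (from the post)

gen_nat_proxy_rules() {
    # natd has to see both halves of a translated flow: the outgoing packet
    # (private source, leaving tun0) and the reply (public destination,
    # entering tun0). A divert that matches only "from $nadm" never sees the
    # reply, so it is never de-translated and the session stalls.
    $fwcmd add 50 divert natd ip from "$nadm" to any out via "$myif"
    $fwcmd add 50 divert natd ip from any to any in via "$myif"
    # Intercept web ports from both networks. No "via $myif" here: these
    # packets arrive on the inside interfaces, and the fwd must sit before
    # any pass rule for the same networks.
    for net in "$nadm" "$nacad"; do
        $fwcmd add 51 fwd "$proxy" tcp from "$net" to any 80,81,8080
    done
}

# Pre-load check: an "out via" divert needs an "in via" counterpart.
divert_is_bidirectional() {
    rules=$(gen_nat_proxy_rules)
    printf '%s\n' "$rules" | grep -q 'divert natd .* out via' &&
        printf '%s\n' "$rules" | grep -q 'divert natd .* in via'
}

# Number of fwd rules generated (one per inside network).
proxy_rule_count() {
    gen_nat_proxy_rules | grep -c "fwd $proxy "
}

gen_nat_proxy_rules
```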