[FUGSPBR] [OFFTOPIC] PF - Solution

Jean Everson Martina everson em inf.ufsc.br
Fri Jul 18 00:03:43 BRT 2003


I was the one who raised this issue last time, and I managed to get things working just the way I wanted, including balancing the local traffic. Here is my pf.conf for 4 links.

The only problem I still face today is FTP NAT, because ftp-proxy is garbage.


Jean

# Link balancing configuration

# Variable definitions
###############START###########################
lan_net = "192.168.0.0/16"
prov_net = "200.180.124.0/25"
int_if  = "xl1"
ext_if1 = "tun0"
ext_if2 = "tun1"
ext_if3 = "tun2"
prov_if = "xl0"
ext_gw1 = "10.0.0.1"
ext_gw2 = "10.0.0.2"
ext_gw3 = "10.0.0.3"
prov_gw = "200.180.124.1"
my_ip = "200.180.124.9"
tuns_ifs = "{tun3, tun4, tun5, tun6, tun7, tun8, tun9, tun10, tun11, tun12, tun13, tun14, tun15, tun16, tun17, tun18, tun19, tun20}"
routed_ifs = "{ xl1, tun3, tun4, tun5, tun6, tun7, tun8, tun9, tun10, tun11, tun12, tun13, tun14, tun15, tun16, tun17, tun18, tun19, tun20}"
###############END##############################

# Rules to make pf "More Aggressive" :-) - Details in the man page....
###############START###########################
set timeout {tcp.first 60, tcp.opening 15, tcp.established 86400, tcp.closing 300, tcp.finwait 15, tcp.closed 15, udp.first 30, udp.single 15, udp.multiple 30, icmp.first 10, icmp.error 5, other.first 30, other.single 15, other.multiple 30, frag 30, interval 10}
set limit { states 50000, frags 25000 }
set optimization aggressive
###############END##############################

# Rules that handle fragmented packets
###############START###########################
scrub in all fragment reassemble
scrub out all fragment reassemble
###############END##############################

# Rules that do the transparent proxy
###############START###########################
#rdr on $int_if proto tcp from $lan_net to any port 80 -> 127.0.0.1 port 3128
#rdr on $int_if proto tcp from $lan_net to 200.180.124.2 port 3128 -> 127.0.0.1 port 3128
###############END##############################

# Rule that handles the FTP connection problems - must also be enabled in inetd
###############START###########################
#rdr on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8081
###############END##############################

# NAT rules
###############START###########################
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if3 from $lan_net to any -> ($ext_if3)
nat on $ext_if1 from $my_ip to any -> ($ext_if1)
nat on $ext_if2 from $my_ip to any -> ($ext_if2)
nat on $ext_if3 from $my_ip to any -> ($ext_if3)
nat on $prov_if from $lan_net to any -> ($prov_if)
###############END##############################

# Rules to allow traffic from the internal network
###############START###########################
pass in from any to any
pass out from any to any
pass out on $int_if from any to $lan_net
pass in quick on $int_if from $lan_net to $int_if
###############END##############################

# Rules to divert routed traffic for
# specific ports through a specific link
###############START###########################
pass in quick on $routed_ifs route-to ($prov_if $prov_gw) proto tcp from $lan_net to any port {23,4000,5900,6660,6661,6662,6663,6664,6665,6666,6667,6669,7000,7001,7777,8002}
###############END##############################

# Rules to load balance the proxy's local traffic
###############START###########################
pass out quick route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from $my_ip to !$prov_net port 80
pass out quick route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from $my_ip to !$prov_net port 443
#pass out quick route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from $my_ip to !$prov_net port 21
###############END##############################

# Rules to load balance routed traffic
###############START###########################
pass in on $routed_ifs route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from $lan_net to !$prov_net flags S/SA modulate state
pass in on $routed_ifs route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto { udp, icmp } from $lan_net to !$prov_net keep state
###############END##############################

pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if3 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if3 proto { udp, icmp } from any to any keep state
pass out on $prov_if proto tcp from any to any flags S/SA modulate state
pass out on $prov_if proto { udp, icmp } from any to any keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if1 route-to ($prov_if $prov_gw) from $prov_if to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 route-to ($prov_if $prov_gw) from $prov_if to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($prov_if $prov_gw) from $prov_if to any
pass out on $prov_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $prov_if route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $prov_if route-to ($ext_if3 $ext_gw3) from $ext_if3 to any


On Thu, 17 Jul 2003 21:18:12 -0300
"Giovanni P. Tirloni" <gpt em tirloni.org> wrote:

> * Emanoel (emanoel em wildcom.com.br) wrote:
> > Giovanni,
> > 
> > I ran a test with the settings you sent me and unfortunately it still
> > doesn't work.... :-(
> 
>  It must be because of the "on $int_if" in the route-to rule. It is
>  saying it applies to everything coming in on the internal interface. Try removing
>  that part of the rule, or add it for the other interfaces too. It should
>  work :)
> 
> > pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) }
> > round-robin proto tcp from any to any flags S/SA modulate state
> > 
> > pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) }
> > round-robin proto { udp, icmp } from any to any keep state
> 
>  Hope this helps.
> 
>  --
>  Giovanni P. Tirloni
>  http://www.tirloni.org


_______________________________________________________________
Leave the list: http://www2.fugspbr.org/mailman/listinfo/fugspbr
Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
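An added check, not part of Jean's pf.conf or of the original thread: the twelve "pass out on A route-to (B gwB) from B to any" rules at the end of the config form a complete matrix, so a packet carrying one link's source address is always sent back out that link's own gateway no matter which interface the routing table picked. The script below parses an excerpt of the config above (macros and reply rules, with one rule deliberately left out) and reports every missing pair, the kind of gap that otherwise only shows up as replies leaving through the wrong provider.

```python
import re
from itertools import permutations

# Constructed excerpt of the four-link pf.conf above: its macros and the
# cross-link "pass out" rules, with the xl0 -> tun2 rule left out on purpose.
PF_CONF = """\
ext_if1 = "tun0"
ext_if2 = "tun1"
ext_if3 = "tun2"
prov_if = "xl0"
ext_gw1 = "10.0.0.1"
ext_gw2 = "10.0.0.2"
ext_gw3 = "10.0.0.3"
prov_gw = "200.180.124.1"
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if1 route-to ($prov_if $prov_gw) from $prov_if to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 route-to ($prov_if $prov_gw) from $prov_if to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($prov_if $prov_gw) from $prov_if to any
pass out on $prov_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $prov_if route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
"""
# Each external link and its gateway, taken from the macros above.
LINKS = {"tun0": "10.0.0.1", "tun1": "10.0.0.2", "tun2": "10.0.0.3", "xl0": "200.180.124.1"}

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
REPLY_RE = re.compile(r'^pass out on (\S+) route-to \((\S+) (\S+)\) from (\S+) to any$')

def parse_macros(conf):
    """Collect name = "value" macro definitions into a dict."""
    return {m[1]: m[2] for m in map(MACRO_RE.match, conf.splitlines()) if m}

def missing_reply_rules(conf, links):
    """Ordered (out_if, src_if) link pairs lacking a rule that sends packets
    sourced from src_if's address back out via src_if's own gateway."""
    macros = parse_macros(conf)
    present = set()
    for raw in conf.splitlines():
        line = re.sub(r"\$(\w+)", lambda m: macros.get(m[1], m[0]), raw)  # expand $macros
        m = REPLY_RE.match(line)
        # the rule only does its job when route-to target, gateway and source agree
        if m and m[2] == m[4] and links.get(m[2]) == m[3]:
            present.add((m[1], m[2]))
    return sorted((a, b) for a, b in permutations(links, 2) if (a, b) not in present)
```

For the excerpt the function returns [('xl0', 'tun2')], i.e. the rule "pass out on $prov_if route-to ($ext_if3 $ext_gw3) from $ext_if3 to any" is the one that is absent; a rule with the wrong gateway or a mismatched "from" interface is reported as missing too.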