[FUGSPBR] NAT with PF on OpenBSD

Moacyr Francischetti Corrêa moacyr at spacnet.com.br
Fri Nov 19 14:37:19 BRST 2004


Folks,

	Yesterday I got a NAT set up with OpenBSD, but I have a problem I
can't solve.
	I have 2 identical machines, including the same network cards
(dc0 and dc1). One runs FreeBSD and the other runs OpenBSD. I copied the PF
rules from the Free box (which is working) to the Open box and... surprise...
it doesn't work.
	I ran tcpdump -i dc0 (external card) and noticed that the packets
arriving on dc1 (internal card) are going out on dc0 without being NATed. For
example: if I ping from my machine (10.10.1.253) to any machine on the
internet, on dc0 I see

	16:15:53.775000 10.10.1.253 > hugo.uol.com.br: icmp: echo request

I followed the steps described for installing and configuring PF (setting up
rc.conf, rc.conf.local, sysctl.conf, pf.conf, the kernel, etc....).

	Does anyone know what might be going on? Below is my pf.conf, in
case anyone is interested in looking at it.

Moacyr

-------------- start pf.conf -----------
# macros
ext_if = "dc0"
int_if = "dc1"
ext_ip = "{ 200.201.202.7, 200.201.202.8 }"
int_ip = "10.10.1.35"
ext_moa = "200.201.202.8"
int_moa = "10.10.1.253"
int_net = "10.10.1.0/24"
tcp_services = "{ 22, 113 }"
tcp_svcs = "{ 22, 25, 53, 80, 110, 443, 465, 995, > 1024 }"
icmp_types = "echoreq"
priv_nets = "{
	0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8,
	169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16,
	224.0.0.0/3, 255.255.255.255	} "
unfiltered="{ lo0 }"
## OPTIONS - network settings
# use 'return' instead of 'drop' if you wish to return responses to
# connection attempts, 'drop' is the same as the 'blackhole' sysctl option
set timeout { frag 15, interval 5 }
set limit { frags 2500, states 5000 }
set optimization high-latency
set block-policy return

## NORMALIZATION - Scrubbing will automatically drop TCP packets that have
## invalid flag combinations, so there's no need for typical 'anti-portscan'
scrub in on $ext_if
scrub out on $ext_if no-df random-id min-ttl 24 max-mss 1492

# nat
no nat on $unfiltered
no rdr on $unfiltered
nat on $ext_if from $int_net to any -> $ext_moa

# Proxy FTP
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Squid
no rdr on $int_if proto tcp from 127.0.0.1 to any port 80
no rdr on $int_if proto tcp from $int_ip to any port 80
no rdr on $int_if proto tcp from $ext_ip to any port 80
rdr on $int_if proto tcp from $int_moa to any port 80 -> $ext_moa port 3128
rdr on $int_if proto tcp from $int_net to any port 80 -> 127.0.0.1 port 3128

# filter rules
pass quick on lo0 all
block log all

# antispoof _has_ to be preceded with pass in quick on lo0 all.
pass in quick on lo0  all
antispoof for { lo0, $int_if, $ext_if }
pass out log quick on $ext_if proto tcp from $ext_ip to any port 80
pass in  log quick on $ext_if proto tcp from any port 80 to $ext_ip

# Allow pings and replies while keeping state
pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state

# Keep state on all outgoing UDP and allow DNS replies
pass out on $ext_if inet proto udp keep state
pass in quick inet proto udp from any to $ext_if port 53 keep state

# Modulate state on all outgoing TCP and keep state on allowed incoming TCP
# ports
pass out log on $ext_if inet proto tcp from $ext_if to any flags S/SA modulate state
pass in  log on $ext_if inet proto tcp from any to $ext_if port $tcp_svcs flags S/SA keep state

# OS detection, yummy :)
block drop in quick on $ext_if from any os { Windows, SCO, NMAP }
# Squid
pass in log quick on $ext_if inet proto tcp from any port 80 to $ext_ip flags S/SA
pass out log quick on $ext_if inet proto tcp from $ext_ip to any port 80 flags S/SA

# Proxy FTP
block in log on $ext_if proto tcp from any to any port 8081
FTPPORTS="{ 55000 >< 57000 }"   # Port range used by active FTP
pass in quick on $ext_if proto tcp from any port 20 to $ext_if port $FTPPORTS flags S/SA keep state

# SSH
pass in on $int_if inet proto tcp from any to $int_ip port 22 flags S/SA keep state
pass out on $ext_if inet proto tcp from $int_ip to any port 22 keep state
pass in on $int_if inet proto tcp from any to $int_ip flags S/SA keep state

# mx1
pass in  quick on $int_if proto { tcp, udp } from any to 200.162.174.18 keep state
pass out quick on $int_if proto { tcp, udp } from 200.162.174.18 to any keep state

pass in  log quick on $int_if proto { tcp, udp } from $int_moa to any port 80 keep state queue (q_moacyr_http)
pass out log quick on $int_if proto { tcp, udp } from any port 80 to $int_moa keep state queue (q_moacyr_http)
pass in  log quick on $int_if proto { tcp, udp } from $int_moa to any keep state queue (q_moacyr_outros)
pass out log quick on $int_if proto { tcp, udp } from any to $int_moa keep state queue (q_moacyr_outros)

pass in  on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

-------------- end pf.conf -----------
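Added example, not part of the message above and not a FUG-BR or OpenBSD tool. When traffic leaves the external interface untranslated, the two things worth checking first are whether pfctl actually accepted the ruleset and whether the nat rule is bound to the interface the packets leave through. The ruleset posted above assigns traffic to queues (q_moacyr_http, q_moacyr_outros) but contains no ALTQ queue definitions, and pfctl refuses to load a ruleset that references an undefined queue, which is one plausible reason the copied configuration never took effect. The checker below is a small static lint for a pf.conf in this style: it parses macros (including multi-line list macros), flags references to undefined macros, flags nat rules bound to an interface other than $ext_if, and flags queue names that are used but never defined. It runs on a constructed sample that mirrors the structure of the posted file, with the exact message strings being my own choice, not pfctl's.

```python
"""Static checker for a pf.conf of the style shown in the post (added example)."""
import re
from typing import Dict, List

# Constructed sample modelled on the post's pf.conf (shortened); not the original file.
SAMPLE_PF_CONF = '''\
ext_if = "dc0"
int_if = "dc1"
ext_moa = "200.201.202.8"
int_moa = "10.10.1.253"
int_net = "10.10.1.0/24"
priv_nets = "{
\t10.0.0.0/8, 127.0.0.0/8,
\t192.168.0.0/16 }"
nat on $ext_if from $int_net to any -> $ext_moa
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
block in quick on $ext_if from $priv_nets to any
pass in log quick on $int_if proto { tcp, udp } from $int_moa to any port 80 keep state queue (q_moacyr_http)
pass in on $int_if from $int_net to any keep state
'''

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)  # value may span lines
MACRO_REF = re.compile(r'\$(\w+)')
QUEUE_REF = re.compile(r'\bqueue\s*\(([^)]*)\)')                   # "... queue (name)"
QUEUE_DEF = re.compile(r'^\s*queue\s+(\w+)', re.MULTILINE)         # ALTQ child queue line
NAT_RULE = re.compile(r'^nat\s+on\s+(\S+)')


def parse_macros(text: str) -> Dict[str, str]:
    """Collect name = "value" definitions; list values spanning lines are joined."""
    return {name: " ".join(value.split()) for name, value in MACRO_DEF.findall(text)}


def expand(line: str, macros: Dict[str, str]) -> str:
    """Substitute $name references the way pfctl does; unknown names are left as-is."""
    return MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), line)


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    macros = parse_macros(text)

    # Keep only rule lines: drop macro definitions, comments and blank lines.
    rule_lines = []
    for raw in MACRO_DEF.sub("", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rule_lines.append(line)

    # 1. References to macros that were never defined (pfctl rejects these).
    for line in rule_lines:
        for name in MACRO_REF.findall(line):
            if name not in macros:
                findings.append(f"undefined macro ${name} in: {line}")

    # 2. nat rules bound to an interface other than $ext_if. Translation is applied
    #    on the interface the packet leaves through, so a nat rule on the inside
    #    interface never matches traffic going out the external one.
    ext_if = macros.get("ext_if")
    for line in rule_lines:
        m = NAT_RULE.match(line)
        if m and ext_if:
            nat_if = expand(m.group(1), macros)
            if nat_if != ext_if:
                findings.append(f"nat rule is on {nat_if}, not on ext_if ({ext_if}): {line}")

    # 3. Queues assigned in rules but never defined: pfctl refuses such a ruleset.
    defined = set(QUEUE_DEF.findall(text))
    for line in rule_lines:
        for group in QUEUE_REF.findall(line):
            for qname in re.split(r"[\s,]+", group.strip()):
                if qname and qname not in defined:
                    findings.append(f"queue {qname} referenced but never defined: {line}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PF_CONF) or ["no findings"]:
        print(finding)
```

On the sample the only finding is the undefined queue q_moacyr_http. On a real box the same two questions are answered directly by `pfctl -nf /etc/pf.conf` (parse without loading) and `pfctl -s nat` (what the kernel actually has loaded), together with checking that net.inet.ip.forwarding=1 is set in sysctl.conf.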

