[FUG-BR] it looks like pf isn't reading the rules!

Cleyton Bertolim cbertolim em gmail.com
Wed Jul 25 14:45:06 BRT 2007


I'm sending my PF.CONF so that you can have more details
about the configuration I have here.

Here it is:


##### START OF FILE ###########################

############################################################
### Macros #################################################
############################################################
internal = "vr0"
wts_vpn = "rl0"
external = "rl1"
mpd = "ng0"

local_net = "192.168.247.0/24"
ip_fw_internal = "192.168.247.254"
ip_fw_external = "10.1.1.2"
ip_fw_wts_vpn = "202.4.143.40"

nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, \
172.16.0.0/12, 0.0.0.0/8, 169.254.0.0/16, \
192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, \
255.255.255.255/32 }"

table <caixa_ips> { 200.201.173.68 200.201.173.68/32 \
200.201.166.200 200.201.166.200/32 200.201.174.207 \
200.201.174.207/32 200.252.47.0/24 200.201.160.0/20 \
200.201.0.0/16 200.165.60.137/32 200.242.61.4 \
200.201.173.0/32 }


#--- LOG of filtering statistics -----------------------####
set block-policy drop
# pf keeps statistics for a single log interface: the second
# "set loginterface" replaces the first, so only $wts_vpn is counted.
set loginterface $external
set loginterface $wts_vpn
set state-policy if-bound


#--- No filtering on the loopback and NG0 interfaces ---####
set skip on lo0
set skip on $mpd


#--- scrub packets arriving on every filtered interface -####
scrub on { $external $internal $wts_vpn } all reassemble tcp



############################################################
### NAT of the internal IP addresses in the range         ###
### 192.168.247.0/24 to the routable/valid IP address     ###
### of interface rl0                                      ###
############################################################
nat pass on $external from $local_net to any -> $external
nat pass on $wts_vpn from $local_net to any -> $wts_vpn


############################################################
### Transparent proxy ######################################
############################################################
# Terminal Services (3389) from the LAN is redirected to the VPN-side address.
rdr pass on $internal inet proto tcp from $local_net to any port 3389 \
    -> $ip_fw_wts_vpn

# HTTP from the LAN goes to the local Squid (3128), except for <caixa_ips>.
rdr pass on $internal inet proto tcp from $local_net to !<caixa_ips> \
    port 80 -> $ip_fw_internal port 3128


############################################################
### Packet filtering #######################################
############################################################
block all
antispoof quick for { $internal $external $wts_vpn } inet


#--- Loopback @ 127.0.0.1/8 ----------------------------####
pass out quick on lo0 all
pass in quick on lo0 all


#--- NG0 @ 192.168.247.1/24 ----------------------------####
# $mpd is also listed in "set skip" above; while skip is in effect
# these two rules are never consulted.
pass out quick on $mpd all modulate state
pass in quick on $mpd all modulate state


#--- Local network @ 192.168.247.254/24 ----------------####
pass out quick on $internal all modulate state
pass in quick on $internal all modulate state
pass in quick on $internal inet proto icmp all modulate state


#--- BrT/WTS_VPN link @ 202.4.143.40/29 ----------------####
block drop out log quick on $wts_vpn from any to $nonroutable
pass out quick on $wts_vpn from any to any modulate state

# PPTP control connection (1723) only from the remote VPN peer.
pass in log quick on $wts_vpn inet proto tcp from 202.37.33.54 to \
    $ip_fw_wts_vpn port 1723 flags S/SA synproxy state
pass in log quick on $wts_vpn inet proto tcp from any to \
    $ip_fw_wts_vpn port 50000 flags S/SA synproxy state

block drop in log quick on $wts_vpn inet proto tcp from any to any flags FUP/FUP
block drop in log quick on $wts_vpn inet proto tcp from any to any flags SF/SFRA
block drop in log quick on $wts_vpn inet proto tcp from any to any flags /SFRA
block drop in quick on $wts_vpn proto tcp from any to any port = 113
block drop in log quick on $wts_vpn inet proto icmp from any to any \
    icmp-type redir
block drop in log quick on $wts_vpn from $nonroutable to any
block drop in log quick on $wts_vpn all
block return


#--- BrT/ADSL link @ 10.1.1.2/8 -------------------------####
block drop out log quick on $external from any to $nonroutable
pass out quick on $external from any to any modulate state

pass in log quick on $external inet proto tcp from any to \
    $ip_fw_external port 50000 flags S/SA synproxy state

block drop in log quick on $external inet proto tcp from any to any \
    flags FUP/FUP
block drop in log quick on $external inet proto tcp from any to any \
    flags SF/SFRA
block drop in log quick on $external inet proto tcp from any to any flags /SFRA
block drop in quick on $external proto tcp from any to any port = 113
block drop in log quick on $external inet proto icmp from any to any \
    icmp-type redir
block drop in log quick on $external from $nonroutable to any
block drop in log quick on $external all
block return

#### END OF FILE ##################
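The file above only reaches the list after a mail client has wrapped several rules across two lines, and the reply quoted below suggests that names which need DNS at boot can keep a ruleset from loading. The checker here is an example added to this archived message, not code from the original post or from the pf project: it reads a pf.conf and reports three load-time problems, statements wrapped without a trailing backslash, macros used before they are defined, and addresses that pf would have to resolve through DNS while the rules are being loaded. The statement keywords and the sample pf.conf fragment embedded in it are assumptions modelled on the file above; it is a heuristic text scan, not pfctl's parser, and does not replace `pfctl -nf /etc/pf.conf`.

```python
import re

# Keywords that may begin a top-level pf.conf statement (a subset of the
# FreeBSD 6.x pf grammar; assumption: anything else at the start of a
# logical line is a rule that was wrapped without a trailing backslash).
STATEMENT_START = {"set", "scrub", "nat", "rdr", "binat", "pass", "block",
                   "antispoof", "table", "altq", "queue", "anchor", "load"}
MACRO_DEF = re.compile(r"^([A-Za-z_]\w*)\s*=")
MACRO_USE = re.compile(r"\$([A-Za-z_]\w*)")
# A token pf can only turn into an address via DNS: contains a letter,
# at least one dot and no CIDR slash (so 0.0.0.0/8 and S/SA do not match).
HOSTNAME = re.compile(r"^!?(?=.*[A-Za-z])[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def logical_lines(text):
    """Join backslash-continued physical lines, dropping '#' comments.

    Yields (first_physical_line_no, statement_text) for every logical line,
    including empty ones, so callers can report pfctl-style line numbers.
    """
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf).strip()


def lint_pf_conf(text):
    """Return [(line_no, kind, detail)] for three load-time problems:
    'wrapped-rule'     a logical line that cannot start a statement,
    'undefined-macro'  $name used before any 'name = ...' definition
                       (pfctl parses top to bottom and rejects this),
    'hostname'         an address that needs DNS when the rules are loaded.
    """
    findings, defined = [], set()
    for no, stmt in logical_lines(text):
        if not stmt:
            continue
        macro = MACRO_DEF.match(stmt)
        if macro:
            defined.add(macro.group(1))
        elif stmt.split()[0] not in STATEMENT_START:
            findings.append((no, "wrapped-rule", stmt))
        for name in MACRO_USE.findall(stmt):
            if name not in defined:
                findings.append((no, "undefined-macro", name))
        for tok in re.split(r'[\s{},"]+', stmt):
            if HOSTNAME.match(tok):
                findings.append((no, "hostname", tok.lstrip("!")))
    return findings


# Constructed sample modelled on the posted file: one rule wrapped by the
# mail client, one macro used before it is defined, one DNS name.
SAMPLE = """\
internal = "vr0"
wts_vpn = "rl0"
ip_fw_wts_vpn = "202.4.143.40"
table <caixa_ips> { 200.201.173.68 200.201.173.68/32 \\
    200.252.47.0/24 }
set skip on lo0
rdr pass on $internal inet proto tcp from $local_net to any port 3389
-> $ip_fw_wts_vpn
pass in log quick on $wts_vpn inet proto tcp from 202.37.33.54 to \\
    $ip_fw_wts_vpn port 1723 flags S/SA synproxy state
block in on $internal from any to globo.com
"""

if __name__ == "__main__":
    for line_no, kind, detail in lint_pf_conf(SAMPLE):
        print(f"pf.conf:{line_no}: {kind}: {detail}")
```

Against a real file, call `lint_pf_conf(open("/etc/pf.conf").read())` before `pfctl -f`; an empty result only means none of these three problems was found, not that pfctl will accept the file.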





On 25/07/07, Welkson Renny de Medeiros <welkson em focusautomacao.com.br> wrote:
> Cleyton, it's a wild guess... but here goes... the same thing happened to me... if
> I'm not mistaken it was even "irado" who gave me some tips and I managed to solve it... my
> rules referenced some "domains", and since bsd was still
> starting up it couldn't resolve the domain and didn't load anything...
> (like: block in on $int_if from any to globo.com)... I don't know whether the same error
> applies to PC names listed in the /etc/hosts file... just a suggestion! no
> flames!! :-)
>
>
> --
> Welkson Renny de Medeiros
> Focus Automação Comercial
> Development / Network Management
> welkson em focusautomacao.com.br
>
>
>
>                      Powered by ....
>
>                                           (__)
>                                        \\\'',)
>                                          \/  \ ^
>                                          .\._/_)
>
>                                      www.FreeBSD.org
>
> ----- Original Message -----
> From: "Cleyton Bertolim" <cbertolim em gmail.com>
> To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)"
> <freebsd em fug.com.br>
> Sent: Wednesday, July 25, 2007 2:29 PM
> Subject: [FUG-BR] it looks like pf isn't reading the rules!
>
>
> Good afternoon BSD folks!!!!!
>
> Here's the thing: I have a server running FreeBSD-6.2-Stable, with MPD as the
> VPN server on port 1723, and PF as the firewall. The pf rules
> are working perfectly!
>
> When I power on this server, it brings up the VPN, PF starts without any
> error message, I connect to the VPN server remotely, but
> when I PING from my machine into the VPN network I get no
> reply at all, and when I try to access a share
> over the VPN, that doesn't work either. It's as if the network were disconnected!!!
> But if I log into the VPN server over SSH and type: pfctl -f
> /etc/pf.conf, everything starts working normally..... I can
> ping the machines inside the VPN and also access their
> shares!!!!
>
> It seems things only work after running the command pfctl -f
> /etc/pf.conf !!!!!
>
> Since the /etc/rc.conf file has the directives to start pf
> and also the pf.conf rules file, it is reading the rules, but
> in this VPN case it seems that even with the VPN connected I have to run
> the command to reload the PF rules.
>
> Has anyone been through this??
> What should I do??
>
> Thanks in advance!
>
> Cleyton Bertolim.
> -------------------------
> Archive: http://www.fug.com.br/historico/html/freebsd/
> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>


More information about the freebsd mailing list