[FUG-BR] PF rules do not load at boot

Marcos Vinicius Buzo annihil4tor at gmail.com
Thu Jul 26 16:31:01 BRT 2007


Good afternoon everyone, all well?
I have a problem with pf. I certainly did something wrong, but I cannot
find my mistake. The pf rules are not loading at boot; they only load
if I run pfctl -f /etc/pf.conf or /etc/rc.d/pf start.

Here are the lines in my /etc/rc.conf that relate to pf:
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup

Here is my pf.conf:

############## MACROS ############################
##################################################

# WAN interface
ext_if = "rl0"
ext_ip = "200.xxx.xxx.106"

# LAN interface
int_if = "sk0"
int_ip = "10.xxx.xxx.31"
int_net = "10.xxx.xxx.0/24"

# LAN interface - VoIP
voip_if = "rl1"
voip_ip = "192.xxx.xxx.254"
voip_net = "192.xxx.xxx.0/24"

# Hosts on the network
dataserver_ip = "10.xxx.xxx.100"
ata_ip = "192.xxx.xxx.2"

# IPs (private address space)
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Ports
ssh_intport = "2222"
ssh_extport = "110"
##################################################

set loginterface $ext_if

############## PACKET NORMALIZATION ##############
##################################################

scrub in all

##################################################

############## ALTQ ##############################
##################################################
altq on $ext_if hfsc bandwidth 100% queue ext_up
queue ext_up bandwidth 300Kb { out_voip, out_ssh, out_email, out_others }
  queue out_voip bandwidth 50% hfsc(realtime 128Kb)
  queue out_ssh bandwidth 15% hfsc(realtime 32Kb)
  queue out_email bandwidth 10% hfsc(upperlimit 128Kb)
  queue out_others bandwidth 25% hfsc(default)

############## NAT ###############################
##################################################

# NAT - LAN -> WAN
nat on $ext_if from $int_net to any -> ($ext_if)

# NAT - VoIP LAN -> WAN
nat on $ext_if from $voip_net to any -> ($ext_if)

##################################################

############## RDR ###############################
##################################################

# RDR - FTP from the internal network -> ftp-proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port 778 -> 127.0.0.1 port 8021

# RDR - FTP for updates
#rdr on $ext_if proto tcp from any to $ext_ip port 15000 -> $dataserver_ip port 21

# RDR - VPN to dataserver
rdr on $ext_if proto tcp from any to $ext_ip port 1194 -> $dataserver_ip

# RDR - ATA / configuration / temporary
rdr on $ext_if proto tcp from 200.xxx.xxx.213 to $ext_ip port 5555 -> $ata_ip port 80

##################################################


############## FILTERS ###########################
##################################################

# BLOCK TRAFFIC ON ALL INTERFACES
block all

# ALLOW LOOPBACK
pass quick on lo0 all keep state

# ALLOW OUTBOUND ON ALL INTERFACES AND KEEP CONNECTION STATE
pass out all keep state

# SERVICE - SSH - WAN/LAN
pass in on $ext_if proto tcp from any to $ext_ip port $ssh_extport keep state queue out_ssh
pass in on $int_if proto tcp from $int_net to $int_ip port $ssh_intport keep state

# SERVICE - NTOP - LAN/WAN (PRIVATE IP)
pass in on $ext_if proto tcp from 200.xxx.xxx.213 to $ext_ip port 3000 keep state
pass in on $int_if proto tcp from $int_net to $int_ip port 3000 keep state

# pass incoming ports for ftp-proxy
pass in on $ext_if inet proto tcp from any to any port > 49151 keep state
pass in on $int_if inet proto tcp from any to any user proxy keep state

# SERVICE - OpenVPN - WAN -> dataserver
pass in on $ext_if proto tcp from any to $dataserver_ip port 1194 keep state

# ALLOW EVERYTHING FOR THE VOIP NETWORK
pass in on $voip_if from $voip_net to any keep state queue out_voip
pass in on $ext_if proto tcp from 200.xxx.xxx.213 to $ata_ip port 80 keep state

# ALLOW EVERYTHING FOR THE DIRECTOR
pass in on $int_if from 10.xxx.xxx.99 to any keep state

# ALLOW VONO FOR THE INTERNAL NETWORK
pass in on $int_if from $int_net to 201.xxx.xxx.5 keep state queue out_voip

# ALLOW RSYNC FOR THE DATA SERVER
pass in on $int_if proto {tcp,udp} from $dataserver_ip to any port 873 keep state

# ALLOW ICMP FOR THE INTERNAL NETWORK
pass in on $int_if proto icmp from $int_net to any keep state

# ALLOW FTP FOR THE INTERNAL NETWORK
pass in on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 keep state
pass in on $int_if proto tcp from $int_net to any port 21 keep state
pass in on $ext_if proto tcp from any to any port ftp-data user proxy keep state

# ALLOW BUSINESS SYSTEMS FOR THE INTERNAL NETWORK
pass in on $int_if proto {tcp,udp} from $int_net to any port {778, 779, 4606, 3007, 8017} keep state
pass in on $int_if from $int_net to 201.xxx.xxx.26 keep state

# ALLOW CAT FOR THE INTERNAL NETWORK
pass in on $int_if proto {tcp,udp} from $int_net to any port 5017 keep state

# ALLOW NTP FOR THE INTERNAL NETWORK
pass in on $int_if proto {tcp,udp} from $int_net to any port {123, 563} keep state

# ALLOW DNS FOR THE INTERNAL NETWORK
pass in on $int_if proto {tcp,udp} from $int_net to any port 53 keep state

# ALLOW EMAIL FOR THE INTERNAL NETWORK
pass in on $int_if proto {tcp,udp} from $int_net to any port 25 keep state queue out_email
pass in on $int_if proto {tcp,udp} from $int_net to any port 110 keep state

# ALLOW MSN FOR THE INTERNAL NETWORK
pass in on $int_if proto {tcp,udp} from $int_net to any port 1863 keep state

# ALLOW HTTP FOR THE INTERNAL NETWORK
pass in on $int_if proto {tcp,udp} from $int_net to any port {80,443} keep state

# ALLOW RECEITANET FOR THE INTERNAL NETWORK
pass in on $int_if proto tcp from $int_net to any port 3456 keep state

# ALLOW CONECTIVIDADE SOCIAL FOR THE INTERNAL NETWORK
pass in on $int_if proto tcp from $int_net to any port 2631 keep state

# ALLOW THE IP OF THE DIRECTOR'S SYSTEM
pass in on $int_if from $int_net to 201.xxx.xxx.26 keep state

# BLOCK PRIVATE IPS ON THE EXTERNAL INTERFACE
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets


Any help will be welcome.
Thanks.
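Added example, not part of the post above and not code from FreeBSD or pf: a small offline pre-check for a pf.conf that flags the classes of mistake that make pfctl(8) reject a ruleset as a whole (a $macro used before it is defined, a filter rule or parent queue naming a queue that is never defined, child queue percentage shares above 100% of their parent, and ALTQ with no queue marked default). The authoritative check is still `pfctl -nf /etc/pf.conf`, which parses the file without loading it; this script is for the case where you want to lint a ruleset on a workstation before copying it to the firewall. The sample ruleset embedded below is constructed for the example and deliberately contains two errors; all names in it are illustrative. The linter does not know whether the kernel supports ALTQ, which on FreeBSD requires a kernel built with `options ALTQ` and, for this ruleset, `options ALTQ_HFSC`.

```python
"""Offline pre-check for a pf.conf ruleset (added example, not pf's own code).

Catches mistakes that make pfctl(8) reject the whole file: a $macro used
before it is defined, a queue assigned or parented that is never defined,
child queue shares above 100% of their parent, and altq with no default
queue.  `pfctl -nf /etc/pf.conf` remains the authoritative parse."""
import re

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')
MACRO_USE = re.compile(r'\$([A-Za-z_]\w*)')
QUEUE_DEF = re.compile(r'^queue\s+(\w+)(.*)$')
QUEUE_REF = re.compile(r'\bqueue\s*(?:\(([^)]*)\)|\{([^}]*)\}|(\w+))')
CHILDREN = re.compile(r'\{([^}]*)\}')
PERCENT = re.compile(r'bandwidth\s+(\d+(?:\.\d+)?)%')
DEFAULT = re.compile(r'\([^)]*\bdefault\b[^)]*\)')

# Constructed sample modelled on the post's ruleset.  Two errors are
# deliberate: $ext_ip is never defined and out_web is not a queue.
SAMPLE_PF_CONF = """\
ext_if = "rl0"
int_if = "sk0"
int_net = "10.0.0.0/24"
altq on $ext_if hfsc bandwidth 100% queue ext_up
 queue ext_up bandwidth 300Kb { out_voip, out_ssh, out_others }
   queue out_voip bandwidth 50% hfsc(realtime 128Kb)
   queue out_ssh bandwidth 15% hfsc(realtime 32Kb)
   queue out_others bandwidth 25% hfsc(default)
# long rules may be wrapped with a trailing backslash
pass in on $ext_if proto tcp from any to $ext_ip port 22 \\
    keep state queue out_ssh
pass in on $int_if from $int_net to any keep state queue out_web
"""

def logical_lines(text):
    """Drop comments, join backslash continuations, collapse whitespace.
    Returns (first_line_number, line) pairs, 1-based like pfctl's messages."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append((start, " ".join(buf.split())))
        buf = ""
    return out

def lint_pf_conf(text):
    """Return human-readable problems; an empty list means the file is clean."""
    problems, macros, queues, refs, altq_seen = [], set(), {}, [], False
    for n, line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:  # macro definition; its value may expand earlier macros only
            for used in MACRO_USE.findall(m.group(2)):
                if used not in macros:
                    problems.append(f"line {n}: macro ${used} used before it is defined")
            macros.add(m.group(1))
            continue
        for used in MACRO_USE.findall(line):
            if used not in macros:
                problems.append(f"line {n}: macro ${used} used before it is defined")
        q = QUEUE_DEF.match(line)
        if q:  # queue definition: record children, % share and default flag
            name, rest = q.groups()
            kids = CHILDREN.search(rest)
            children = [c.strip() for c in kids.group(1).split(",") if c.strip()] if kids else []
            pct = PERCENT.search(rest)
            queues[name] = (n, children, float(pct.group(1)) if pct else None,
                            bool(DEFAULT.search(rest)))
            continue
        altq_seen = altq_seen or line.startswith("altq ")
        # 'queue X', 'queue(X, Y)' or 'queue { X, Y }' in altq and filter rules
        for ref in QUEUE_REF.finditer(line):
            names = next(g for g in ref.groups() if g is not None)
            refs.extend((n, nm.strip()) for nm in names.split(",") if nm.strip())

    for n, name in refs:
        if name not in queues:
            problems.append(f"line {n}: queue {name} is not defined")
    for name, (n, children, _, _) in queues.items():
        share = 0.0
        for child in children:
            if child not in queues:
                problems.append(f"line {n}: child queue {child} of {name} is not defined")
            elif queues[child][2] is not None:
                share += queues[child][2]
        if share > 100:
            problems.append(f"line {n}: children of {name} claim {share:g}% of its bandwidth")
    if altq_seen and not any(q[3] for q in queues.values()):
        problems.append("altq is configured but no queue is marked default")
    return problems

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PF_CONF
    print("\n".join(lint_pf_conf(source)) or "no problems found")
```

Run it as `python3 pflint.py /etc/pf.conf` (the file name is a placeholder); with no argument it lints the embedded sample and reports the two planted errors. The macro check is order-sensitive on purpose, because pfctl expands macros while it parses, so a macro defined below its first use is as fatal as one that is missing. Once the file passes both this check and `pfctl -nf`, `pfctl -sr` and `pfctl -sq` after a reboot show whether the rules and queues actually got loaded.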