[FUG-BR] PF

Oliver Thies Paulini oliver_thies at hotmail.com
Tue Oct 30 14:48:46 BRST 2007


Sure,
I had already sent it before, but here it is below...
It's a bit messy because I'm constantly running tests..

###############################################################
# NETWORK INTERFACES
###############################################################
ext_if="bge0"
int_if="bge1"
ip_rede="10.10.1.0/24"
table <adserver>  { 10.10.1.6,10.10.1.7 }
PING = "echoreq"
TCP_IN = "{ 53, 22, 80, ssh, ftp, 20, 21 ,3000}"
UDP_IN = "{ 53, 67, 80, 20, 21,3000 }"

TCP_OUT = "{ 53, 22, 80, 20, 21, ftp, http }"
UDP_OUT = "{ 53, 80, 20, 21, domain }"

###############################################################
# NORMALIZING PACKETS
###############################################################
set timeout { tcp.first 60 tcp.opening 15 tcp.established 86400 \
tcp.closing 300 tcp.finwait 15 tcp.closed 15 }
set timeout { udp.first 30 udp.single 15 udp.multiple 30 }
set timeout { icmp.first 10 icmp.error 5 }
set timeout { other.first 30 other.single 15 other.multiple 30 }
set timeout { frag 30 interval 10 }
set limit { states 50000 frags 25000 }
set optimization aggressive
# pf keeps a single loginterface: the second line overrides the first
set loginterface $ext_if
set loginterface $int_if
set block-policy return
set require-order yes
scrub all fragment reassemble random-id no-df
###############################################################
# NAT
###############################################################
nat on $ext_if from $ip_rede to any -> ($ext_if)
###############################################################
# REDIRECTION
###############################################################
#modulate state (src.track 10)
rdr on $int_if proto tcp from $ip_rede to any port ftp -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any to 200.xx.xx.70 port www -> { <adserver> } round-robin sticky-address
# when one of the servers goes down, enable this rule and disable the one above
rdr on $ext_if proto tcp from any to 200.xx.xx.70 port www -> 10.10.1.6
#
rdr on $ext_if proto tcp from any to 200.xx.xx.70 port 2206 -> 10.10.1.6 port 22
rdr on $ext_if proto tcp from any to 200.xx.xx.70 port 2207 -> 10.10.1.7 port 22
rdr on $ext_if proto tcp from any to 200.xx.xx.70 port 2208 -> 10.10.1.5 port 2201

###############################################################
# blocking everything by default
#block in log on $int_if all
#block out log on $int_if all

# blocking spoofing
antispoof for { $ext_if } inet

# blocking scanners
block drop in quick on { $ext_if } from any os { NMAP }

# blocking ipv6 traffic
block log quick inet6

# allowing loopback
pass quick on lo0 all

# allowing ping/traceroute
pass out log on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in log on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# Opening ports
#INCOMING
#TCP
pass in quick on $ext_if inet proto tcp from any to $ext_if port $TCP_IN \
flags S/SA keep state
#UDP
#pass in quick on $ext_if inet proto udp from any to $ext_if port $UDP_IN keep state
#PING
pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $PING \
keep state

# the rules below have no "quick", no state keyword and match "to any",
# so they also pass traffic that is forwarded to the internal network
pass in on $ext_if inet proto { tcp udp } from any to any port 22
pass in on $ext_if inet proto { tcp udp } from any to any port 21
pass in on $ext_if inet proto { tcp udp } from any to any port 20
pass in on $ext_if inet proto { tcp udp } from any to any port 25
pass in on $ext_if inet proto { tcp udp } from any to any port 53
pass in on $ext_if inet proto { tcp udp } from any to any port 80
pass in on $ext_if inet proto { tcp udp } from any to any port 443
pass in on $ext_if inet proto { tcp udp } from any to any port 110
pass in on $ext_if inet proto { tcp udp } from any to any port 8080
pass in on $ext_if inet proto { tcp udp } from any to any port 6667
pass in on $ext_if inet proto { tcp udp } from any to any port 6891
pass in on $ext_if inet proto { tcp udp } from any to any port 6893
pass in on $ext_if inet proto { tcp udp } from any to any port 6900
pass in on $ext_if inet proto { tcp udp } from any to any port 1213
pass in on $ext_if inet proto { tcp udp } from any to any port 1214
pass in on $ext_if inet proto { tcp udp } from any to any port 1832
pass in on $ext_if inet proto { tcp udp } from any to any port 3094
pass in on $ext_if inet proto { tcp udp } from any to any port 3622
pass in on $ext_if inet proto { tcp udp } from any to any port 2216
# active-mode FTP data connections for ftp-proxy (runs as user proxy)
pass in on $ext_if inet proto tcp from port 20 to $ext_if \
user proxy flags S/SA keep state
#OUTGOING
#EXTERNAL INTERFACE

#TCP
pass out quick on $ext_if inet proto tcp from $ext_if to any port $TCP_OUT \
flags S/SA keep state

#UDP
pass out quick on $ext_if inet proto udp from $ext_if to any port $UDP_OUT \
keep state

#ICMP
pass out quick on $ext_if inet proto icmp from $ext_if to any icmp-type $PING \
keep state

# Allowing access
pass out log on $int_if from any to $ip_rede
pass in log on $int_if from $ip_rede to any


On Tue, 2007-10-30 at 13:34 -0200, c0re dumped wrote:

> Can you send the PF configs exactly as they run when the services
> get slow?
> 
> []'s
> 
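As an added example (not part of the original post), the checker below reads a pf.conf-style ruleset, joins the backslash-continued lines that a mail client tends to wrap, drops comments, and reports the two things that are hard to spot by eye in a ruleset like the one above: `set` options given more than once (pfctl keeps only the last one) and `pass in` rules on the external interface that match `to any`, carry no state keyword, or match TCP without `flags`. The ruleset embedded in it is a constructed excerpt modelled on the rules in the post, and the function names are my own.

```python
"""Static checks over a pf.conf ruleset.

Added example, not code from the original post: it reads pf.conf-style
text, joins backslash-continued lines, drops comments, and reports
  - `set` options given more than once (pfctl keeps only the last one);
  - `pass in` rules on the external interface whose destination is `any`
    (they also match traffic forwarded to the internal network), that
    carry no state keyword, or that match TCP without `flags`.
"""
import re
from collections import Counter

# Constructed excerpt modelled on rules in the post; not the full ruleset.
SAMPLE_PF_CONF = """\
ext_if="bge0"
set loginterface $ext_if
set loginterface $int_if
set limit { states 50000 frags 25000 }
pass in quick on $ext_if inet proto tcp from any to $ext_if port $TCP_IN \\
    flags S/SA keep state
# commented-out rules must be ignored by the checker
#pass in quick on $ext_if inet proto udp from any to $ext_if port $UDP_IN keep state
pass in on $ext_if inet proto { tcp udp } from any to any port 22
pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy flags S/SA keep state
"""


def logical_lines(text):
    """Return one normalised string per rule: comments stripped,
    backslash continuations joined, whitespace collapsed."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # '#' starts a comment
        if line.endswith("\\"):                # continuation: keep collecting
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            rules.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():                            # text ended inside a continuation
        rules.append(" ".join(buf.split()))
    return rules


def duplicate_set_options(rules):
    """Names of `set <option>` lines that occur more than once."""
    seen = Counter(m.group(1) for r in rules
                   for m in [re.match(r"set\s+([\w-]+)", r)] if m)
    return sorted(name for name, n in seen.items() if n > 1)


def loose_pass_in_rules(rules, ext_if="$ext_if"):
    """(rule, reasons) pairs for `pass in` rules on ext_if with a loose shape."""
    findings = []
    for rule in rules:
        if not re.match(r"pass\s+in\b", rule) or f"on {ext_if}" not in rule:
            continue
        reasons = []
        if re.search(r"\bto any\b", rule):
            reasons.append("destination 'any' also matches forwarded traffic")
        if not re.search(r"\b(keep|modulate|synproxy) state\b", rule):
            reasons.append("no state keyword (stateless where state is not the default)")
        if re.search(r"proto\s+(tcp\b|\{[^}]*\btcp\b)", rule) and "flags" not in rule:
            reasons.append("TCP matched without flags S/SA")
        if reasons:
            findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    rules = logical_lines(SAMPLE_PF_CONF)
    for name in duplicate_set_options(rules):
        print(f"duplicate option: set {name} (only the last one takes effect)")
    for rule, reasons in loose_pass_in_rules(rules):
        print(f"loose rule: {rule}")
        for reason in reasons:
            print(f"    - {reason}")
```

This is a shape check only; the authoritative syntax check is still `pfctl -nf /etc/pf.conf` on the firewall itself, and `pfctl -si` shows how close the state table is to the `set limit states` value when things get slow.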

