[FUG-BR] help with FIBs + PF

Cleyton Bertolim cbertolim at gmail.com
Thu Nov 12 17:35:34 BRST 2009


Folks, I'm racking my brains here with FIBs...
I have two internet links, one GVT and one VIRTUA, and I'm trying to
get routing over both links working with FIBs, but it isn't working.
I don't know where I'm going wrong... I've already searched a lot on
the net and found nothing...

When the machines on the network go out to the internet through squid,
they all leave via gateway 10.0.0.1, which is GVT, and when I take that
link down everything drops; the machines do not go out through the Net
Virtua link, whose gateway is 172.16.0.1.

If anyone can shed some light... point out where I'm going wrong... I'd be grateful!


Take a look at my configuration files:

===========================================================================================
[firewall] # more loader.conf
net.fibs="6"

===========================================================================================
[firewall] # more pf.conf
############################################################
### Macros #################################################
############################################################
external_virtua = "re0"
external_gvt = "re1"
internal = "rl0"
gw_virtua = "172.16.0.1"
gw_gvt = "10.0.0.1"

external_net_virtua = "172.16.0.0/16"
external_net_gvt = "10.0.0.0/8"
internal_net = "192.168.252.0/24"
ip_fw_internal = "192.168.252.254"

# Destinations that bypass the transparent proxy ("ips_ext_sem_filtragem" =
# external IPs without filtering); the list is reproduced as posted.
table <ips_ext_sem_filtragem> { 200.201.173.68 200.201.173.68/32 \
    200.201.166.200 200.201.166.200/32 200.201.174.207 200.160.243.99 200.230.161.110 \
    200.201.174.207/32 200.252.47.0/24 200.201.160.0/20 \
    200.201.0.0/16 200.165.60.137/32 200.242.61.4 200.181.70.133 \
    200.201.173.0/32 200.201.174.0/24 200.208.15.135 200.99.6.65 \
    200.208.16.135 161.148.231.100 200.208.15.105 200.99.6.66 \
    200.155.84.15 200.155.88.15 200.208.16.105 200.238.107.164 \
    200.201.174.204 200.201.174.0/32 201.18.55.22 200.241.224.136 \
    200.185.17.235 63.241.251.9 63.241.251.18 200.211.99.136 \
    200.229.201.210 200.174.44.22 200.196.152.72 69.17.117.207 161.148.231.100 }

#--- Filtering statistics log -------------------------####
set block-policy drop
set state-policy if-bound
# pf keeps counters for a single loginterface; the second "set loginterface"
# overrides the first, so only $external_gvt is actually counted.
set loginterface $external_virtua
set loginterface $external_gvt

#--- Do not filter on the loopback interface -----------####
set skip on lo

#--- Scrub incoming packets ----------------------------####
scrub on { $external_virtua $external_gvt $internal } all reassemble tcp

############################################################
### NAT for the internal 192.168.252.0/24 range          ###
### to the public IP address of each $external interface ###
############################################################
nat pass on $external_virtua from $internal_net to any -> ($external_virtua)
nat pass on $external_gvt from $internal_net to any -> ($external_gvt)

############################################################
### Transparent proxy ######################################
############################################################
rdr pass on $internal inet proto tcp from $internal_net to !<ips_ext_sem_filtragem> port 80 -> $ip_fw_internal port 3128

############################################################
### Packet filtering #######################################
############################################################
block log all
antispoof quick for { $external_virtua $external_gvt $internal } inet

#--- Virtua link @ 172.16.0.2/16 --------------------------####
# Packets carrying the GVT source address that the routing table handed
# to re0 are pushed back out through the GVT gateway.
pass out quick on $external_virtua route-to ($external_gvt $gw_gvt) from $external_gvt to any
pass out quick on $external_virtua all modulate state
pass out quick on $external_virtua inet proto icmp all modulate state

pass in log quick on $external_virtua inet proto tcp from any to $external_virtua port 22 flags S/SA synproxy state

block drop in log quick on $external_virtua inet proto tcp from any to any flags FUP/FUP
block drop in log quick on $external_virtua inet proto tcp from any to any flags SF/SFRA
block drop in log quick on $external_virtua inet proto tcp from any to any flags /SFRA
block drop in quick on $external_virtua proto tcp from any to any port = 113
block drop in log quick on $external_virtua inet proto icmp from any to any icmp-type redir
block drop in log quick on $external_virtua all
block return

#--- GVT link @ 10.0.0.2/8 -------------------------------####
# Same repair rule in the other direction: Virtua-sourced packets that
# the routing table handed to re1 go back out through the Virtua gateway.
pass out quick on $external_gvt route-to ($external_virtua $gw_virtua) from $external_virtua to any
pass out quick on $external_gvt all modulate state
pass out quick on $external_gvt inet proto icmp all modulate state

pass in log quick on $external_gvt inet proto tcp from any to $external_gvt port 22 flags S/SA synproxy state

block drop in log quick on $external_gvt inet proto tcp from any to any flags FUP/FUP
block drop in log quick on $external_gvt inet proto tcp from any to any flags SF/SFRA
block drop in log quick on $external_gvt inet proto tcp from any to any flags /SFRA
block drop in quick on $external_gvt proto tcp from any to any port = 113
block drop in log quick on $external_gvt inet proto icmp from any to any icmp-type redir
block drop in log quick on $external_gvt all
block return

#--- Local network @ 192.168.252.254/24 ----------------####
pass out log quick on $internal all modulate state
pass out quick on $internal inet proto icmp all modulate state

# This quick rule matches every packet arriving on rl0, so the route-to
# rule below it is never evaluated; forwarded traffic simply follows the
# routing table, whose default route points at 10.0.0.1 (GVT).
pass in log quick on $internal all modulate state
pass in quick on $internal inet proto icmp all modulate state

pass in on $internal route-to \
        { ($external_virtua $gw_virtua), ($external_gvt $gw_gvt) } round-robin \
        from $internal_net to any keep state

#--- Loopback @ 127.0.0.1/8 ----------------------------####
pass out quick on lo0 all
pass in quick on lo0 all

===========================================================================================
[firewall] # more rc.conf
##############################
#### NETWORK CONFIGURATION ####
##############################
hostname="firewall.bsd"
ifconfig_re0="inet 172.16.0.2  netmask 255.255.0.0" # NET VIRTUA
ifconfig_re1="inet 10.0.0.2  netmask 255.0.0.0" # ADSL GVT
ifconfig_rl0="inet 192.168.252.254  netmask 255.255.255.0"

############################################
#### DISABLED SERVICES/PROGRAMS ####
############################################
nfs_server_enable="NO"
nfs_client_enable="NO"
nfs_reserved_port_only="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
moused_enable="NO"
moused_type="NO"
rpcbind_enable="NO"
inetd_enable="NO"
check_quotas="NO"

#############################################
#### SERVICES/PROGRAMS STARTED AT BOOT ####
#############################################
apache22_enable="YES"
squid_enable="YES"
samba_enable="YES"
gateway_enable="YES"
openssh_enable="YES"
dhcpd_enable="YES"
dhcpd_ifaces="rl0"

###########################
#### NETWORK SECURITY ####
###########################
icmp_drop_redirect="YES"
icmp_bmcastecho="NO"
tcp_keepalive="YES"
tcp_extensions="YES"
icmp_bandlim="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

################################
#### SYSTEM AND NETWORK LOGS ####
################################
syslogd_flags="-ss"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

#############################
#### KERNEL SECURITY ####
#############################
kern_securelevel_enable="YES"
kern_securelevel="-1"

##############################
#### OTHER SETTINGS ####
##############################
clear_tmp_enable="YES"
update_motd="NO"
keyrate="fast"
keymap="br275.iso.acc"

===========================================================================================
[firewall] # more rc.local
#!/bin/sh
# Per-FIB default routes: FIB 0 (used by every process unless it is started
# with setfib(1)) prefers GVT, FIB 1 prefers Virtua.
echo Adding routes...
/usr/sbin/setfib 0 route add default 10.0.0.1
/usr/sbin/setfib 1 route add default 172.16.0.1

===========================================================================================
[firewall] ~/bkp# more sysctl.conf
# SYSTEM
security.bsd.see_other_uids=0
net.link.ether.inet.log_arp_wrong_iface=0
kern.coredump=0

# IP
net.inet.ip.check_interface=1
net.inet.ip.random_id=1
net.inet.ip.forwarding=1
net.inet.ip.process_options=0

# ICMP
net.inet.icmp.maskrepl=0

# TCP
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.syncookies=1
net.inet.tcp.blackhole=2
net.inet.tcp.log_in_vain=1
net.inet.tcp.sack.enable=1
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.inflight.enable=0

# UDP
net.inet.udp.blackhole=1
net.inet.udp.log_in_vain=1

===========================================================================================
[firewall] # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.0.1           UGS         0    61170    re1
10.0.0.0/8         link#3             UC          0        0    re1
10.0.0.1           00:18:d1:87:70:d9  UHLW        2        6    re1    428
10.0.0.2           00:1d:7d:88:9d:76  UHLW        1        6    lo0
127.0.0.1          127.0.0.1          UH          0        0    lo0
172.16.0.0/16      link#2             UC          0        0    re0
172.16.0.1         00:1b:11:56:b1:3b  UHLW        1        0    re0    702
192.168.252.0/24   link#1             UC          0        0    rl0
192.168.252.10     00:24:01:17:2a:0b  UHLW        1       27    rl0   1153

===========================================================================================
[firewall] # setfib 1 netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.16.0.1         UGS         0        0    re0
10.0.0.0/8         link#3             UC          0        0    re1
10.0.0.1           00:18:d1:87:70:d9  UHLW        1        0    re1    357
127.0.0.1          127.0.0.1          UH          0        0    lo0
172.16.0.0/16      link#2             UC          0        0    re0
172.16.0.1         00:1b:11:56:b1:3b  UHLW        2        0    re0    631
192.168.252.0/24   link#1             UC          0        0    rl0
192.168.252.10     00:24:01:17:2a:0b  UHLW        1        0    rl0   1191
192.168.252.11     00:16:ec:4f:e4:58  UHLW        1        0    rl0   1188
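Two things in the posted ruleset account for the symptom, and the fragment below (an added example for this thread, not the poster's ruleset) shows the ordering used by the OpenBSD PF FAQ multi-WAN recipe that the posted rules are based on. First, pf evaluates rules in order and the `pass in log quick on $internal all modulate state` rule matches every packet from the LAN before the `route-to ... round-robin` rule is reached, so forwarded traffic never gets a route-to and follows the routing table, whose default route is GVT. Second, the rdr hands port 80 to squid on the firewall itself; squid then opens its own connections, and packets the firewall originates are routed by FIB 0's default route, never by a `pass in on $internal` rule, so proxied web traffic goes to GVT whatever the pool says. PF's route-to does not consult the extra FIBs at all; `net.fibs` only matters for processes started with setfib(1). The interface and gateway macros are the post's; `wan_pool` and the `reply-to` rules are new, and the scrub line, the bypass table, the rdr and the per-link block rules are unchanged from the post and omitted here.

```pf
# Added example for this thread (not the poster's ruleset): the multi-WAN
# part of pf.conf with the rule order fixed.  Interface and gateway macros
# are the post's; wan_pool and the reply-to rules are new.
external_virtua = "re0"
external_gvt    = "re1"
internal        = "rl0"
gw_virtua       = "172.16.0.1"
gw_gvt          = "10.0.0.1"
internal_net    = "192.168.252.0/24"
ip_fw_internal  = "192.168.252.254"

# Gateway pool for forwarded LAN traffic.  A link monitor can replace it at
# reload time, e.g.  pfctl -D 'wan_pool=(re0 172.16.0.1)' -f /etc/pf.conf
wan_pool = "{ (re1 10.0.0.1), (re0 172.16.0.1) } round-robin"

set block-policy drop
set state-policy if-bound
set skip on lo

nat pass on $external_virtua from $internal_net to any -> ($external_virtua)
nat pass on $external_gvt    from $internal_net to any -> ($external_gvt)
# rdr of port 80 to squid on $ip_fw_internal port 3128 as in the post

block log all
antispoof quick for { $external_virtua $external_gvt $internal } inet

# 1. LAN traffic addressed to the firewall itself (squid on 3128 after the
#    rdr, DNS, samba) must not be route-to'd: match it first, with quick.
pass in quick on $internal from $internal_net to $ip_fw_internal keep state

# 2. Forwarded LAN traffic gets the pool.  This has to precede any generic
#    "pass in ... all" on $internal: a quick rule there wins and the
#    route-to is never applied.
pass in quick on $internal route-to $wan_pool from $internal_net to any keep state
pass out quick on $internal all keep state

# 3. Outbound on the links.  The two route-to rules repair packets that the
#    routing table sent out one link with the other link's source address
#    (the firewall's own traffic right after a default-route change, say).
pass out quick on $external_virtua route-to ($external_gvt $gw_gvt) from $external_gvt to any
pass out quick on $external_gvt route-to ($external_virtua $gw_virtua) from $external_virtua to any
pass out quick on $external_virtua all modulate state
pass out quick on $external_gvt    all modulate state

# 4. Inbound ssh on each link: reply-to makes the answers leave through the
#    link the SYN arrived on instead of following the default route.
pass in quick on $external_virtua reply-to ($external_virtua $gw_virtua) \
    proto tcp from any to ($external_virtua) port 22 flags S/SA synproxy state
pass in quick on $external_gvt reply-to ($external_gvt $gw_gvt) \
    proto tcp from any to ($external_gvt) port 22 flags S/SA synproxy state
```

Check the ordering with `pfctl -nvf /etc/pf.conf` before loading it; `round-robin` only spreads new states across the two gateways, it does not notice a dead link, so a monitor that rewrites `wan_pool` is still needed for failover.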


More information about the freebsd mailing list
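Even with the route-to rule reachable, nothing in the post detects a dead link: the pool keeps handing half the new states to the dead gateway, and squid's own connections keep following FIB 0's default route. The script below is an added example for this thread, not the poster's code. It uses the post's FIB layout (FIB 0 default via GVT, FIB 1 default via Virtua) to probe each link through its own default route with `setfib ping`, then rewrites FIB 0's default route for the firewall's own traffic and reloads pf with a `wan_pool` macro that lists only the live gateways. It assumes pf.conf defines a `wan_pool` macro and uses it as `route-to $wan_pool` on the internal interface; the probe targets (TEST-NET addresses to be replaced), the state-file path and the cron schedule are assumptions that are not in the original post.

```shell
#!/bin/sh
# wan-failover.sh: added example for this thread, not the poster's script.
# Run from cron every minute on the FreeBSD firewall described in the post.
# Assumptions not in the post: PROBE_* targets, the wan_pool macro in
# pf.conf, and the state-file path.

# Interfaces, gateways and FIBs exactly as in the posted pf.conf / rc.local.
GVT_IF=re1;    GVT_GW=10.0.0.1;      GVT_FIB=0
VIRTUA_IF=re0; VIRTUA_GW=172.16.0.1; VIRTUA_FIB=1

# Probe targets (assumed placeholders from TEST-NET-2/3; use real hosts
# outside both ISPs that answer ICMP echo).
PROBE_GVT=${PROBE_GVT:-198.51.100.1}
PROBE_VIRTUA=${PROBE_VIRTUA:-203.0.113.1}

PF_CONF=${PF_CONF:-/etc/pf.conf}
STATE=${STATE:-/var/run/wan-failover.state}

# link_up FIB TARGET: probe TARGET through the default route of FIB.
# Exit 0 means at least one of the two echo requests was answered.
link_up() {
    setfib "$1" ping -c 2 -t 3 -q "$2" >/dev/null 2>&1
}

# pool_for GVT_STATE VIRTUA_STATE: the value for the wan_pool macro given
# each link's state ("up" or "down").  With both links dead there is nothing
# better to do, so the preferred link is kept and pf.conf still parses.
pool_for() {
    case "$1,$2" in
        up,up)   echo "{ ($GVT_IF $GVT_GW), ($VIRTUA_IF $VIRTUA_GW) } round-robin" ;;
        down,up) echo "($VIRTUA_IF $VIRTUA_GW)" ;;
        *)       echo "($GVT_IF $GVT_GW)" ;;
    esac
}

# default_gw_for GVT_STATE VIRTUA_STATE: gateway FIB 0 should use for the
# traffic the firewall itself originates (squid, DNS).  GVT is preferred.
default_gw_for() {
    case "$1,$2" in
        down,up) echo "$VIRTUA_GW" ;;
        *)       echo "$GVT_GW" ;;
    esac
}

# apply GVT_STATE VIRTUA_STATE: point FIB 0's default route at a live
# gateway and reload pf with the new pool.  pfctl -D overrides the
# wan_pool definition inside pf.conf.
apply() {
    setfib 0 route -q change default "$(default_gw_for "$1" "$2")"
    pfctl -q -D "wan_pool=$(pool_for "$1" "$2")" -f "$PF_CONF"
    # States through the dead link are already broken; flushing them lets
    # clients reconnect via the live link at once, at the cost of dropping
    # connections that were still fine on the other link.
    pfctl -q -F states
}

main() {
    gvt=down;    link_up "$GVT_FIB"    "$PROBE_GVT"    && gvt=up
    virtua=down; link_up "$VIRTUA_FIB" "$PROBE_VIRTUA" && virtua=up
    new="$gvt,$virtua"
    old=$(cat "$STATE" 2>/dev/null)
    # Only touch routes and pf when the set of live links changed.
    if [ "$new" != "$old" ]; then
        logger -t wan-failover "links changed: gvt=$gvt virtua=$virtua"
        apply "$gvt" "$virtua"
        echo "$new" > "$STATE"
    fi
}

# Act only when invoked as "wan-failover.sh run", so the functions above can
# be sourced and exercised without touching routes or pf.
if [ "${1:-}" = run ]; then
    main
fi
```

Install it with a crontab line such as `* * * * * /usr/local/sbin/wan-failover.sh run` and give it a minute of back-to-back probe failures before trusting it in production; with the posted `set state-policy if-bound` the `pfctl -F states` line can be dropped if losing live connections on the healthy link is worse than waiting for the dead ones to time out.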