[FUG-BR] Question about Route-To (PF)

Enio Marconcini eniorm at gmail.com
Mon Nov 16 15:13:21 BRST 2009


2009/11/14 Wanderson Tinti <wanderson at bsd.com.br>

> Hello, Enio.
>
> See the script below.
>
> #Macros - Variables
> local_net = "192.168.168.0/24"
> int_if1 = "xl2"
> ext_if1 = "xl0"
> ext_if2 = "xl1"
> ext_gw1 = "200.200.10.10"
> ext_gw2 = "201.201.10.10"
>
> #NAT - For both interfaces (the macro defined above is $local_net)
> nat on $ext_if1 from $local_net to any -> $ext_if1
> nat on $ext_if2 from $local_net to any -> $ext_if2
>
> #REDIRECTION
> rdr on $ext_if2 proto tcp from any to $ext_if1 port 3655 -> 192.168.168.254
>
> #FILTER RULES
>
> #ALLOW COMMUNICATION BETWEEN THE LOCAL NETWORK AND THE GATEWAY.
> pass out on $int_if1 from any to $local_net
> pass in quick on $int_if1 from $local_net to $int_if1
>
> #HTTP USES LINK2.
> pass in quick on $int_if1 route-to ($ext_if2 $ext_gw2) proto tcp from \
> $local_net to any port 80 flags S/SA modulate state
>
> #HTTPS USES LINK1.
> pass in quick on $int_if1 route-to ($ext_if1 $ext_gw1) proto tcp from \
> $local_net to any port 443 flags S/SA modulate state
>
> #SSH USES LINK2.
> pass in quick on $int_if1 route-to ($ext_if2 $ext_gw2) proto tcp from \
> $local_net to any port 22 flags S/SA modulate state
>
> #SSH - THE DEFAULT ROUTE IS LINK1. WHAT COMES IN THROUGH LINK2 ON THE SSH PORT
> #MUST GO BACK OUT THROUGH LINK2 AND NOT THROUGH LINK1 (THE DEFAULT ROUTE).
> #reply-to takes (interface gateway), so the second element is the LINK2 gateway.
> pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from \
> any to any port 22 keep state
>
> #DISTRIBUTE THE REMAINING (TCP) PACKETS OVER BOTH LINKS.
> #NOTE THAT THE PREVIOUS RULES USED THE 'quick' OPTION.
> pass in on $int_if1 route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> round-robin \
> proto tcp from $local_net to any flags S/SA modulate state
>
> #DISTRIBUTE THE REMAINING (UDP AND ICMP) PACKETS OVER BOTH LINKS.
> pass in on $int_if1 route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> round-robin \
> proto { udp, icmp } from $local_net to any keep state
>
> #ALLOW (TCP, UDP AND ICMP) PACKETS OUT THROUGH THE EXTERNAL INTERFACES.
> pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
> pass out on $ext_if1 proto { udp, icmp } from any to any keep state
> pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
> pass out on $ext_if2 proto { udp, icmp } from any to any keep state
>
> #STEER OUTGOING PACKETS TO THE CORRECT INTERFACE.
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>
>
> I suggest you test these rules without using the proxy.
> Good night.
>
>
> Regards,
> Wanderson Tinti
>


Cool, my friend, thanks for the help. I'll analyze the script and run some tests,
and report the result later.

Cheers,

-- 
ENIO RODRIGO MARCONCINI
gtalk: eniorm at gmail.com
skype: eniorm
msn: /dev/null

> FreeBSD -:- OpenBSD -:-
> Cigarette Brand Collections
< Obi-Wan has taught you well....
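Two mistakes that are easy to make in a ruleset like the one quoted above, and that `pfctl -nf` would reject before loading, are referencing a macro that was never defined and giving `route-to`/`reply-to` an interface name where the gateway address belongs. Below is an added example, not code from this thread, of a small Python checker that reports both on a constructed ruleset modelled on the quoted one; the `lint_pf_conf` function and the sample text are this example's own and do not replace a real `pfctl -nf` dry run.

```python
import re
# Constructed sample modelled on the thread's quoted ruleset (not the author's file);
# it keeps two defects: $lan_net is undefined, and reply-to names an interface as gateway.
SAMPLE_PF_CONF = """\
local_net = "192.168.168.0/24"
int_if1 = "xl2"
ext_if2 = "xl1"
ext_gw2 = "201.201.10.10"
nat on $ext_if2 from $lan_net to any -> $ext_if2
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_if2) proto tcp from any to any port 22 keep state
pass in quick on $int_if1 route-to ($ext_if2 $ext_gw2) proto tcp from \\
    $local_net to any port 80 flags S/SA modulate state
"""
MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"$')
MACRO_USE = re.compile(r'\$([A-Za-z_]\w*)')
ROUTE_OPT = re.compile(r'\b(route-to|reply-to|dup-to)\b')
GW_PAIR = re.compile(r'\(\s*([^\s)]+)\s+([^\s)]+)\s*\)')  # (interface gateway)
IPV4 = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')

def logical_lines(text):
    """Yield (first_line_no, rule): comments dropped, backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        part = raw.split('#', 1)[0].strip()
        if part.endswith('\\'):
            buf.append(part[:-1].strip())
            continue
        rule = ' '.join(p for p in buf + [part] if p)
        if rule:
            yield start, rule
        buf, start = [], None

def lint_pf_conf(text):
    """Return (line_no, message) findings: undefined macros, non-address gateways."""
    macros, findings = {}, []
    for no, rule in logical_lines(text):
        m = MACRO_DEF.match(rule)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name in MACRO_USE.findall(rule):
            if name not in macros:
                findings.append((no, f"undefined macro ${name}"))
        opt = ROUTE_OPT.search(rule)
        for _iface, gw in (GW_PAIR.findall(rule) if opt else []):
            value = macros.get(gw[1:], gw) if gw.startswith('$') else gw
            if not IPV4.match(value):
                findings.append((no, f"{opt.group(1)} gateway {gw} expands to '{value}', not an address"))
    return findings
```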
