[FUG-BR] [OFF] Problem accessing the company site in the DMZ with squid enabled

Ricardo rs.freebsd at gmail.com
Thu Sep 10 13:06:17 BRT 2009


Hello list,

Sorry for the off-topic subject, but I have a problem putting squid on the firewall using PF. Before enabling squid, when users on the internal network accessed the company site, which is hosted on the web server in the DMZ, it worked normally. After I enabled squid in transparent mode, when users on the internal network try to access the site, they get the page of the Apache installed on the firewall, which is used to view sarg, and not the one from the server in the DMZ. Below is the configuration of the interfaces and of PF.

Note: the DNS is also on the web server.

Thanks in advance,

Ricardo

############## Network Interfaces ################
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:1a:3f:4c:47:86
        inet 10.10.2.1 netmask 0xffffff00 broadcast 10.28.0.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:30:48:2f:24:ba
        inet xxx.xx.xx.130 netmask 0xffffffc0 broadcast xxx.xx.xx.191
        inet xxx.xx.xx.132 netmask 0xffffffc0 broadcast xxx.xx.xx.191
        inet xxx.xx.xx.133 netmask 0xffffffc0 broadcast xxx.xx.xx.191
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:30:48:2f:24:bb
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160




######### PF ##############

#### Variables ####
# Interfaces
ext_if="em0"
dmz_if="em1"
int_if="re0"
# IPs
nkext_ip="xxx.xx.xx.130"
emlext_ip="xxx.xx.xx.132"
webext_ip="xxx.xx.xx.133"
emldmz_ip="192.168.0.3"
webdmz_ip="192.168.0.5"
# Networks
int_rd="10.10.2.0/24"
dmz_rd="192.168.0.0/24"


# Tables
table <brute> persist

# FTP-PROXY
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#### Redirection rules ####

# Squid redirect
rdr pass on $int_if inet proto tcp from $int_rd to !200.201.174.0/24 port 80 -> 127.0.0.1 port 3128

# Mail server
rdr pass on $ext_if proto tcp from any to $emlext_ip port 80 -> $emldmz_ip port 80
rdr pass on $ext_if proto tcp from any to $emlext_ip port 25 -> $emldmz_ip port 25
rdr pass on $ext_if proto tcp from any to $emlext_ip port 110 -> $emldmz_ip port 110
rdr pass on $ext_if proto tcp from any to $emlext_ip port 143 -> $emldmz_ip port 143
rdr pass on $int_if proto tcp from any to $emlext_ip port 80 -> $emldmz_ip port 80
rdr pass on $int_if proto tcp from any to $emlext_ip port 22 -> $emldmz_ip port 22
rdr pass on $int_if proto tcp from any to $emlext_ip port 25 -> $emldmz_ip port 25
rdr pass on $int_if proto tcp from any to $emlext_ip port 110 -> $emldmz_ip port 110
rdr pass on $int_if proto tcp from any to $emlext_ip port 143 -> $emldmz_ip port 143
rdr pass on $int_if proto tcp from any to $emlext_ip port 3306 -> $emldmz_ip port 3306

## Web server
rdr pass on $ext_if proto tcp from any to $webext_ip port 80 -> $webdmz_ip port 80
rdr pass on $ext_if proto tcp from any to $webext_ip port 443 -> $webdmz_ip port 443
rdr pass on $ext_if proto { tcp, udp } from any to $webext_ip port 53 -> $webdmz_ip port 53
rdr pass on $int_if proto tcp from any to $webext_ip port 80 -> $webdmz_ip port 80
rdr pass on $int_if proto tcp from any to $webext_ip port 22 -> $webdmz_ip port 22
rdr pass on $int_if proto tcp from any to $webext_ip port 443 -> $webdmz_ip port 443
rdr pass on $int_if proto { tcp, udp } from any to $webext_ip port 53 -> $webdmz_ip port 53

#### NAT rules ####
nat on $ext_if from $int_rd to any -> $ext_if
nat on $dmz_if from $int_rd to any -> $dmz_if
nat on $ext_if from $dmz_rd to any -> $ext_if
binat on $ext_if from $emldmz_ip to any -> $emlext_ip
binat on $ext_if from $webdmz_ip to any -> $webext_ip
binat on $dmz_if from $emldmz_ip to any -> $emlext_ip

# Default policy
scrub in
block log all

# Block the tables
block log quick from <brute>

# Do not filter on the loopback interface
set skip on lo0

#### Rules ####

# Port 80 (Apache)
pass in quick on $ext_if proto tcp from $fwred_ip to $nkext_ip port 80

# Port 22 (SSH)
pass in on $ext_if proto tcp from any to $nkext_ip port 22 keep state (max-src-conn 100, max-src-conn-rate 8/60 overload <brute> flush global)

# Allow outgoing tcp, udp, icmp traffic on the interfaces
pass out quick on $ext_if proto { tcp, udp, icmp } from any to any
pass out quick on $int_if proto { tcp, udp, icmp } from any to any
pass in quick on $int_if proto { tcp, udp, icmp } from any to any
pass in quick on $dmz_if proto {tcp, udp, icmp} from $dmz_rd to any

#### Mail server rules ####
pass in quick on $dmz_if proto tcp from any to $emlext_ip port {25, 143, 110}
pass out quick on $dmz_if proto tcp from any to $emlext_ip port {25, 143, 110}
pass in quick on $dmz_if proto {tcp, udp} from $emldmz_ip port {25, 143, 110} to any

#### Web server rules ####
pass in quick on $ext_if proto tcp to $webext_ip port 21
pass out quick on $ext_if proto tcp to $webext_ip port 21
pass in quick on $ext_if proto udp from $webext_ip port 1024:65535 to any port 53
pass out quick on $ext_if proto udp from $webext_ip port 1024:65535 to any port 53

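The detail that decides where an internal client's HTTP request ends up is PF's evaluation order for translation rules: rdr rules are tried top to bottom and the first one that matches a new connection is applied, later rdr rules are not consulted. In the ruleset above the squid redirect on $int_if (to anything outside 200.201.174.0/24, port 80) is listed before the $int_if redirect for $webext_ip port 80, so whether a request to the site's public address reaches squid or the DMZ web server depends on whether $webext_ip falls inside the excluded network (the post masks it as xxx.xx.xx.133, so that cannot be read off the page). The following Python model is an added example, not code from the message or from PF itself; it reimplements only the first-match rdr lookup for the two $int_if port-80 rules, using constructed stand-in addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges in place of the masked public IPs, and a constructed internal workstation 10.10.2.50. It stops at the redirect decision and does not model what squid does after it receives the connection.

```python
"""Model of PF rdr first-match evaluation for the posted pf.conf.

Added example: the rules are transcribed as data so the lookup can be run
offline; public addresses are constructed stand-ins for the masked ones.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class RdrRule:
    """One 'rdr ... on IFACE proto PROTO from SRC to [!]DST port P -> TARGET' rule."""
    iface: str
    proto: str            # "tcp", "udp" or "any" (models '{ tcp, udp }')
    src: Net
    dst: Net
    dst_negated: bool     # True models the '!' in 'to !200.201.174.0/24'
    dport: int
    target: str           # "address:port" the connection is redirected to

    def matches(self, iface: str, proto: str, src: IPv4, dst: IPv4, dport: int) -> bool:
        if iface != self.iface or self.proto not in ("any", proto):
            return False
        if src not in self.src or dport != self.dport:
            return False
        # With '!' the rule matches only destinations OUTSIDE the listed network.
        return (dst in self.dst) != self.dst_negated


def first_match(rules: List[RdrRule], iface: str, proto: str,
                src: IPv4, dst: IPv4, dport: int) -> Optional[RdrRule]:
    """PF semantics: the first rdr rule that matches is applied; later ones are ignored."""
    for rule in rules:
        if rule.matches(iface, proto, src, dst, dport):
            return rule
    return None


# Values taken from the post: interface, internal network, DMZ web server,
# squid listener and the network excluded from the squid redirect.
INT_IF, INT_RD = "re0", net("10.10.2.0/24")
WEBDMZ_IP = "192.168.0.5"
SQUID = "127.0.0.1:3128"
NO_PROXY_NET = net("200.201.174.0/24")
ANY = net("0.0.0.0/0")
# Constructed stand-in for $webext_ip (masked as xxx.xx.xx.133 in the post),
# deliberately placed OUTSIDE the excluded network.
WEBEXT_IP = IPv4("203.0.113.133")


def posted_rules() -> List[RdrRule]:
    """The two $int_if rdr rules for port 80, in the order the post lists them."""
    squid = RdrRule(INT_IF, "tcp", INT_RD, NO_PROXY_NET, True, 80, SQUID)
    web = RdrRule(INT_IF, "tcp", ANY, net(f"{WEBEXT_IP}/32"), False, 80, f"{WEBDMZ_IP}:80")
    return [squid, web]


def redirect_target(rules: List[RdrRule], dst: IPv4) -> Optional[str]:
    """Where a new HTTP connection from a constructed internal client to dst is redirected."""
    client = IPv4("10.10.2.50")   # constructed internal workstation
    rule = first_match(rules, INT_IF, "tcp", client, dst, 80)
    return rule.target if rule else None


def summary() -> dict:
    """Redirect outcome for the cases that matter in the post."""
    squid, web = posted_rules()
    return {
        "posted_order_company_site": redirect_target([squid, web], WEBEXT_IP),
        "web_rdr_first_company_site": redirect_target([web, squid], WEBEXT_IP),
        "posted_order_internet_host": redirect_target([squid, web], IPv4("198.51.100.7")),
        "posted_order_excluded_net": redirect_target([squid, web], IPv4("200.201.174.9")),
    }


if __name__ == "__main__":
    for case, target in summary().items():
        print(f"{case:28s} -> {target}")
```

With the posted order and a $webext_ip outside 200.201.174.0/24, the internal request to the company site is redirected to 127.0.0.1:3128 rather than to 192.168.0.5:80; placing the $webext_ip rdr ahead of the squid rdr (or adding $webext_ip to the squid rule's exclusion) sends it to the DMZ server instead, while ordinary Internet destinations still go through the proxy. The model only shows the first-match decision; what squid then does with a host name that resolves to an address held on the firewall's own em0 is outside it.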
