[FUG-BR] pf e ipfw juntos.

Segunda Julho 18 08:51:58 BRT 2011

Cabral Bandeira escreveu:
> Olá, eu estou usando o pf como firewall padrão e o ipfw para controle de banda ACK, acontece que não navega com os 2 ativados, somente o ping funciona. Se eu faço pfctl -F all o internet funciona normal. Como resolver?
>
> Meu uso é como desktop, com o MacBook e OS X Lion. Não tem Suporte a ALTQ. 
>
> No ipfw uso o http://intrarts.com/throttled.html
>
> Aprendi pf em uma hora :) Acho que aprendi creio eu. 
>
> Mas gostaria de saber se preciso melhorar algo. Se abaixo.
>
> set block-policy drop
> set optimization normal
> set ruleset-optimization basic
> set timeout interval 10
> set timeout frag 30
> set skip on lo0
> set debug none
> set limit frags 4096
> set state-policy floating
> set require-order yes
>
> if = "en1"
> scrub in all
>
> # Quebra pacotes mal formados
> scrub all reassemble tcp
> scrub out all no-df max-mss 1492 random-id
> antispoof for $if inet
>
> #icmp_types="echoreq"
>
> block in
> pass out
>
> # loopback is good
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> antispoof quick for $if inet
>
> # allow icmp
> #pass in inet proto icmp all icmp-type $icmp_types 
>
> block in on $if inet proto icmp from ! 192.168.1.5 to any icmp-type 8 code 0
>
> # allow dns queries
> pass out on $if proto udp from any to any port 53 
>
> # pass http traffic
> pass out on $if proto tcp from $if to any port 80 flags S/SA 
>
> # pass ftp traffic
> pass out on $if proto tcp from $if to any port { 21 , 20 } flags S/SA 
>
> pass in quick inet proto { tcp, udp } from any to any port = 16000 
> pass out quick inet proto { tcp, udp } from any to any port = 16000
> pass in quick inet proto { tcp, udp } from any to any port = 16003 
> pass out quick inet proto { tcp, udp } from any to any port = 16003
> pass in quick inet proto { tcp, udp } from any to any port = 51413 
> pass out quick inet proto { tcp, udp } from any to any port = 51413
> pass in quick inet proto { tcp, udp } from any to any port = 38772 
> pass out quick inet proto { tcp, udp } from any to any port = 38772
>
> pass in quick inet proto udp from any to any port = 123 
> pass out quick inet proto udp from any to any port = 123
> pass in quick inet proto udp from any to any port = 192 
> pass out quick inet proto udp from any to any port = 192
> pass in quick inet proto tcp from any to any port = 443 
> pass out quick inet proto tcp from any to any port = 443
> pass in quick inet proto tcp from any to any port = 548 
> pass out quick inet proto tcp from any to any port = 548
> pass in quick inet proto udp from any to any port = 5353 
> pass out quick inet proto udp from any to any port = 5353
>
> # Ativa a proteção contra falsificações para todas as interfaces
> block in quick from urpf-failed
>
> # block scans com nmap
> block in quick proto tcp flags FUP/WEUAPRSF
> block in quick proto tcp flags WEUAPRSF/WEUAPRSF
> block in quick proto tcp flags SRAFU/WEUAPRSF
> block in quick proto tcp flags /WEUAPRSF
> block in quick proto tcp flags SR/SR
> block in quick proto tcp flags SF/SF
> block drop in quick on $if from any os { NMAP } 
>
> pass on lo0 all
>
> -----
> Cabral Bandeira
>   

Cabra,

Tive problema parecido com o pfSense.
Descobri (no chute mesmo), que você precisa DERRUBAR o pf (pfctl -d), 
ativar o ipfw e carregar as regras, e por fim carregar o pf (pfctl -e)  

Veja:
#!/bin/sh
# copie no /usr/local/etc/rc.d/ e permita execução (chmod +x focus.sh)
# OBSERVE QUE NÃO É /etc/rc.d/

# lembre de alterar SIS0 para sua placa de rede local (LAN - veja no 
ifconfig)

echo "Desativando PF..."
pfctl -d

echo "Carregando firewall"
kldload ipfw
kldload dummynet

echo "Limpando regras..."
ipfw -f flush
ipfw -f pipe flush
ipfw -f queue flush
ipfw -f table 1 flush             

echo "Cadastrando IPs na TABLE 1 - limite 300kbps"
ipfw -q table 1 add 192.168.0.249                            # servidor 
hr (replicacao)

# se usuario for da TABLE 1, saltar para regra 600 (limite 300kbps)
ipfw add skipto 600 all from any to "table(1)"

echo "Aplicanco controle de banda para os demais (500kbps) na interface 
sis0..."
ipfw 500 add pipe 11 ip from not me to 192.168.0.0/24 not src-port 
5432,445,139,22222,3389 out via sis0
ipfw pipe 11 config bw 500Kbit/s mask dst-ip 0xffffffff

echo "Aplicando controle de banda exclusivo para TABLE 1 (300kbps) na 
interface sis0..."
ipfw 600 add pipe 12 ip from not me to 192.168.0.0/24 not src-port 
5432,445,139,22222,3389 out via sis0
ipfw pipe 12 config bw 300Kbit/s mask dst-ip 0xffffffff

echo "Reativando PF..."
pfctl -e

-- 
Welkson Renny de Medeiros
Desenvolvimento / Gerência de Redes
Focus Automação Comercial
FreeBSD Community Member 