[FUG-BR] 1 internet link for each internal network.
Mario Lobo
lobo at bsd.com.br
Thu Jun 2 10:17:34 BRT 2011
Good morning everyone;
I will soon have the following situation:
1 link of 1M for the internal network 10.10.10.x
1 link of 2M for the internal networks 198.162.0.x and 172.16.3.x
My question is how to implement this. Currently I use pf as the firewall,
with one network card for each internal network and one for each internet link (5
total).
I adapted my current pf.conf for the 2 links. I haven't tested it yet because the 2nd
link isn't installed yet. I'd like
your comments, whether my reasoning is correct, whether it's all wrong,
etc... FreeBSD's default router is the 2M link.
FBSD 8.2-STABLE
### pf.conf
################[ Macros ]####################################
### Interfaces ###
ifext_1M="sis0"
gwip_1M="xx.xx.xx.xx"
ifext_2M="rl1"
gwip_2M="yy.yy.yy.yy"
### Network ifs ###
ifint_aln="dc0"
ifint_lab="vr0"
ifint_enc="rl0"
### Networks ###
rede_1M="10.10.10.0/24"
rede_2Ma="192.168.0.0/24"
rede_2Mb="172.16.3.0/24"
# Macros referenced below but not defined above ($ad_dns, $brightmail, $exchange,
# $srvmic2008, $SshPort, $FtpPort and the $Allow_*_ports_* lists) are not shown in this post.
################[ Queueing ]##################################
################[ Translation ]###############################
### NAT
# enc network leaves through the 1M link, aln and lab through the 2M link
nat on $ifext_1M from $ifint_enc:network to any -> $ifext_1M port 1024:65535
nat on $ifext_2M from { $ifint_aln:network, $ifint_lab:network } to any -> $ifext_2M port 1024:65535
### RDR
no rdr on lo0 from any to any
# FW Servers -----------------------------------
# mail /owa
rdr on $ifext_2M inet proto tcp to port smtp -> $brightmail port smtp
rdr on $ifext_2M inet proto tcp to port https -> $exchange port https
# DENY rogue redirections
no rdr
################[ Filtering ]#################################
### unconditional passes
pass quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_aln:network to $ifint_aln:network
pass quick on $ifint_lab inet proto { tcp, udp, icmp } from $ifint_lab:network to $ifint_lab:network
pass quick on $ifint_enc inet proto { tcp, udp, icmp } from $ifint_enc:network to $ifint_enc:network
# allow lab to see DNS
pass quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_lab:network to $ad_dns
# route enc network - no restrictions (policy-routed out the 1M link)
pass in quick on $ifint_enc route-to ( $ifext_1M $gwip_1M ) inet from $ifint_enc:network to !$ifint_enc keep state
# From gateway -----------------
pass out quick on $ifint_enc inet proto { tcp, udp, icmp } from $ifint_enc to any keep state
### Quick blocks
block in on $ifext_1M inet from any to !($ifext_1M)
block in on $ifext_2M inet from any to !($ifext_2M)
# Ftp ( secure ftp-proxy )
anchor "ftp-proxy/*"
### Allowances
# From LAB -------------------------------------------------------------------
# lab traffic is policy-routed out the 2M link
pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto tcp from $ifint_lab:network to !$ifint_lab port $Allow_tcp_ports_lab
pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto udp from $ifint_lab:network to !$ifint_lab port $Allow_udp_ports_lab
pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto icmp from $ifint_lab:network to !$ifint_lab icmp-type { echorep, echoreq, timex, unreach }
pass out quick on $ifint_lab inet proto tcp tagged ftp_proxy modulate state
# From gateway -----------------
pass out quick on $ifint_lab inet proto { tcp, udp, icmp } from $ifint_lab to any keep state
# From ALN -------------------------------------------------------------------
pass in quick on $ifint_aln inet proto tcp from any to lo0 port $SshPort flags S/SA keep state (max 20, source-track rule, max-src-nodes 2, max-src-states 10)
pass in quick on $ifint_aln inet proto tcp from any to lo0 port $FtpPort flags S/SA keep state (max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)
# aln traffic is policy-routed out the 2M link
pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto tcp from $ifint_aln:network to !$ifint_aln port $Allow_tcp_ports_aln flags S/SA modulate state
# proto was "tcp" here in the original post, which would never match the UDP port list; corrected to udp
pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto udp from $ifint_aln:network to !$ifint_aln port $Allow_udp_ports_aln keep state
pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto icmp from $ifint_aln:network to !$ifint_aln icmp-type { echorep, echoreq, timex, unreach } keep state
# To Servers ------------------
pass out quick on $ifint_aln inet proto tcp from any to $brightmail port smtp flags S/SA modulate state (max 100, source-track rule, max-src-nodes 30, max-src-states 5, max-src-conn-rate 10/300, overload <banned> flush global, tcp.established 45)
pass out quick on $ifint_aln inet proto tcp from any to $exchange port 443 flags S/SA modulate state
pass out quick on $ifint_aln inet proto tcp from any to $srvmic2008 port 21 flags S/SA modulate state
# From gateway -----------------
pass out quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_aln to any keep state
## end pf.conf
Thanks for your attention;
--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since version 2.2.8 [not Pro-Audio.... YET!!] (99,7% winfoes FREE)
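The configuration above pairs each internal network with one uplink twice: once in a nat rule on the external interface and once in a route-to pass rule on the internal interface. Those two halves must agree, because a network that route-to sends out an uplink with no nat rule on that interface leaves with its private source address and never gets replies, and pfctl -nf will not flag it since the syntax is valid. The following is an added example, not code from the post or from the pf project: a small Python checker that joins backslash-continued lines, strips comments, reports macros that are referenced but never defined, and cross-checks the route-to uplink of each internal interface against the nat rules. The embedded SAMPLE_PF_CONF is constructed for the example, modelled on the post's macro names; it deliberately leaves $Allow_tcp_ports_lab undefined and omits the lab network from the 2M nat rule so both checks fire.

```python
"""Consistency checks for a multi-uplink pf.conf (added example, not from the post)."""
import re

# Constructed sample modelled on the post. Two defects are planted on purpose:
# $Allow_tcp_ports_lab is never defined, and the lab network is routed out
# $ifext_2M but the nat rule on $ifext_2M no longer covers it.
SAMPLE_PF_CONF = r"""
ifext_1M="sis0"
gwip_1M="xx.xx.xx.xx"
ifext_2M="rl1"
gwip_2M="yy.yy.yy.yy"
ifint_aln="dc0"
ifint_lab="vr0"
ifint_enc="rl0"
# enc -> 1M link, aln (and, intended, lab) -> 2M link
nat on $ifext_1M from $ifint_enc:network to any -> $ifext_1M port 1024:65535
nat on $ifext_2M from { $ifint_aln:network } to any -> \
    $ifext_2M port 1024:65535
pass in quick on $ifint_enc route-to ( $ifext_1M $gwip_1M ) inet from \
    $ifint_enc:network to !$ifint_enc keep state
pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto tcp \
    from $ifint_lab:network to !$ifint_lab port $Allow_tcp_ports_lab
pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto tcp \
    from $ifint_aln:network to !$ifint_aln port 80
"""

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
# "pass in ... on $INT ... route-to ( $EXT $GW )"
ROUTE_TO = re.compile(
    r'^pass\s+in\b.*?\bon\s+\$(\w+)\b.*?\broute-to\s*\(\s*\$(\w+)\s+\$(\w+)\s*\)')
# "nat on $EXT from <sources> to ... -> $EXT2 ..."
NAT_RULE = re.compile(r'^nat\s+on\s+\$(\w+)\s+from\s+(.*?)\s+to\s+.*?->\s*\$(\w+)')
NET_REF = re.compile(r'\$(\w+):network')


def logical_lines(text):
    """Strip '#' comments and blank lines; join lines continued with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            out.append(line)
    if buf.strip():
        out.append(buf.strip())
    return out


def macro_definitions(lines):
    """name -> value for every  name="value"  line."""
    return {m.group(1): m.group(2) for m in map(MACRO_DEF.match, lines) if m}


def undefined_macros(lines):
    """Sorted names that are used as $name but never defined (pfctl would reject these)."""
    referenced = {name for line in lines for name in MACRO_REF.findall(line)}
    return sorted(referenced - set(macro_definitions(lines)))


def route_to_uplinks(lines):
    """internal iface macro -> (external iface macro, gateway macro) taken from route-to rules."""
    result = {}
    for line in lines:
        m = ROUTE_TO.match(line)
        if m:
            result[m.group(1)] = (m.group(2), m.group(3))
    return result


def nat_uplinks(lines):
    """internal iface macro -> set of external iface macros whose nat rule covers its :network."""
    result = {}
    for line in lines:
        m = NAT_RULE.match(line)
        if m:
            for net in NET_REF.findall(m.group(2)):
                result.setdefault(net, set()).add(m.group(1))
    return result


def check_uplink_consistency(lines):
    """Networks whose route-to uplink has no nat rule on that uplink.

    Such packets leave the uplink with an RFC 1918 source address: the
    upstream either drops them or the replies never come back.
    """
    nat = nat_uplinks(lines)
    return [
        f"{int_if}: route-to via ${ext_if} but no nat on ${ext_if} for ${int_if}:network"
        for int_if, (ext_if, _gw) in sorted(route_to_uplinks(lines).items())
        if ext_if not in nat.get(int_if, set())
    ]


def audit(text):
    """Run both checks over one pf.conf text."""
    lines = logical_lines(text)
    return {"undefined_macros": undefined_macros(lines),
            "uplink_issues": check_uplink_consistency(lines)}


if __name__ == "__main__":
    import json
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PF_CONF
    print(json.dumps(audit(source), indent=2))
```

Run it as `python3 pfaudit.py /etc/pf.conf` before `pfctl -nf`; with no argument it audits the embedded sample and reports the undefined macro plus the lab network as routed out $ifext_2M without nat. The checker only understands the `$macro:network` form the post uses and backslash continuations, so lines wrapped by a mail client must be rejoined first.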