[FUG-BR] 1 link de internet para cada rede interna.

Mario Lobo lobo em bsd.com.br
Quinta Junho 2 10:50:26 BRT 2011 

Primeiramente, obrigado pela resposta Bruno.

O block log all ta no final de tudo. Esqueci de colocar.

Quando voce diz:

pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from any
to any port 5050 keep state
pass out quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from
any to any port 5050 keep state

Esse reply-to é realmente necessário? não entendi a função dele já que ele
referencia a mesma
interface do pass out. Nesse caso, para cada regra de permissão route-to
para uma porta fora na interface interna,
eu teria que colocar uma regra reply-to para esta mesma porta na interface
externa? Pergunto porque as redes internas tem umas 20 portas diferentes que
são permitidas conectar fora e isso vai aumentar muito o numero de regras.

Obrigado,

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since version 2.2.8 [not Pro-Audio.... YET!!] (99,7% winfoes FREE)

Em 2 de junho de 2011 10:31, Bruno Torres Viana <btviana em gmail.com>escreveu:

> Mario,
>
> Aparentemente olhando bem rápido não vejo nada de errado, mas eu utilizo
> outra prática.
>
> Para block
>
> block log all
>
>
> Para as regras de direcionar tráfego para um ou outro link
>
> pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from
> any
> to any port 5050 keep state
> pass out quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from
> any to any port 5050 keep state
>
> Abraço!
>
>
> Em 2 de junho de 2011 10:17, Mario Lobo <lobo em bsd.com.br> escreveu:
>
> > Bom dia a todos;
> >
> > Terei em breve a seguinte situação:
> >
> > 1 link de 1M para a rede interna 10.10.10.x
> > 1 link de 2M para as redes internas 198.162.0.x e 172 .16.3.x
> >
> > Minha dúvida é como implementar isso. Atualmente uso o pf como firewall
> > Uma placa de rede para cada rede interna e uma para cada link de internet
> > (5
> > total).
> >
> > Adaptei o meu  pf.conf atual para os 2 links. Ainda não testei porque o
> 2o
> > link ainda não está instalado. Gostaria
> > do comentário de voces, se est correto meu raciocínio, se tá tudo errado,
> > etc... O default router do FreeBSD é o link de 2M.
> >
> > FBSD 8.2-STABLE
> >
> >
> > ### pf.conf
> >
> > ################[ Macros ]####################################
> >
> > ### Interfaces ###
> >
> >  ifext_1M="sis0"
> >  gwip_1M="xx.xx.xx.xx"
> >
> >  ifext_2M="rl1"
> >  gwip_2M="yy.yy.yy.yy"
> >
> > ### Network ifs ###
> >
> >  ifint_aln="dc0"
> >  ifint_lab="vr0"
> >  ifint_enc="rl0"
> >
> > ### Networks ###
> >
> >  rede_1M="10.10.10.0/24"
> >  rede_2Ma="192.168.0.0/24"
> >  rede_2Mb="172.16.3.0/24"
> >
> > ################[ Queueing ]##################################
> >
> > ################[ Translation ]###############################
> >
> > ### NAT
> >
> >  nat on $ifext_1M from $ifint_enc:network to any -> $ifext_1M port
> > 1024:65535
> >  nat on $ifext_2M from { $ifint_aln:network,$ifint_lab:network } to any
> ->
> > $ifext_2M port 1024:65535
> >
> > ### RDR
> >
> >  no rdr on lo0 from any to any
> >
> >  # FW Servers -----------------------------------
> >
> >  # mail /owa
> >  rdr on $ifext_2M inet proto tcp to port smtp  -> $brightmail port smtp
> >  rdr on $ifext_2M inet proto tcp to port https -> $exchange port https
> >
> >  # DENY rouge redirections
> >  no rdr
> >
> > ################[ Filtering ]#################################
> >
> > ### unconditional passes
> >
> >  pass quick on $ifint_aln inet proto { tcp, udp, icmp } from
> > $ifint_aln:network to $ifint_aln:network
> >  pass quick on $ifint_lab inet proto { tcp, udp, icmp } from
> > $ifint_lab:network to $ifint_lab:network
> >  pass quick on $ifint_enc inet proto { tcp, udp, icmp } from
> > $ifint_enc:network to $ifint_enc:network
> >
> >  # allow lab to see DNS
> >  pass quick on $ifint_aln inet proto { tcp, udp, icmp } from
> > $ifint_lab:network to $ad_dns
> >
> >  # route enc network - no restrictions
> >  pass in quick on $ifint_enc route-to ( $ifext_1M $gwip_1M ) inet from
> > $ifint_enc:network to !$ifint_enc keep state
> >  # From gateway -----------------
> >  pass out quick on $ifint_enc inet proto { tcp, udp, icmp } from
> $ifint_enc
> > to any keep state
> >
> > ### Quick blocks
> >
> >  block in  on $ifext_1M inet from any to !($ifext_1M)
> >  block in  on $ifext_2M inet from any to !($ifext_2M)
> >
> >  # Ftp ( secure ftp-proxy )
> >  anchor "ftp-proxy/*"
> >
> > ### Allowances
> >
> >  # From LAB
> > -------------------------------------------------------------------
> >
> >    pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto
> > tcp  from $ifint_lab:network to !$ifint_lab port $Allow_tcp_ports_lab
> >    pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto
> > udp  from $ifint_lab:network to !$ifint_lab port $Allow_udp_ports_lab
> >    pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto
> > icmp from $ifint_lab:network to !$ifint_lab icmp-type { echorep, echoreq,
> > timex, unreach }
> >
> >    pass out quick on $ifint_lab inet proto tcp tagged ftp_proxy modulate
> > state
> >
> >    # From gateway -----------------
> >    pass out quick on $ifint_lab inet proto { tcp, udp, icmp } from
> > $ifint_lab to any keep state
> >
> >
> >  # From ALN
> > -------------------------------------------------------------------
> >
> >    pass in quick on $ifint_aln inet proto tcp from any to lo0 port
> $SshPort
> > flags S/SA keep state (max 20,  source-track rule, max-src-nodes 2,
> > max-src-states 10)
> >    pass in quick on $ifint_aln inet proto tcp from any to lo0 port
> $FtpPort
> > flags S/SA keep state (max 250, source-track rule, max-src-conn 100,
> > max-src-nodes 254, max-src-conn-rate 75/20)
> >
> >    pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto
> > tcp  from $ifint_aln:network to !$ifint_aln port $Allow_tcp_ports_aln
> flags
> > S/SA modulate state
> >    pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto
> > tcp  from $ifint_aln:network to !$ifint_aln port $Allow_udp_ports_aln
> keep
> > state
> >    pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto
> > icmp from $ifint_aln:network to !$ifint_aln icmp-type { echorep, echoreq,
> > timex, unreach } keep state
> >
> >    # To Servers ------------------
> >    pass out quick on $ifint_aln inet proto tcp from any to $brightmail
> port
> > smtp flags S/SA modulate state (max 100,  source-track rule,
> max-src-nodes
> > 30,  max-src-states 5,  max-src-conn-rate 10/300, overload <banned> flush
> > global, tcp.established 45)
> >    pass out quick on $ifint_aln inet proto tcp from any to $exchange port
> > 443  flags S/SA modulate state
> >    pass out quick on $ifint_aln inet proto tcp from any to $srvmic2008
> port
> > 21 flags S/SA modulate state
> >
> >    # From gateway -----------------
> >    pass out quick on $ifint_aln inet proto { tcp, udp, icmp } from
> > $ifint_aln to any keep state
> >
> > ## fin pf.conf
> >
> >
> > Obrigado pela atenção;
> >
> > --
> > Mario Lobo
> > http://www.mallavoodoo.com.br
> > FreeBSD since version 2.2.8 [not Pro-Audio.... YET!!] (99,7% winfoes
> FREE)
> > -------------------------
> > Histórico: http://www.fug.com.br/historico/html/freebsd/
> > Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
> >
>
>
>
> --
> ___________________________
> Bruno Torres Viana
> Consultor em TI
> Celular: (27) 8823-0751
> SKYPE/MSN:  btorres_viana
>
>
>
> Todos nós somos ignorantes, porém em assuntos diferentes. Não seja
> ignorante
> por opção!
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>

Mais detalhes sobre a lista de discussão freebsd