[FUG-SP] Can't reach external FTP with PF on FreeBSD

Danilo Carlos Silva danilosbrasil at gmail.com
Thu Apr 24 11:36:20 BRT 2008


Esteemed Sirs,

Problem: cannot reach active-mode FTP servers from the internal network

I would like to count on your help to resolve this issue, although I have
read several threads on the subject and found some solutions, even here on
this renowned site. The problem is that I am coming from LINUX to FREEBSD! I
am a newcomer and suffering a bit; they handed me this child with this
problem, I have to solve it, and I am counting on the help of this
community.

I will post my pf.conf so that you can evaluate it and instruct me on the
best way to enter the data.

############################
# PF configuration for xxxxx#
############################

### macros ###
ext_if = "rl0"
int_if = "sk0"
me = "192.168.0.1"
protheus = "192.168.0.3"
debian = "192.168.0.4"
w2003 = "192.168.0.5"
emule = "192.168.0.142"
p2p_1 = "192.168.0.152"


ports = "{ http, https, pop3, smtp, imap, ftp, 3128, 3306, 2022, >49151, 8080, 2401, 3333, 20, 21, 7777 }"

ftp_range="{ 4000 >< 57000 }"

### tables ###
#table <spamd-white> persist

### options ###
set skip on lo
#set loginterface $int_if

### scrub ###
scrub all no-df fragment reassemble random-id

### nat ###
nat on $ext_if from $int_if:network to any -> $ext_if


### gambi modes on XXX ###
rdr on $int_if proto tcp from $int_if:network to $ext_if port 6697 -> \
        192.168.0.3
rdr on $int_if proto tcp from $int_if:network to $ext_if port 2401 -> \
        192.168.0.4
rdr on $int_if proto tcp from $int_if:network to $ext_if port 3333 -> \
        192.168.0.4
rdr on $int_if proto tcp from $int_if:network to $ext_if port 7777 -> \
        192.168.0.4
no nat on $int_if proto tcp from $int_if to $int_if:network
nat on $int_if proto tcp from $int_if:network to 192.168.0.3 port 6697 -> \
        $int_if
nat on $int_if proto tcp from $int_if:network to 192.168.0.4 port 2401 -> \
        $int_if
nat on $int_if proto tcp from $int_if:network to 192.168.0.4 port 3333 -> \
        $int_if
nat on $int_if proto tcp from $int_if:network to 192.168.0.4 port 7777 -> \
        $int_if


### ips liberados proxy ###
table <exception> {192.168.0.184, 192.168.0.253}

### redirects ###

# rdr proxy
rdr on $int_if inet proto tcp from !<exception> to any port www -> \
        127.0.0.1 port 3128

# ftp to ftp-proxy redirect.
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# spamd redirect to me.
#rdr on $ext_if proto tcp from <spamd-white> to any port smtp -> $me
#rdr pass on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port spamd

# protheus redirect.
rdr on $ext_if proto tcp from any to $ext_if port 6697 -> $protheus


# subversion redirect.
rdr on $ext_if proto tcp from any to any port 3333 -> 192.168.0.4 port 2401

# Fenabrave redirect.
rdr on $ext_if proto tcp from any to any port 7777 -> 192.168.0.4 port 7777

# cvsdebian redirect.
rdr on $ext_if proto tcp from any to any port 2401 -> 192.168.0.4 port 2401

# redir w2003
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> $w2003

# redir emule.
rdr on $ext_if proto { tcp, udp } from any to $ext_if port 4000 -> $emule

# redir p2p.
rdr on $ext_if proto { tcp, udp } from any to $ext_if port 4002 -> $p2p_1


### anchors ###
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
anchor "ftp-proxy/*"

### filter rules ###

# antispoof.
antispoof quick for { lo $int_if } inet

# block/log everything.
block log all


# allow all traffic on $int_if.
pass on $int_if

# allow ping.
pass in quick inet proto icmp all icmp-type echoreq keep state

# allow proxy
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep
state
pass out quick on $ext_if inet proto tcp from any to any port www keep state

# allow ftp, pop3, smtp, imap, http, dns, https and ssh pass in.
pass in quick on $ext_if inet proto tcp from any to $ext_if \
        port $ports modulate state flags S/SA
pass in quick on $ext_if inet proto { tcp, udp } from any to $ext_if \
        port domain modulate state flags S/SA

# allow microzica pass in to protheus server.
pass in quick on $ext_if inet proto tcp from any to $protheus
# NOTE: the port line of this rule is missing from the posted config; as
# written the rule passes all TCP from $ext_if to $protheus.
# allow cvs pass in to debian server.
pass in quick on $ext_if inet proto tcp from any to $debian \
        port 2401 synproxy state flags S/SA


# allow subversion pass in to debian server.
pass in quick on $ext_if inet proto tcp from any to $debian \
        port 3333 synproxy state flags S/SA

# allow Fenabrave (port 7777) pass in to debian server.
pass in quick on $ext_if inet proto tcp from any to $debian \
        port 7777 synproxy state flags S/SA

# allow w2003 pass in.
pass in quick on $ext_if inet proto tcp from any to $w2003 \
        port 3389 synproxy state flags S/SA

# allow ftp pass in.
pass in quick on $ext_if inet proto tcp from any to any \
        port 21 synproxy state flags S/SA
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 \
   keep state
#pass in  on $ext_if inet proto tcp from any to $ext_if
#port ftp user proxy keep state
#pass in  quick on $ext_if inet proto tcp from any port
#20 to $ext_if port $ftp_range flags S/SA keep state

# allow emule pass in.
pass in quick on $ext_if inet proto { tcp, udp } from any to $emule \
        port 4000 synproxy state flags S/SA

pass in quick on $ext_if inet proto { tcp, udp } from any to $p2p_1 \
        port 4002 synproxy state flags S/SA

# allow all tcp, udp and icmp pass out.
pass out quick on $ext_if inet proto { tcp, udp, icmp } all \
        modulate state flags S/SA
#####################################################################################################################################################

Thanks in advance for your collaboration!
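Added example, not the poster's configuration: the minimal PF layout that lets NATed LAN clients use active-mode FTP through ftp-proxy(8). The posted config has the three ftp-proxy anchors but keeps the rdr to the proxy commented out and places the anchors after the generic nat rule, so the proxy's per-session rules never get a chance to match. The macros are assumed to match the poster's; the rule layout follows the ftp-proxy(8) manual, with the proxy on its default 127.0.0.1 port 8021.

```pf
# Added example: active-mode FTP from the LAN via ftp-proxy(8).
# Assumes the poster's interface macros; everything else is the
# arrangement described in ftp-proxy(8).
ext_if = "rl0"
int_if = "sk0"

scrub all no-df fragment reassemble random-id

# ftp-proxy inserts per-session nat rules into this anchor. NAT rules
# are first-match, so the anchor must precede the generic nat rule.
nat-anchor "ftp-proxy/*"
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Likewise the proxy's rdr rules (server data connection -> client)
# must win over any static rdr on $ext_if, e.g. the 4000/4002 ones.
rdr-anchor "ftp-proxy/*"

# Every LAN FTP control connection goes to the proxy. "rdr pass" also
# passes the redirected packets, so no extra pass rule is needed.
rdr pass on $int_if proto tcp from $int_if:network to any port ftp \
        -> 127.0.0.1 port 8021

antispoof quick for { lo $int_if } inet
block log all

# The proxy adds "pass ... quick" rules here for each data connection,
# including the inbound server-to-client connection of active mode.
anchor "ftp-proxy/*"

pass on $int_if

# The proxy itself opens the outbound control connection from $ext_if.
pass out on $ext_if proto tcp from ($ext_if) to any port ftp \
        flags S/SA keep state

pass out quick on $ext_if inet proto { tcp, udp, icmp } all \
        modulate state flags S/SA
```

Enable the daemon with ftpproxy_enable="YES" in /etc/rc.conf, syntax-check with pfctl -nf /etc/pf.conf before loading, and while a transfer is in progress pfctl -a "ftp-proxy/*" -sr shows the rules the proxy inserted for that session.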