[FUG-SP] I can't reach external FTP with PF on FreeBSD
Danilo Carlos Silva
danilosbrasil at gmail.com
Thursday, April 24 11:36:20 BRT 2008
Esteemed Sirs,
Problem: unable to reach active FTP servers from the internal network
I would like to count on your help to resolve this issue, despite having
read several threads on the subject and found a few solutions, even here on
this renowned site. The problem is that I am coming to FreeBSD from Linux!
I'm a newbie and suffering a bit; they handed me this child with this
problem, I have to solve it, and I'm counting on this community's help.
I'll post my pf.conf so you can evaluate it and instruct me on the best
way to enter the data.
############################
# PF configuration for xxxxx#
############################
### macros ###
ext_if = "rl0"
int_if = "sk0"
me = "192.168.0.1"
protheus = "192.168.0.3"
debian = "192.168.0.4"
w2003 = "192.168.0.5"
emule = "192.168.0.142"
p2p_1 = "192.168.0.152"
ports = "{ http, https, pop3, smtp, imap, ftp, 3128, 3306, 2022, >49151, 8080, 2401, 3333, 20, 21, 7777 }"
ftp_range = "{ 4000 >< 57000 }"
### tables ###
#table <spamd-white> persist
### options ###
set skip on lo
#set loginterface $int_if
### scrub ###
scrub all no-df fragment reassemble random-id
### nat ###
nat on $ext_if from $int_if:network to any -> $ext_if
### kludge mode on XXX ###
# hairpin: LAN clients hitting the external address are redirected to the
# internal servers and source-NATed so replies come back through $int_if.
rdr on $int_if proto tcp from $int_if:network to $ext_if port 6697 -> 192.168.0.3
rdr on $int_if proto tcp from $int_if:network to $ext_if port 2401 -> 192.168.0.4
rdr on $int_if proto tcp from $int_if:network to $ext_if port 3333 -> 192.168.0.4
rdr on $int_if proto tcp from $int_if:network to $ext_if port 7777 -> 192.168.0.4
no nat on $int_if proto tcp from $int_if to $int_if:network
nat on $int_if proto tcp from $int_if:network to 192.168.0.3 port 6697 -> $int_if
nat on $int_if proto tcp from $int_if:network to 192.168.0.4 port 2401 -> $int_if
nat on $int_if proto tcp from $int_if:network to 192.168.0.4 port 3333 -> $int_if
nat on $int_if proto tcp from $int_if:network to 192.168.0.4 port 7777 -> $int_if
### IPs exempt from the proxy ###
table <exception> { 192.168.0.184, 192.168.0.253 }
### redirects ###
# rdr proxy (transparent squid on 3128)
rdr on $int_if inet proto tcp from !<exception> to any port www -> 127.0.0.1 port 3128
# ftp to ftp-proxy redirect.
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# spamd redirect to me.
#rdr on $ext_if proto tcp from <spamd-white> to any port smtp -> $me
#rdr pass on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port spamd
# protheus redirect.
rdr on $ext_if proto tcp from any to $ext_if port 6697 -> $protheus
# subversion redirect.
rdr on $ext_if proto tcp from any to any port 3333 -> 192.168.0.4 port 2401
# Fenabrave redirect.
rdr on $ext_if proto tcp from any to any port 7777 -> 192.168.0.4 port 7777
# cvsdebian redirect.
rdr on $ext_if proto tcp from any to any port 2401 -> 192.168.0.4 port 2401
# redir w2003
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> $w2003
# redir emule.
rdr on $ext_if proto { tcp, udp } from any to $ext_if port 4000 -> $emule
# redir p2p.
rdr on $ext_if proto { tcp, udp } from any to $ext_if port 4002 -> $p2p_1
### anchors ###
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
anchor "ftp-proxy/*"
### filter rules ###
# antispoof.
antispoof quick for { lo $int_if } inet
# block/log everything.
block log all
# allow all traffic on $int_if.
pass on $int_if
# allow ping.
pass in quick inet proto icmp all icmp-type echoreq keep state
# allow proxy
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out quick on $ext_if inet proto tcp from any to any port www keep state
# allow ftp, pop3, smtp, imap, http, dns, https and ssh pass in.
pass in quick on $ext_if inet proto tcp from any to $ext_if \
    port $ports modulate state flags S/SA
pass in quick on $ext_if inet proto { tcp, udp } from any to $ext_if \
    port domain modulate state flags S/SA
# allow microzica pass in to protheus server.
# (the port line of this rule is missing in the post as received; the
# trailing backslash makes the next comment line its continuation)
pass in quick on $ext_if inet proto tcp from any to $protheus \
# allow cvs pass in to debian server.
pass in quick on $ext_if inet proto tcp from any to $debian \
    port 2401 synproxy state flags S/SA
# allow subversion pass in to debian server.
pass in quick on $ext_if inet proto tcp from any to $debian \
    port 3333 synproxy state flags S/SA
# allow Fenabrave pass in to debian server.
pass in quick on $ext_if inet proto tcp from any to $debian \
    port 7777 synproxy state flags S/SA
# allow w2003 pass in.
pass in quick on $ext_if inet proto tcp from any to $w2003 \
    port 3389 synproxy state flags S/SA
# allow ftp pass in.
pass in quick on $ext_if inet proto tcp from any to any \
    port 21 synproxy state flags S/SA
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 \
    keep state
#pass in on $ext_if inet proto tcp from any to $ext_if \
#    port ftp user proxy keep state
#pass in quick on $ext_if inet proto tcp from any port 20 \
#    to $ext_if port $ftp_range flags S/SA keep state
# allow emule pass in.
pass in quick on $ext_if inet proto { tcp, udp } from any to $emule \
    port 4000 synproxy state flags S/SA
pass in quick on $ext_if inet proto { tcp, udp } from any to $p2p_1 \
    port 4002 synproxy state flags S/SA
# allow all tcp, udp and icmp pass out.
pass out quick on $ext_if inet proto { tcp, udp, icmp } all \
    modulate state flags S/SA
############################
Thanks in advance for your help!
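Editor's added example, not part of the original post and not the poster's ruleset. The pf.conf above already declares the three "ftp-proxy/*" anchors, but the rdr line that feeds the control connection to ftp-proxy is commented out, so nothing ever lands in those anchors. The fragment below is a minimal, self-contained ruleset showing how ftp-proxy(8) is wired in for LAN clients reaching external FTP servers in active or passive mode: the proxy terminates the port 21 connection, rewrites the PORT/PASV addressing (which plain NAT cannot see inside the payload) and installs a per-session nat/rdr/pass pair in the anchors for each data connection. Interface names and the LAN prefix are taken from the post; the rc.conf knob and proxy address/port are ftp-proxy's FreeBSD defaults, and everything else is assumed.

```conf
# Added example (not from the original post): ftp-proxy wiring for
# outbound FTP from a NATed LAN. Interface names come from the post.
#
# /etc/rc.conf needs:   ftpproxy_enable="YES"
# ftp-proxy then listens on 127.0.0.1 port 8021 (its default) and
# writes rules into the anchors named below.

ext_if = "rl0"
int_if = "sk0"

set skip on lo                      # proxy traffic goes via loopback
scrub in all

### translation (must precede filter rules in this pf syntax) ###
nat on $ext_if from $int_if:network to any -> ($ext_if)

# one nat/rdr pair per data connection is inserted here by ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# every LAN-originated control connection to port 21 goes to the proxy;
# "rdr pass" lets it through without consulting the filter rules below
rdr pass on $int_if proto tcp from $int_if:network to any port ftp \
    -> 127.0.0.1 port 8021

### filtering ###
antispoof quick for { lo $int_if } inet
block log all

# ftp-proxy's per-session "pass ... quick" rules live here; the anchor
# must not sit behind a "block quick" or they never match
anchor "ftp-proxy/*"

pass on $int_if

# the proxy itself opens the control connection out of $ext_if
pass out on $ext_if proto tcp from ($ext_if) to any port ftp \
    flags S/SA keep state

# everything else out, stateful
pass out quick on $ext_if inet proto { tcp, udp, icmp } all \
    modulate state flags S/SA
```

Check it with `pfctl -nf /etc/pf.conf` before loading, start the proxy with `/etc/rc.d/ftp-proxy start`, and watch `pfctl -a "ftp-proxy/*" -sr` (or `-sn`) while a client transfers a file: a rule pair should appear per data connection and disappear when it closes. This covers only clients behind NAT reaching outside servers; inbound FTP to a server on the LAN (the "port 21 synproxy" rules in the post) needs ftp-proxy's reverse mode and is a separate setup.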
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.fug.com.br/historico/html/freebsd-sp/attachments/20080424/fff753f3/attachment.html