[FUG-BR] kernel module - pffil_hooks example

Christopher Giese - iRapida chris at irapida.com.br
Wed Jul 19 06:57:15 BRT 2006


I didn't understand your question.

Be more specific.


Nenhum _de_Nos wrote:
> On 7/18/06, Christopher Giese - iRapida <chris at irapida.com.br> wrote:
>   
>> hey
>>
>> a counter for pf:
>>
>> ##################
>> Upload pfctl -v -sr|grep "from ipqueVOCEquer" -A 1|grep Bytes|awk
>> '{print $7}'
>>
>> Download pfctl -v -sr|grep "to ipqueVOCEquer" -A 1|grep Bytes|awk
>> '{print $7}'
>> ##################
>>
>> you can use both at the same time without problems..... (as long as you
>> don't have 2000 rules in each one, of course - heh)
>>
>> I'm working on Diego's idea........ ipfw + snmp.. I did a bit of
>> googling and found how to set it up.....
>>
>> the idea
>> http://www.sat.t.u-tokyo.ac.jp/~hideyuki/ipfwsnmp.html
>>
>> the script
>> http://www.sat.t.u-tokyo.ac.jp/~hideyuki/ipfwsnmp
>>
>> It worked 100%.... really cool
>>
>> but for me it can't be with ipfw... it has to be with pf..... so I'm
>> porting ipfwsnmp to pf.... as soon as it's functional I'll distribute
>> it on the net
>>
>> :)
>>
>> later
>>
>>     
>
> these queries didn't return anything here :(
>
> in my setup:
>
> DSL --bridge-- FreeBSD ( NAT ) -------- FreeBSD ( traffic limiting ) ----- Network
>
> there's no result on either of them ... :(
>
> there is output, but nothing for the IPs of the 192.168.254.0/24 network.
>
> output: ( FreeBSD with NAT )
>
> [root at valfenda ~]# pfctl -v -sr
> block drop in on tun0 inet from 201.x.x.x to any
>   [ Evaluations: 11735803  Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto tcp from 201.xxxo any port 10000:11000
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto tcp from 201.x.x.x.x to any port 11001:11600
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto tcp from 201.x.x.x.x to any port 8000:8100
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto tcp from 201.x.x.x.x to any port 5010:5019
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto tcp from 201.x.x.x.x to any port 5020:5029
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto tcp from 201.x.x.x.x to any port 15000:15500
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto udp from 201.x.x.x.x to any port 10000:11000
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto udp from 201.x.x.x.x to any port 11001:11600
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto udp from 201.x.x.x.x to any port 8000:8100
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto udp from 201.x.x.x.x to any port 5010:5019
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto udp from 201.x.x.x.x to any port 5020:5029
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on tun0 inet proto udp from 201.x.x.x.x to any port 15000:15500
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
> pass in on rl0 all
>   [ Evaluations: 10378505  Packets: 5080445   Bytes: 1233312838  States: 0     ]
>
> and there are nat rules:
>
> nat on tun0 inet from 192.168.254.10 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.254.100 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.254.251 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.254.12 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.254.101 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.254.103 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.254.102 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.254.1 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.254.2 to any -> (tun0) round-robin
> nat on tun0 inet from 192.168.254.3 to any -> (tun0) round-robin
> rdr on tun0 inet proto tcp from any to any port 10000:11000 -> 192.168.254.10
> rdr on tun0 inet proto udp from any to any port 10000:11000 -> 192.168.254.10
> rdr on tun0 inet proto tcp from any to any port 11001:11600 -> 192.168.254.100
> rdr on tun0 inet proto udp from any to any port 11001:11600 -> 192.168.254.100
> rdr on tun0 inet proto tcp from any to any port 8000:8100 -> 192.168.254.12
> rdr on tun0 inet proto udp from any to any port 8000:8100 -> 192.168.254.12
> rdr on tun0 inet proto tcp from any to any port 5010:5019 -> 192.168.254.101
> rdr on tun0 inet proto udp from any to any port 5010:5019 -> 192.168.254.101
> rdr on tun0 inet proto tcp from any to any port 5020:5029 -> 192.168.254.103
> rdr on tun0 inet proto udp from any to any port 5020:5029 -> 192.168.254.103
> rdr on tun0 inet proto tcp from any to any port 15000:15500 -> 192.168.254.1
> rdr on tun0 inet proto udp from any to any port 15000:15500 -> 192.168.254.1
>
>
> I make the rules separately so I can control who can and can't use the
> FreeBSD box as a router :)
>
> thanks
>
> matheus
>   
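
As an added example (not from the thread), here is a shell version of the byte counter from the quoted message: it reads `pfctl -v -sr` output on stdin, pairs each `[ Evaluations: ... ]` line with the rule line above it, and sums the `Bytes:` field of every rule that contains the given `from`/`to` IP. It prints 0 when no filter rule names that IP, which is what happens on the quoted NAT box, whose filter rules are per-port rules from 201.x.x.x plus `pass in on rl0 all`; the sample output below is constructed from those lines with per-host rules added so that there is something to count.

```shell
#!/bin/sh
# Added example: sum pf filter-rule byte counters for one host and direction.
# Usage: pfctl -v -sr | pf_rule_bytes from 192.168.254.10
pf_rule_bytes() {
    dir="$1"   # "from" (upload) or "to" (download)
    ip="$2"
    # Trailing space so "192.168.254.1" does not also match "192.168.254.10".
    awk -v pat="$dir $ip " '
        /^ *\[ Evaluations:/ {
            # Counter line: it belongs to the most recent rule line.
            if (matched) {
                for (i = 1; i <= NF; i++) if ($i == "Bytes:") total += $(i + 1)
            }
            next
        }
        /^ *\[/ { next }                          # other annotation lines keep the current rule
        { matched = (index($0 " ", pat) > 0) }    # rule line: remember whether it names the host
        END { print total + 0 }                   # 0 when nothing matched
    '
}

# Constructed sample of "pfctl -v -sr" output: two rules from the thread, the
# catch-all "pass in on rl0 all", plus per-host rules so a count exists.
sample_pfctl_output() {
    cat <<'EOF'
block drop in on tun0 inet from 201.x.x.x to any
  [ Evaluations: 11735803  Packets: 0         Bytes: 0           States: 0     ]
pass in on tun0 inet proto tcp from 201.x.x.x to any port 10000:11000
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
pass in on rl0 inet from 192.168.254.10 to any
  [ Evaluations: 1200      Packets: 640       Bytes: 81920       States: 0     ]
pass in on rl0 inet from 192.168.254.100 to any
  [ Evaluations: 300       Packets: 10        Bytes: 4096        States: 0     ]
pass out on tun0 inet from any to 192.168.254.10
  [ Evaluations: 900       Packets: 500       Bytes: 65536       States: 0     ]
pass in on rl0 all
  [ Evaluations: 10378505  Packets: 5080445   Bytes: 1233312838  States: 0     ]
EOF
}

sample_pfctl_output | pf_rule_bytes from 192.168.254.10   # upload bytes: 81920
sample_pfctl_output | pf_rule_bytes to 192.168.254.10     # download bytes: 65536
sample_pfctl_output | pf_rule_bytes from 192.168.254.1    # no per-host rule: 0
```

Per-host counts only exist if pf has a filter rule per host; `pfctl -sr` lists filter rules only, so nat and rdr rules contribute nothing here.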


