[FUG-BR] PF rules do not load at boot
Gule #
gule.cps em gmail.com
Thu Jul 26 16:52:58 BRT 2007
My fault for not looking at your rc.conf.
When the server boots, what shows up in /var/log/pflog?
Just to be safe, try commenting out the pf_flags="" line.
On 7/26/07, Marcos Vinicius Buzo <annihil4tor em gmail.com> wrote:
> Thanks a lot for the reply, Gule.
>
> 1. Yes, it is already in rc.conf, as I put in the e-mail.
> 2. No, the link is a static IP. And there is no kind of VPN either.
>
>
>
> On 7/26/07, Gule # <gule.cps em gmail.com> wrote:
> > Dear Marcos;
> >
> > If you can get the rules to load right after boot, the problem is
> > not in the rules file but in the startup configuration.
> > Two basic questions:
> >
> > 1 - Did you set the rules flag in rc.conf?
> > pf_rules="/etc/pf.conf"
> >
> > 2 - Is your link authenticated via ppp?
> >
> >
> > On 7/26/07, Marcos Vinicius Buzo <annihil4tor em gmail.com> wrote:
> > > Good afternoon folks, everything OK?
> > > I am having a problem with pf. I surely did something wrong, but I
> > > cannot find my mistake. The pf rules are not loading at boot; they
> > > only load if I run pfctl -f /etc/pf.conf or
> > > /etc/rc.d/pf start
> > >
> > > Here are my /etc/rc.conf lines related to pf:
> > > pf_enable="YES" # Enable PF (load module if required)
> > > pf_rules="/etc/pf.conf" # rules definition file for pf
> > > pf_flags="" # additional flags for pfctl startup
> > > pflog_enable="YES" # start pflogd(8)
> > > pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
> > > pflog_flags="" # additional flags for pflogd startup
> > >
> > > Here is my pf.conf:
> > >
> > > ############## MACROS ############################
> > > ##################################################
> > >
> > > #WAN interface
> > > ext_if = "rl0"
> > > ext_ip = "200.xxx.xxx.106"
> > >
> > > #LAN interface
> > > int_if = "sk0"
> > > int_ip = "10.xxx.xxx.31"
> > > int_net = "10.xxx.xxx.0/24"
> > >
> > > #LAN interface - VOIP
> > > voip_if = "rl1"
> > > voip_ip = "192.xxx.xxx.254"
> > > voip_net = "192.xxx.xxx.0/24"
> > >
> > > #Hosts on the network
> > > dataserver_ip = "10.xxx.xxx.100"
> > > ata_ip = "192.xxx.xxx.2"
> > >
> > > #IPs
> > > priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> > >
> > > #Ports
> > > ssh_intport = "2222"
> > > ssh_extport = "110"
> > > ##################################################
> > >
> > > set loginterface $ext_if
> > >
> > > ############## PACKET NORMALIZATION #############
> > > ##################################################
> > >
> > > scrub in all
> > >
> > > ##################################################
> > >
> > > ############## ALTQ #############################
> > > #################################################
> > > altq on $ext_if hfsc bandwidth 100% queue ext_up
> > > queue ext_up bandwidth 300Kb {out_voip, out_ssh, out_email, out_others}
> > > queue out_voip bandwidth 50% hfsc(realtime 128Kb)
> > > queue out_ssh bandwidth 15% hfsc(realtime 32Kb)
> > > queue out_email bandwidth 10% hfsc(upperlimit 128Kb)
> > > queue out_others bandwidth 25% hfsc(default)
> > >
> > > ############## NAT ###########################
> > > ##############################################
> > >
> > > #NAT - LAN -> WAN
> > > nat on $ext_if from $int_net to any -> ($ext_if)
> > >
> > > #NAT - VOIP -> WAN
> > > nat on $ext_if from $voip_net to any -> ($ext_if)
> > >
> > > ##############################################
> > >
> > > ############ RDR #############################
> > > ##############################################
> > >
> > > #RDR - internal network FTP -> FTP-proxy
> > > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > > rdr on $int_if proto tcp from any to any port 778 -> 127.0.0.1 port 8021
> > >
> > > #RDR - FTP for updates
> > > #rdr on $ext_if proto tcp from any to $ext_ip port 15000 -> $dataserver_ip port 21
> > >
> > > #RDR - dataserver VPN
> > > rdr on $ext_if proto tcp from any to $ext_ip port 1194 -> $dataserver_ip
> > >
> > > #RDR - ATA/Configuration/Temporary
> > > rdr on $ext_if proto tcp from 200.xxx.xxx.213 to $ext_ip port 5555 -> $ata_ip port 80
> > >
> > > ##################################################
> > >
> > >
> > > ############## FILTERS ##########################
> > > ##################################################
> > >
> > > #BLOCK TRAFFIC ON ALL INTERFACES
> > > block all
> > >
> > > #ALLOW LOOPBACK
> > > pass quick on lo0 all keep state
> > >
> > > #ALLOW OUTBOUND ON ALL INTERFACES AND KEEP CONNECTION STATE
> > > pass out all keep state
> > >
> > > #SERVICE - SSH - WAN/LAN
> > > pass in on $ext_if proto tcp from any to $ext_ip port $ssh_extport keep state queue out_ssh
> > > pass in on $int_if proto tcp from $int_net to $int_ip port $ssh_intport keep state
> > >
> > > #SERVICE - NTOP - LAN/WAN(PRIVATE IP)
> > > pass in on $ext_if proto tcp from 200.xxx.xxx.213 to $ext_ip port 3000 keep state
> > > pass in on $int_if proto tcp from $int_net to $int_ip port 3000 keep state
> > >
> > > # pass incoming ports for ftp-proxy
> > > pass in on $ext_if inet proto tcp from any to any port > 49151 keep state
> > > pass in on $int_if inet proto tcp from any to any user proxy keep state
> > >
> > > #SERVICE - OpenVPN - WAN -> dataserver
> > > pass in on $ext_if proto tcp from any to $dataserver_ip port 1194 keep state
> > >
> > > #ALLOW EVERYTHING FOR THE VOIP NETWORK
> > > pass in on $voip_if from $voip_net to any keep state queue out_voip
> > > pass in on $ext_if proto tcp from 200.xxx.xxx.213 to $ata_ip port 80 keep state
> > >
> > > #ALLOW EVERYTHING FOR THE DIRECTOR
> > > pass in on $int_if from 10.xxx.xxx.99 to any keep state
> > >
> > > #ALLOW VONO FOR THE INTERNAL NETWORK
> > > pass in on $int_if from $int_net to 201.xxx.xxx.5 keep state queue out_voip
> > >
> > > #ALLOW RSYNC FOR THE data server
> > > pass in on $int_if proto {tcp,udp} from $dataserver_ip to any port 873 keep state
> > >
> > > #ALLOW ICMP FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto icmp from $int_net to any keep state
> > >
> > > #ALLOW FTP FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 keep state
> > > pass in on $int_if proto tcp from $int_net to any port 21 keep state
> > > pass in on $ext_if proto tcp from any to any port ftp-data user proxy keep state
> > >
> > > #ALLOW BUSINESS SYSTEMS FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto {tcp,udp} from $int_net to any port {778, 779, 4606, 3007, 8017} keep state
> > > pass in on $int_if from $int_net to 201.xxx.xxx.26 keep state
> > >
> > > #ALLOW CAT FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto {tcp,udp} from $int_net to any port 5017 keep state
> > >
> > > #ALLOW NTP FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto {tcp,udp} from $int_net to any port {123, 563} keep state
> > >
> > > #ALLOW DNS FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto {tcp,udp} from $int_net to any port 53 keep state
> > >
> > > #ALLOW EMAIL FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto {tcp,udp} from $int_net to any port 25 keep state queue out_email
> > > pass in on $int_if proto {tcp,udp} from $int_net to any port 110 keep state
> > >
> > > #ALLOW MSN FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto {tcp,udp} from $int_net to any port 1863 keep state
> > >
> > > #ALLOW HTTP FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto {tcp,udp} from $int_net to any port {80,443} keep state
> > >
> > > #ALLOW RECEITANET FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto tcp from $int_net to any port 3456 keep state
> > >
> > > #ALLOW CONECTIVIDADE SOCIAL FOR THE INTERNAL NETWORK
> > > pass in on $int_if proto tcp from $int_net to any port 2631 keep state
> > >
> > > #ALLOW the director's system IP
> > > pass in on $int_if from $int_net to 201.xxx.xxx.26 keep state
> > >
> > > #BLOCK PRIVATE IPS ON THE EXTERNAL INTERFACE
> > > block drop in quick on $ext_if from $priv_nets to any
> > > block drop out quick on $ext_if from any to $priv_nets
> > >
> > >
> > > Any help will be welcome.
> > > Thanks.
> > > -------------------------
> > > Archive: http://www.fug.com.br/historico/html/freebsd/
> > > Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
> > >
> >
>
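Gule asks what /var/log/pflog shows at boot; on the box itself that file is read with tcpdump -n -e -ttt -r /var/log/pflog. The decoder below is an added example, not part of the thread: it parses the same pcap format (DLT_PFLOG with FreeBSD's 64-byte pfloghdr) in pure Python over a constructed sample record, and its comments note the caveat that pf only logs packets matching rules carrying the `log` keyword, which none of the rules above do.

```python
import struct

DLT_PFLOG = 117                                   # pcap linktype written by pflogd(8)
ACTIONS = {0: "pass", 1: "block", 2: "scrub"}     # pf action codes in pfloghdr.action
REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short", 4: "normalize", 5: "memory"}
DIRS = {0: "in/out", 1: "in", 2: "out"}
PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}


def decode_pflog(data):
    """Return one dict per logged packet (FreeBSD pfloghdr: 64 bytes, rulenr big-endian)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != DLT_PFLOG:
        raise ValueError("not a pflog capture")
    records, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]   # included length
        rec = data[off + 16:off + 16 + incl]
        off += 16 + incl
        hlen, af, action, reason = struct.unpack("BBBB", rec[:4])
        entry = {"action": ACTIONS.get(action, str(action)),
                 "reason": REASONS.get(reason, str(reason)),
                 "ifname": rec[4:20].split(b"\0", 1)[0].decode(),
                 "rule": struct.unpack(">I", rec[36:40])[0],   # stored with htonl()
                 "dir": DIRS.get(rec[60], str(rec[60]))}
        pkt = rec[(hlen + 3) & ~3:]                              # header is BPF word-aligned
        if af == 2 and len(pkt) >= 20:                           # AF_INET, IPv4 header follows
            ihl = (pkt[0] & 0x0F) * 4
            entry["proto"] = PROTOS.get(pkt[9], str(pkt[9]))
            entry["src"] = ".".join(str(b) for b in pkt[12:16])
            entry["dst"] = ".".join(str(b) for b in pkt[16:20])
            if pkt[9] in (6, 17) and len(pkt) >= ihl + 4:        # TCP/UDP ports
                entry["sport"], entry["dport"] = struct.unpack(">HH", pkt[ihl:ihl + 4])
        records.append(entry)
    return records


def sample_capture():
    """Constructed pflog file: one TCP SYN blocked inbound on rl0 by rule 0 (RFC 5737 addresses).
    Only a rule written 'block log all' would produce such a record; 'block all' logs nothing."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([198, 51, 100, 10]), bytes([198, 51, 100, 106]))
    tcp = struct.pack(">HHIIBBHHH", 40000, 110, 0, 0, 0x50, 0x02, 8192, 0, 0)
    pfhdr = (struct.pack("<BBBB16s16s", 61, 2, 1, 0, b"rl0", b"")    # length, af, action=block, reason
             + struct.pack(">II", 0, 0xFFFFFFFF)                       # rulenr, subrulenr (-1 = none)
             + struct.pack("<iiiiB3x", -1, -1, -1, -1, 1))             # uid, pid, rule_uid, rule_pid, dir=in
    rec = pfhdr + ip + tcp
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
            + struct.pack("<IIII", 1185479578, 0, len(rec), len(rec)) + rec)
```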
More information about the freebsd mailing list