[FUG-BR] Firewall com pf no freeBSD 7
Ricardo Augusto de Souza
ricardo.souza em cmtsp.com.br
Segunda Novembro 3 17:40:34 BRST 2008
Ola,
sou usuario de openBSD há muitos anos.
Sempre utilizei para firewall.
Recebi uma maquina de uma outra área da minha empresa para eu usar como firewall só que o openbsd nao é compativel com ela. ( maldita controladora Adaptec).
Para resolver este problema, resolvi instalar o FreeBSD nesta maquina q é uma IBM x3550.
Habilitei o pf no rc.conf e recompilei o kernel para usar o altq futuramente.
Já consegui compartilhar a internet para minha rede local, o problema é que nao consegui rotear / liberar o acesso a rede 10.100.0.0 ( minha rede mpls) para a rede local.
Só que nao consigo pingar nem acessar esta maquina 10.100.0.5 dos clientes que estao usando o freebsd como gateway.
Só para constar: estou achando o freebsd bem mas rapido do que o openbsd.
Segue abaixo os arquivos de conf utilizados.
FW2# cat rc.conf
# -- sysinstall generated deltas -- # Fri Oct 31 08:57:07 2008
# Created: Fri Oct 31 08:57:07 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
ken_securelevel="1"
kern_securelevel_enable="YES"
pf_enable="YES"
defaultrouter="189.xxx.xxx.xxx"
gateway_enable="YES"
hostname="FW2.CMT"
ifconfig_bce0="inet 189.xxx.xxx.3 netmask 255.255.255.248"
ifconfig_bce1="inet 10.10.100.252 netmask 255.255.0.0"
inetd_enable="YES"
keymap="br275.cp850"
linux_enable="YES"
sshd_enable="YES"
FW2#
FW2# cat rc.local
#alias
ifconfig bce1 alias 10.100.1.4 netmask 255.255.255.192 up
#rotas
route add 10.100.0.0/24 10.100.1.1
FW2#
FW2# cat pf.conf
# variaveis
ext_if = "bce0"
int_if = "bce1"
cmt_lan = "10.10.0.0/24"
cmt_lan_ti = "10.10.20.0/24"
cmt_lan_callcenter = "10.10.60.0/24"
rede_mpls = " 10.100.0.0/24 "
tcp_out_ports = "{ 53, 80, 443 }"
# run time options
scrub in all
# nat
nat on $ext_if from $cmt_lan to any port $tcp_out_ports tag CMT_LAN -> ($ext_if)
nat on $ext_if from $cmt_lan_ti to any tag CMT_LAN_TI -> ($ext_if)
nat on $ext_if from $cmt_lan_callcenter port $tcp_out_ports to any tag CMT_LAN_CALLCENTER -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $cmt_lan_ti to any port 21 -> \
127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out proto tcp from any to any port 21
pass in on $int_if from any to any modulate state
pass out on $int_if from any to any modulate state
pass out on $ext_if from $ext_if to any modulate state
FW2#
FW2# ping 10.100.0.5
PING 10.100.0.5 (10.100.0.5): 56 data bytes
64 bytes from 10.100.0.5: icmp_seq=0 ttl=126 time=5.250 ms
64 bytes from 10.100.0.5: icmp_seq=1 ttl=126 time=8.325 ms
64 bytes from 10.100.0.5: icmp_seq=2 ttl=126 time=6.169 ms
64 bytes from 10.100.0.5: icmp_seq=3 ttl=126 time=8.943 ms
^C
--- 10.100.0.5 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 5.250/7.172/8.943/1.514 ms
#
FW2# nc -v 10.100.0.5 80
Connection to 10.100.0.5 80 port [tcp/http] succeeded!
^C
FW2#
FW2# cat sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.bsd.see_other_uids=0
net.inet.ip.check_interface=1 # protection against spoof ip packets
net.inet.ip.random_id=1
net.inet.ip.fastforwarding=1
net.inet.ip.process_options=0
net.inet.icmp.maskrepl=0
net.inet.tcp.blackhole=2 # blackhole pings, traceroutes, etc.
net.inet.tcp.rfc3042=1 # Enhancing TCP's Loss Recovery Using Limited Transmit
net.inet.tcp.rfc3390=1 # Increasing TCP's Initial Window
net.inet.tcp.sack.enable=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.keepidle=300000
net.inet.tcp.keepintvl=150
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.blackhole=1
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
kern.fallback_elf_brand=3
kern.polling.enable=1 # network interface pooling instead interrupt request
kern.ipc.shm_use_phys=1 # kernel to lock shared memory into RAM
# and prevent it from being paged out to swap
kern.ipc.maxsockbuf=2097152 # Buffers de socket para novas conexoes
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
vfs.vmiodirenable=1
FW2#
FW2# cat /root/dmesg.txt
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
root em logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz (1995.01-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x10676 Stepping = 6
Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Features2=0xce33d<SSE3,RSVD2,MON,DS_CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,<b19>>
AMD Features=0x20000000<LM>
AMD Features2=0x1<LAHF>
Cores per package: 4
real memory = 3220992000 (3071 MB)
avail memory = 3146506240 (3000 MB)
ACPI APIC Table: <IBM SERDEFNT>
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1
cpu2 (AP): APIC ID: 2
cpu3 (AP): APIC ID: 3
ioapic0 <Version 2.0> irqs 0-23 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
hptrr: HPT RocketRAID controller driver v1.1 (Feb 24 2008 19:59:27)
acpi0: <IBM SERDEFNT> on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x588-0x58b on acpi0
acpi_hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 900
cpu0: <ACPI CPU> on acpi0
p4tcc0: <CPU Frequency Thermal Control> on cpu0
cpu1: <ACPI CPU> on acpi0
p4tcc1: <CPU Frequency Thermal Control> on cpu1
cpu2: <ACPI CPU> on acpi0
p4tcc2: <CPU Frequency Thermal Control> on cpu2
cpu3: <ACPI CPU> on acpi0
p4tcc3: <CPU Frequency Thermal Control> on cpu3
pcib0: <ACPI Host-PCI bridge> on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib1: <ACPI PCI-PCI bridge> at device 2.0 on pci0
pci16: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> at device 0.0 on pci16
pci17: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> at device 0.0 on pci17
pci19: <ACPI PCI bus> on pcib3
pcib4: <ACPI PCI-PCI bridge> at device 1.0 on pci17
pci18: <ACPI PCI bus> on pcib4
pcib5: <ACPI PCI-PCI bridge> at device 0.3 on pci16
pci20: <ACPI PCI bus> on pcib5
pcib6: <PCI-PCI bridge> at device 3.0 on pci0
pci35: <PCI bus> on pcib6
pcib7: <ACPI PCI-PCI bridge> at device 4.0 on pci0
pci7: <ACPI PCI bus> on pcib7
pcib8: <PCI-PCI bridge> at device 5.0 on pci0
pci34: <PCI bus> on pcib8
pcib9: <ACPI PCI-PCI bridge> at device 6.0 on pci0
pci3: <ACPI PCI bus> on pcib9
pcib10: <PCI-PCI bridge> at device 0.0 on pci3
pci4: <PCI bus> on pcib10
bce0: <Broadcom NetXtreme II BCM5708 1000Base-T (B2)> mem 0xc8000000-0xc9ffffff irq 18 at device 0.0 on pci4
miibus0: <MII bus> on bce0
brgphy0: <BCM5708C 10/100/1000baseTX PHY> PHY 1 on miibus0
brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
bce0: Ethernet address: 00:1a:64:79:f1:58
bce0: [ITHREAD]
bce0: ASIC (0x57081020); Rev (B2); Bus (PCI-X, 64-bit, 133MHz); F/W (0x04000305); Flags( MFW MSI )
pcib11: <ACPI PCI-PCI bridge> at device 7.0 on pci0
pci2: <ACPI PCI bus> on pcib11
aac0: <IBM ServeRAID-8k> port 0x4000-0x40ff mem 0xcce00000-0xccffffff,0xcafe0000-0xcaffffff irq 17 at device 0.0 on pci2
aac0: New comm. interface enabled
aac0: [ITHREAD]
aac0: ServeRAID 8k-l , aac driver 2.0.0-1
pci0: <base peripheral> at device 8.0 (no driver attached)
pcib12: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
pci5: <ACPI PCI bus> on pcib12
pcib13: <PCI-PCI bridge> at device 0.0 on pci5
pci6: <PCI bus> on pcib13
bce1: <Broadcom NetXtreme II BCM5708 1000Base-T (B2)> mem 0xce000000-0xcfffffff irq 16 at device 0.0 on pci6
miibus1: <MII bus> on bce1
brgphy1: <BCM5708C 10/100/1000baseTX PHY> PHY 1 on miibus1
brgphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
bce1: Ethernet address: 00:1a:64:79:f1:5a
bce1: [ITHREAD]
bce1: ASIC (0x57081020); Rev (B2); Bus (PCI-X, 64-bit, 133MHz); F/W (0x04000305); Flags( MFW MSI )
uhci0: <Intel 631XESB/632XESB/3100 USB controller USB-1> port 0x2200-0x221f irq 23 at device 29.0 on pci0
uhci0: [GIANT-LOCKED]
uhci0: [ITHREAD]
usb0: <Intel 631XESB/632XESB/3100 USB controller USB-1> on uhci0
usb0: USB revision 1.0
uhub0: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb0
uhub0: 2 ports with 2 removable, self powered
uhci1: <Intel 631XESB/632XESB/3100 USB controller USB-2> port 0x2600-0x261f irq 22 at device 29.1 on pci0
uhci1: [GIANT-LOCKED]
uhci1: [ITHREAD]
usb1: <Intel 631XESB/632XESB/3100 USB controller USB-2> on uhci1
usb1: USB revision 1.0
uhub1: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb1
uhub1: 2 ports with 2 removable, self powered
uhci2: <Intel 631XESB/632XESB/3100 USB controller USB-3> port 0x2a00-0x2a1f irq 23 at device 29.2 on pci0
uhci2: [GIANT-LOCKED]
uhci2: [ITHREAD]
usb2: <Intel 631XESB/632XESB/3100 USB controller USB-3> on uhci2
usb2: USB revision 1.0
uhub2: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb2
uhub2: 2 ports with 2 removable, self powered
ehci0: <Intel 63XXESB USB 2.0 controller> mem 0xf9000000-0xf90003ff irq 23 at device 29.7 on pci0
ehci0: [GIANT-LOCKED]
ehci0: [ITHREAD]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: <Intel 63XXESB USB 2.0 controller> on ehci0
usb3: USB revision 2.0
uhub3: <Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb3
uhub3: 6 ports with 6 removable, self powered
pcib14: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci1: <ACPI PCI bus> on pcib14
vgapci0: <VGA-compatible display> port 0x3000-0x30ff mem 0xd0000000-0xd7ffffff,0xdfff0000-0xdfffffff irq 22 at device 1.0 on pci1
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel 63XXESB2 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x480-0x48f at device 31.1 on pci0
ata0: <ATA channel 0> on atapci0
ata0: [ITHREAD]
ata1: <ATA channel 1> on atapci0
ata1: [ITHREAD]
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio0: [FILTER]
pmtimer0 on isa0
orm0: <ISA Option ROMs> at iomem 0xc0000-0xcafff,0xcb000-0xcc7ff,0xcc800-0xcdfff,0xce000-0xd2fff pnpid ORM0000 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
atkbd0: [ITHREAD]
ppc0: parallel port not found.
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
uhub4: <Silitek IBM USB HUB KEYBOARD, class 9/0, rev 1.10/1.00, addr 2> on uhub0
uhub4: 3 ports with 2 removable, bus powered
ukbd0: <Silitek IBM USB HUB KEYBOARD, class 0/0, rev 1.10/1.00, addr 3> on uhub4
kbd2 at ukbd0
Timecounters tick every 1.000 msec
hptrr: no controller detected.
acd0: CDRW <HL-DT-STCD-RW/DVD DRIVE GCC-T10N/1.00> at ata0-master UDMA33
aacd0: <RAID 0 (Stripe)> on aac0
aacd0: 279788MB (573005824 sectors)
SMP: AP CPU #1 Launched!
SMP: AP CPU #2 Launched!
SMP: AP CPU #3 Launched!
Trying to mount root from ufs:/dev/aacd0s1a
bce0: link state changed to UP
bce1: link state changed to UP
uhub4: at uhub0 port 2 (addr 2) disconnected
ukbd0: at uhub4 port 1 (addr 3) disconnected
ukbd0: detached
uhub4: detached
FW2#
Mais detalhes sobre a lista de discussão freebsd