[FUG-BR] Problem with pf
Mario Lobo
lobo at bsd.com.br
Sat Jul 10 07:06:27 BRT 2010
Hi everyone.
I know there are a lot of people here who are pf experts.
I put together this pf.conf based on the many, many examples I managed to find on the
net (including here on the list) and adapted it to my needs.
It's fairly long, so I put it at the end.
Everything works! VPN from outside in and vice versa, SSH, routing,
web browsing, blocking, everything!
The problem is that only the ssh rdr (lo0) and the ftp one are working.
None of the others work!
Trying to reach the internal https server, for example, I see the following output from
tcpdump -n -e -ttt -s 256 -i pflog0:
00:00:00.000000 rule 21/0(match): pass in on sis0: 189.70.214.63.54429 > 172.16.3.135.443: Flags [S], seq 2411890221, win 65535, options [mss 1440,nop,wscale 4,sackOK,TS val 12824091 ecr 0], length 0
00:00:00.000071 rule 27/0(match): pass out on dc0: 189.70.214.63.54429 > 172.16.3.135.443: Flags [S], seq 2411890221, win 65535, options [mss 1440,nop,wscale 4,sackOK,TS val 2357217445 ecr 0], length 0
and that's it! No block shows up, the connection never completes and the browser
times out.
Over the VPN, however, it completes right away, and I reach the server
directly through it:
00:00:32.268808 rule 17/0(match): pass in on sis0: 189.70.214.63.55888 > x.y.z.w.1723: Flags [S]
00:00:00.133998 rule 0/0(match): pass out on lo0: 189.70.214.63.55888 > x.y.z.w.1723: Flags [S]
00:00:00.000047 rule 0/0(match): pass in on lo0: 189.70.214.63.55888 > x.y.z.w.1723: Flags [S]
00:00:00.416092 rule 87/0(match): pass out on sis0: x.y.z.w.9594 > 200.255.255.65.53:
00:00:00.020566 rule 16/0(match): pass in on sis0: 189.70.214.63 > x.y.z.w: GREv1, call 5504, seq 0, proto PPP (0x880b)
00:00:00.076102 rule 78/0(match): pass out on dc0: 172.16.3.150.25793 > 172.16.3.133.1812: RADIUS, Access Request
00:00:00.076784 rule 78/0(match): pass out on dc0: 172.16.3.150.28900 > 172.16.3.133.1813: RADIUS, Accounting Request
# already connected through the vpn
00:00:07.015407 rule 1/0(match): pass in on tun0: 172.16.3.237.60733 > 172.16.3.135.443: Flags [S], seq 3902572411, win 65535, options [mss 1256,nop,wscale 4,sackOK,TS val 13013947 ecr 0], length 0
00:00:00.000075 rule 27/0(match): pass out on dc0: 172.16.3.237.60733 > 172.16.3.135.443: Flags [S],
And I NEED to reach these services from outside, no matter what! I've been
trying and tweaking for days without success.
I even thought about IPFW, but I'm already used to pf and I wouldn't know how
to port these rules. That would be engineering beyond my abilities.
My heartfelt thanks to anyone who can help me.
Regards,
--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winfoes FREE)
sysctl.conf ================================================================
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
debug.cpufreq.lowest=400
vfs.read_max=32
kern.maxfiles=204800
kern.maxfilesperproc=200000
kern.maxvnodes=200000
kern.ipc.shmmax=67108864
kern.ipc.shmall=16384
kern.ipc.maxsockets=204800
kern.ipc.maxsockbuf=262144
kern.ipc.somaxconn=4096
net.link.ether.inet.proxyall=1
net.inet.tcp.rfc1323=1
net.inet.tcp.drop_synfin=1
net.inet.ip.fastforwarding=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.intr_queue_maxlen=1000
net.inet.ip.dummynet.hash_size=256
net.inet.icmp.drop_redirect=1
net.inet.icmp.icmplim=800
net.inet.icmp.icmplim_output=0
pf.conf ======================================================================
### Interfaces ###
vpn_if="tun"
ext_if="sis0"
aln_if="dc0"
lab_if="vr0"
prm_if="rl0"
my_int_ip = "172.16.3.150"
my_ext_ip = "x.y.z.w"
### Networks ###
int_nets = "{ 172.16.3.0/24, 192.168.0.1/24, 10.10.10.0/24 }"
### Hosts ###
# Users
mario = "172.16.3.12"
izabel = "172.16.3.38"
cecilia = "172.16.3.56"
viniciusT= "172.16.3.250"
# Servers
srecallen01= "172.16.3.130"
ad_dns = "172.16.3.133"
sql_server = "172.16.3.134"
exchange = "172.16.3.135"
endpoint = "172.16.3.137"
srecallen02= "172.16.3.140"
quarentena = "172.16.3.141"
file_server= "172.16.3.142"
wsus = "172.16.3.143"
changepoint= "172.16.3.144"
vrecfbsd = "172.16.3.145"
recife = "172.16.3.1"
bonito = "172.16.3.2"
olinda = "172.16.3.3"
camera1 = "172.16.3.198"
camera2 = "172.16.3.199"
# Groups
table <cameras> const { 172.16.3.198, 172.16.3.199 }
table <hiperdot> const { 172.16.3.41, 172.16.3.58 }
table <livres> const { $mario, $izabel, $cecilia, $viniciusT }
# Non-public/weird addresses, doesn't include our 10.10.10.x,172.16.3.x,
# 192.168.0.x subnets, anything in here shouldn't be going anywhere
table <banned> { 0.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3, 204.152.64.0/23 }
# Services that listen only at 127.0.0.1
FtpPort = "8021"
SshPort = "5952"
# Allowed ports
Allow_tcp_ports_aln = "{53, 80, 443, 143, 445, 1433, 1863, 110, 3000, 5061, 1723, 3389, 135, 25}"
Allow_tcp_ports_lab = "{53, 80, 443}"
Allow_tcp_ports_prm = "{53, 80, 443}"
Allow_udp_ports_aln = "{53, 500}"
Allow_udp_ports_lab = "{53, 500}"
Allow_udp_ports_prm = "{53, 500}"
################[ Options ]###################################
### most of these defaults are fine
# Drop silently; "return" would send a TCP RST / ICMP unreachable instead
set block-policy drop
# Bind states to interfaces so we can have a queue for each interface
set state-policy if-bound
set ruleset-optimization none
set require-order yes
set loginterface $ext_if
# set fingerprints "/etc/pf.os"
# set optimization aggressive
set optimization normal
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }
################[ Normalization ]#############################
### reassemble fragments and resolve or reduce traffic ambiguities.
scrub on $ext_if all random-id min-ttl 254 max-mss 1472 reassemble tcp fragment reassemble
scrub on $aln_if all random-id reassemble tcp fragment reassemble
scrub on $lab_if all random-id reassemble tcp fragment reassemble
scrub on $prm_if all random-id reassemble tcp fragment reassemble
# Don't normalize traffic on the loopback
################[ Queueing ]##################################
### download queues
altq on $aln_if bandwidth 100Mb hfsc queue { ether_aln, nattraffic_aln }
# Ethernet traffic
queue ether_aln hfsc ( default, upperlimit 70% ) bandwidth 10% priority 0
queue nattraffic_aln hfsc ( upperlimit 400Kb ) bandwidth 420Kb { toint_pri_aln, toint_def_aln }
queue toint_pri_aln qlimit 10 hfsc ( red, realtime 35%, linkshare 50% ) priority 4 bandwidth 70%
queue toint_def_aln qlimit 10 hfsc ( red, realtime 15%, linkshare 30% ) priority 3 bandwidth 20%
altq on $lab_if bandwidth 100Mb hfsc queue { ether_lab, nattraffic_lab }
# Ethernet traffic
queue ether_lab hfsc ( default, upperlimit 70% ) bandwidth 10% priority 0
queue nattraffic_lab hfsc ( upperlimit 400Kb ) bandwidth 420Kb { toint_pri_lab, toint_def_lab }
queue toint_pri_lab qlimit 10 hfsc ( red, realtime 35%, linkshare 50% ) priority 4 bandwidth 70%
queue toint_def_lab qlimit 10 hfsc ( red, realtime 15%, linkshare 30% ) priority 3 bandwidth 20%
altq on $prm_if bandwidth 100Mb hfsc queue { ether_prm, nattraffic_prm }
# Ethernet traffic
queue ether_prm hfsc ( default, upperlimit 70% ) bandwidth 10% priority 0
queue nattraffic_prm hfsc ( upperlimit 400Kb ) bandwidth 420Kb { toint_pri_prm, toint_def_prm }
queue toint_pri_prm qlimit 10 hfsc ( red, realtime 35%, linkshare 50% ) priority 4 bandwidth 70%
queue toint_def_prm qlimit 10 hfsc ( red, realtime 15%, linkshare 30% ) priority 3 bandwidth 20%
### upload queue
# External interface, stuff which goes out on this interface has 1024Kb bandwidth
altq on $ext_if hfsc ( upperlimit 900Kb ) bandwidth 990Kb queue { fromint_pri, fromint_def, server, fromint_ack }
# From others
queue fromint_pri hfsc ( realtime 360Kb ) bandwidth 10%
queue fromint_def hfsc ( realtime 180Kb ) bandwidth 10%
# To the server from external
queue server hfsc ( default ) bandwidth 10%
# TCP ACK packets, saying we've got a packet, we have to get these off asap
queue fromint_ack hfsc ( realtime 5Kb ) bandwidth 10% priority 7
################[ Translation ]###############################
### specify how addresses are to be mapped or redirected.
nat on $ext_if from { $aln_if:network, $lab_if:network, $prm_if:network } to any -> ($ext_if:0) port 1024:65535
# ssh
rdr on $ext_if inet proto tcp from any to ($ext_if) port $SshPort -> lo0 port $SshPort
rdr on $aln_if inet proto tcp from any to $aln_if port $SshPort -> lo0 port $SshPort
# Allen Hosts
# mail /owa
rdr on $ext_if inet proto tcp from any to ($ext_if) port smtp -> $exchange port smtp
rdr on $ext_if inet proto tcp from any to ($ext_if) port https -> $exchange port https
# changepoint
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port http -> $olinda port http
rdr on $ext_if inet proto tcp from any to ($ext_if) port 444 -> $olinda port 444
# cameras
rdr on $ext_if inet proto tcp from any to ($ext_if) port 81 -> $camera1 port 81
rdr on $ext_if inet proto tcp from any to ($ext_if) port 82 -> $camera2 port 82
# ftp
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $aln_if inet proto tcp from $aln_if:network to any port ftp -> lo0 port $FtpPort
rdr on $lab_if inet proto tcp from $lab_if:network to any port ftp -> lo0 port $FtpPort
rdr on $prm_if inet proto tcp from $prm_if:network to any port ftp -> lo0 port $FtpPort
################[ Filtering ]#################################
pass log quick on lo0 all
pass log quick on $vpn_if all keep state
# no traffic is trying to get into the loopback interface from outside.
# block quick from any to lo0:network
#--- Making sure all traffic is coming to/going from the right interface
# Make sure no banned addresses are around
block log quick from <banned> to any
block log quick from any to <banned>
# all traffic to/from the internal network is addressed to/from the internal
# network
block in log on $aln_if from !$aln_if:network to any
block out log on $aln_if from any to !$aln_if:network
block in log on $lab_if from !$lab_if:network to any
block out log on $lab_if from any to !$lab_if:network
block in log on $prm_if from !$prm_if:network to any
block out log on $prm_if from any to !$prm_if:network
# all traffic to/from the external network is addressed to/from our external
# address specifically
block in log on $ext_if from any to !($ext_if)
block out log on $ext_if from !($ext_if) to any
block in log quick from no-route to any
block in log quick on $ext_if from urpf-failed to any
block in log quick on $ext_if from any to 255.255.255.255
# <<< INPUT >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# from INTERNET
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type 8 code 0 keep state
# vpn
pass in log quick on $ext_if inet proto gre all keep state queue ( server, fromint_ack )
pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port pptp \
    flags S/SAFR synproxy state queue ( server, fromint_ack )
# redirects from outside ---------------------------------------------------
pass in log quick on $ext_if inet proto tcp from any to lo0 port $SshPort \
    flags S/SAFR synproxy state (max 30, source-track rule, max-src-nodes 10, \
    max-src-states 2, max-src-conn 2, max-src-conn-rate 2/60, overload <banned>) \
    queue ( server, fromint_ack )
pass in log on $ext_if inet proto tcp from any to $exchange port smtp \
    flags S/SAFR synproxy state (max 100, source-track rule, max-src-states 5, \
    max-src-nodes 30, max-src-conn-rate 10/300, overload <banned> flush global, \
    tcp.established 45) queue ( server, fromint_ack )
pass in log on $ext_if inet proto tcp from any to $olinda port http \
    flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, \
    max-src-states 30, max-src-conn 30, overload <banned> flush global) \
    queue ( server, fromint_ack )
pass in log quick on $ext_if inet proto tcp from any to $exchange port 443 \
    flags S/SA keep state (max 9000, source-track rule, max-src-conn 2000, \
    max-src-nodes 254) queue ( server, fromint_ack )
pass in log on $ext_if inet proto tcp from any to $olinda port 444 \
    flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, \
    max-src-states 30, max-src-conn 30, overload <banned> flush global) \
    queue ( server, fromint_ack )
pass in log on $ext_if inet proto tcp from any to $camera1 port 81 \
    flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, \
    max-src-states 30, max-src-conn 30, overload <banned> flush global) \
    queue ( server, fromint_ack )
pass in log on $ext_if inet proto tcp from any to $camera2 port 82 \
    flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, \
    max-src-states 30, max-src-conn 30, overload <banned> flush global) \
    queue ( server, fromint_ack )
#---------------------------------------------------------------------
pass out log on $aln_if inet proto tcp from any to $exchange port smtp \
    flags S/SAFR synproxy state (max 100, source-track rule, max-src-states 5, \
    max-src-nodes 30, max-src-conn-rate 10/300, overload <banned> flush global, \
    tcp.established 45) queue ( server, fromint_ack )
pass out log on $aln_if inet proto tcp from any to $olinda port http \
    flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, \
    max-src-states 30, max-src-conn 30, overload <banned> flush global) \
    queue ( server, fromint_ack )
pass out log quick on $aln_if inet proto tcp from any to $exchange port 443 \
    flags S/SA keep state (max 1000, source-track rule, max-src-nodes 50, \
    max-src-states 30, max-src-conn 30, overload <banned> flush global) queue ether_aln
pass out log on $aln_if inet proto tcp from any to $olinda port 444 \
    flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, \
    max-src-states 30, max-src-conn 30, overload <banned> flush global) \
    queue ( server, fromint_ack )
pass out log on $aln_if inet proto tcp from any to $camera1 port 81 \
    flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, \
    max-src-states 30, max-src-conn 30, overload <banned> flush global) \
    queue ( server, fromint_ack )
pass out log on $aln_if inet proto tcp from any to $camera2 port 82 \
    flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, \
    max-src-states 30, max-src-conn 30, overload <banned> flush global) \
    queue ( server, fromint_ack )
# from LAN
pass in log quick on $aln_if proto tcp from any to lo0 port $SshPort \
    flags S/SAFR synproxy state (max 20, source-track rule, max-src-nodes 2, \
    max-src-states 10) queue ether_aln
# pass in log quick on $aln_if proto tcp from any to lo0 port 3128 flags S/SAFR synproxy state (max 2000, source-track rule, max-src-nodes 20, max-src-states 100) queue ether_aln
# <<< FORWARD >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#--- Let out NAT traffic from the internal network to the internet
pass in log quick on $aln_if from $my_int_ip to !$aln_if keep state tag fromint_pri queue ( toint_pri_aln )
pass in log quick on $lab_if from 192.168.0.1 to !$lab_if keep state tag fromint_pri queue ( toint_pri_lab )
pass in log quick on $prm_if from 10.10.10.1 to !$prm_if keep state tag fromint_pri queue ( toint_pri_prm )
pass in log quick on $aln_if inet proto gre all keep state tag fromint_pri queue ( toint_pri_aln )
pass in log quick on $aln_if inet proto tcp from $aln_if:network to !$aln_if port $Allow_tcp_ports_aln \
    keep state tag fromint_def queue ( toint_def_aln )
pass in log quick on $lab_if inet proto tcp from $lab_if:network to !$lab_if port $Allow_tcp_ports_lab \
    keep state tag fromint_def queue ( toint_def_lab )
pass in log quick on $prm_if inet proto tcp from $prm_if:network to !$prm_if port $Allow_tcp_ports_prm \
    keep state tag fromint_def queue ( toint_def_prm )
pass in log quick on $aln_if inet proto udp from $aln_if:network to !$aln_if port $Allow_udp_ports_aln \
    keep state tag fromint_def queue ( toint_def_aln )
pass in log quick on $lab_if inet proto udp from $lab_if:network to !$lab_if port $Allow_udp_ports_lab \
    keep state tag fromint_def queue ( toint_def_lab )
pass in log quick on $prm_if inet proto udp from $prm_if:network to !$prm_if port $Allow_udp_ports_prm \
    keep state tag fromint_def queue ( toint_def_prm )
pass in log on $aln_if inet proto icmp from $aln_if:network to !$aln_if icmp-type 8 code 0 keep state tag fromint_def
pass in log on $lab_if inet proto icmp from $lab_if:network to !$lab_if icmp-type 8 code 0 keep state tag fromint_def
pass in log on $prm_if inet proto icmp from $prm_if:network to !$prm_if icmp-type 8 code 0 keep state tag fromint_def
# We have to create a state on the external interface for traffic that has
# been passed, so that we can create an upload queue.
pass out log quick on $ext_if tagged fromint_pri keep state queue ( fromint_pri, fromint_ack )
pass out log quick on $ext_if tagged fromint_def keep state queue ( fromint_def, fromint_ack )
# <<< OUTPUT >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#--- Don't let restricted users initiate their own connections
block out log quick from any to any user { www, nobody, games, news, man, smmsp, mailnull, pop, uucp, bind }
#--- Allow networks to see themselves
pass log quick on $aln_if inet proto { tcp, udp, icmp } from $aln_if:network to $aln_if:network keep state queue ether_aln
pass log quick on $lab_if inet proto { tcp, udp, icmp } from $lab_if:network to $lab_if:network keep state queue ether_lab
pass log quick on $prm_if inet proto { tcp, udp, icmp } from $prm_if:network to $prm_if:network keep state queue ether_prm
#--- Allow connections from this server
pass log quick on $ext_if inet proto { tcp, udp, icmp } from $my_ext_ip to any keep state queue ( server, fromint_ack )
pass log quick on $aln_if inet proto { tcp, udp, icmp } from $my_int_ip to any keep state queue ( toint_pri_aln )
pass log quick on $lab_if inet proto { tcp, udp, icmp } from 192.168.0.1 to any keep state queue ( toint_pri_lab )
pass log quick on $prm_if inet proto { tcp, udp, icmp } from 10.10.10.1 to any keep state queue ( toint_pri_prm )
block log all
==============================================================================
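Added example, not part of the post above and not pf or FreeBSD code: a small Python script that pairs TCP SYNs with SYN-ACKs in tcpdump -n output so a half-open flow can be told apart from an answered one. pf writes to pflog0 only the packet that matched a logging rule and created the state; the SYN-ACK that later matches that state is never logged, so a pflog0 trace like the one in the post cannot show whether the internal server replied at all. The script takes the post's own pflog0 lines for the port 443 flows (one from the Internet, one from the VPN client) plus a constructed capture in the shape of `tcpdump -n -i dc0 port 443` (the dc0 lines are made up for this example, as is the outcome they show) and reports, per flow, on which interfaces the SYN was seen and whether a SYN-ACK came back. If a raw capture on dc0 shows the SYN leaving toward the server but no SYN-ACK returning on dc0, the filter rules are not what is dropping the connection, and the next thing to check is the path the server uses to reach the client.

```python
"""Pair SYN / SYN-ACK packets from tcpdump -n output to find half-open TCP flows.

Two line shapes are understood:
  pflog0:        "<ts> rule N/0(match): pass in on sis0: A.p > B.q: Flags [S], ..."
  raw interface: "<ts> IP A.p > B.q: Flags [S.], ..."
Assumes FreeBSD tcpdump -n formatting as shown in the post; the dc0 lines
below are constructed sample input, not a real capture.
"""
import re
from collections import OrderedDict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# pflog0 line: interface, direction and matching rule number are in the prefix.
PFLOG_RE = re.compile(
    rf"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/\d+\(match\):\s+"
    rf"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifc>\w+):\s+"
    rf"(?P<src>{IP})\.(?P<sport>\d+)\s+>\s+(?P<dst>{IP})\.(?P<dport>\d+):\s+"
    rf"Flags\s+\[(?P<flags>[^\]]*)\]"
)
# Raw interface line: no rule or direction; the caller knows the interface.
RAW_RE = re.compile(
    rf"^(?P<ts>\S+)\s+IP\s+(?P<src>{IP})\.(?P<sport>\d+)\s+>\s+"
    rf"(?P<dst>{IP})\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_packet(line, capture_ifc=None):
    """Fields of a TCP line, or None for UDP/GRE/unparsable lines."""
    m = PFLOG_RE.match(line)
    if m:
        return m.groupdict()
    m = RAW_RE.match(line)
    if m:
        d = m.groupdict()
        d.update(rule=None, action=None, dir=None, ifc=capture_ifc)
        return d
    return None


def flow_key(pkt):
    """Canonical (client, cport, server, sport); only SYN and SYN-ACK are keyed."""
    if pkt["flags"] == "S":   # SYN: the sender is the client
        return (pkt["src"], int(pkt["sport"]), pkt["dst"], int(pkt["dport"]))
    if pkt["flags"] == "S.":  # SYN-ACK: the sender is the server
        return (pkt["dst"], int(pkt["dport"]), pkt["src"], int(pkt["sport"]))
    return None


def handshakes(captures):
    """captures: iterable of (interface_or_None, lines). Use None for a pflog0
    capture, whose lines name their own interface. Returns flow -> sightings."""
    flows = OrderedDict()
    for ifc, lines in captures:
        for line in lines:
            pkt = parse_packet(line, ifc)
            key = flow_key(pkt) if pkt else None
            if key is None:
                continue
            entry = flows.setdefault(key, {"syn": [], "synack": []})
            sighting = (pkt["ifc"], pkt["dir"], pkt["rule"])
            entry["syn" if pkt["flags"] == "S" else "synack"].append(sighting)
    return flows


def half_open(flows):
    """Flows whose SYN was seen but no SYN-ACK on any captured interface."""
    return [k for k, e in flows.items() if e["syn"] and not e["synack"]]


def answered(flows):
    return [k for k, e in flows.items() if e["synack"]]


# Lines copied from the post's pflog0 capture (state-creating packets only).
PFLOG0 = [
    "00:00:00.000000 rule 21/0(match): pass in on sis0: 189.70.214.63.54429 > 172.16.3.135.443: Flags [S], seq 2411890221, win 65535, options [mss 1440,nop,wscale 4,sackOK,TS val 12824091 ecr 0], length 0",
    "00:00:00.000071 rule 27/0(match): pass out on dc0: 189.70.214.63.54429 > 172.16.3.135.443: Flags [S], seq 2411890221, win 65535, options [mss 1440,nop,wscale 4,sackOK,TS val 2357217445 ecr 0], length 0",
    "00:00:07.015407 rule 1/0(match): pass in on tun0: 172.16.3.237.60733 > 172.16.3.135.443: Flags [S], seq 3902572411, win 65535, options [mss 1256,nop,wscale 4,sackOK,TS val 13013947 ecr 0], length 0",
    "00:00:00.000075 rule 27/0(match): pass out on dc0: 172.16.3.237.60733 > 172.16.3.135.443: Flags [S],",
]
# Constructed (not from the post): what 'tcpdump -n -i dc0 port 443' could show if
# the VPN client's SYN is answered on dc0 but the Internet client's SYN is not.
DC0 = [
    "07:06:27.100000 IP 189.70.214.63.54429 > 172.16.3.135.443: Flags [S], seq 2411890221, win 65535, length 0",
    "07:06:27.200000 IP 172.16.3.237.60733 > 172.16.3.135.443: Flags [S], seq 3902572411, win 65535, length 0",
    "07:06:27.200300 IP 172.16.3.135.443 > 172.16.3.237.60733: Flags [S.], seq 1, ack 3902572412, win 8192, length 0",
]


def analyse(pflog_lines=PFLOG0, dc0_lines=DC0):
    return handshakes([(None, pflog_lines), ("dc0", dc0_lines)])


def report(flows):
    out = []
    for (client, cport, server, sport), e in flows.items():
        verdict = "answered" if e["synack"] else "HALF-OPEN (no SYN-ACK seen)"
        out.append(f"{client}:{cport} -> {server}:{sport}: {verdict}")
        for ifc, direction, rule in e["syn"]:
            where = f"rule {rule} {direction}" if rule else "raw capture"
            out.append(f"    SYN     on {ifc} ({where})")
        for ifc, _, _ in e["synack"]:
            out.append(f"    SYN-ACK on {ifc}")
    return out


if __name__ == "__main__":
    print("\n".join(report(analyse())))
```

To use it against the real box, run `tcpdump -n -i dc0 port 443` on the firewall while connecting from outside and feed those lines as the dc0 capture; `pfctl -ss` at the same moment shows whether the rdr'd flow's state is stuck before the handshake completed or has reached ESTABLISHED.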
More information about the freebsd mailing list