[FUG-BR] 1 link de internet para cada rede interna.
Bruno Torres Viana
btviana em gmail.com
Quinta Junho 2 10:31:56 BRT 2011
Mario,
Aparentemente olhando bem rápido não vejo nada de errado, mas eu utilizo
outra prática.
Para block
block log all
Para as regras de direcionar tráfego para um ou outro link
pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from any
to any port 5050 keep state
pass out quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from
any to any port 5050 keep state
Abraço!
Em 2 de junho de 2011 10:17, Mario Lobo <lobo em bsd.com.br> escreveu:
> Bom dia a todos;
>
> Terei em breve a seguinte situação:
>
> 1 link de 1M para a rede interna 10.10.10.x
> 1 link de 2M para as redes internas 198.162.0.x e 172 .16.3.x
>
> Minha dúvida é como implementar isso. Atualmente uso o pf como firewall
> Uma placa de rede para cada rede interna e uma para cada link de internet
> (5
> total).
>
> Adaptei o meu pf.conf atual para os 2 links. Ainda não testei porque o 2o
> link ainda não está instalado. Gostaria
> do comentário de voces, se est correto meu raciocínio, se tá tudo errado,
> etc... O default router do FreeBSD é o link de 2M.
>
> FBSD 8.2-STABLE
>
>
> ### pf.conf
>
> ################[ Macros ]####################################
>
> ### Interfaces ###
>
> ifext_1M="sis0"
> gwip_1M="xx.xx.xx.xx"
>
> ifext_2M="rl1"
> gwip_2M="yy.yy.yy.yy"
>
> ### Network ifs ###
>
> ifint_aln="dc0"
> ifint_lab="vr0"
> ifint_enc="rl0"
>
> ### Networks ###
>
> rede_1M="10.10.10.0/24"
> rede_2Ma="192.168.0.0/24"
> rede_2Mb="172.16.3.0/24"
>
> ################[ Queueing ]##################################
>
> ################[ Translation ]###############################
>
> ### NAT
>
> nat on $ifext_1M from $ifint_enc:network to any -> $ifext_1M port
> 1024:65535
> nat on $ifext_2M from { $ifint_aln:network,$ifint_lab:network } to any ->
> $ifext_2M port 1024:65535
>
> ### RDR
>
> no rdr on lo0 from any to any
>
> # FW Servers -----------------------------------
>
> # mail /owa
> rdr on $ifext_2M inet proto tcp to port smtp -> $brightmail port smtp
> rdr on $ifext_2M inet proto tcp to port https -> $exchange port https
>
> # DENY rouge redirections
> no rdr
>
> ################[ Filtering ]#################################
>
> ### unconditional passes
>
> pass quick on $ifint_aln inet proto { tcp, udp, icmp } from
> $ifint_aln:network to $ifint_aln:network
> pass quick on $ifint_lab inet proto { tcp, udp, icmp } from
> $ifint_lab:network to $ifint_lab:network
> pass quick on $ifint_enc inet proto { tcp, udp, icmp } from
> $ifint_enc:network to $ifint_enc:network
>
> # allow lab to see DNS
> pass quick on $ifint_aln inet proto { tcp, udp, icmp } from
> $ifint_lab:network to $ad_dns
>
> # route enc network - no restrictions
> pass in quick on $ifint_enc route-to ( $ifext_1M $gwip_1M ) inet from
> $ifint_enc:network to !$ifint_enc keep state
> # From gateway -----------------
> pass out quick on $ifint_enc inet proto { tcp, udp, icmp } from $ifint_enc
> to any keep state
>
> ### Quick blocks
>
> block in on $ifext_1M inet from any to !($ifext_1M)
> block in on $ifext_2M inet from any to !($ifext_2M)
>
> # Ftp ( secure ftp-proxy )
> anchor "ftp-proxy/*"
>
> ### Allowances
>
> # From LAB
> -------------------------------------------------------------------
>
> pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto
> tcp from $ifint_lab:network to !$ifint_lab port $Allow_tcp_ports_lab
> pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto
> udp from $ifint_lab:network to !$ifint_lab port $Allow_udp_ports_lab
> pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto
> icmp from $ifint_lab:network to !$ifint_lab icmp-type { echorep, echoreq,
> timex, unreach }
>
> pass out quick on $ifint_lab inet proto tcp tagged ftp_proxy modulate
> state
>
> # From gateway -----------------
> pass out quick on $ifint_lab inet proto { tcp, udp, icmp } from
> $ifint_lab to any keep state
>
>
> # From ALN
> -------------------------------------------------------------------
>
> pass in quick on $ifint_aln inet proto tcp from any to lo0 port $SshPort
> flags S/SA keep state (max 20, source-track rule, max-src-nodes 2,
> max-src-states 10)
> pass in quick on $ifint_aln inet proto tcp from any to lo0 port $FtpPort
> flags S/SA keep state (max 250, source-track rule, max-src-conn 100,
> max-src-nodes 254, max-src-conn-rate 75/20)
>
> pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto
> tcp from $ifint_aln:network to !$ifint_aln port $Allow_tcp_ports_aln flags
> S/SA modulate state
> pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto
> tcp from $ifint_aln:network to !$ifint_aln port $Allow_udp_ports_aln keep
> state
> pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto
> icmp from $ifint_aln:network to !$ifint_aln icmp-type { echorep, echoreq,
> timex, unreach } keep state
>
> # To Servers ------------------
> pass out quick on $ifint_aln inet proto tcp from any to $brightmail port
> smtp flags S/SA modulate state (max 100, source-track rule, max-src-nodes
> 30, max-src-states 5, max-src-conn-rate 10/300, overload <banned> flush
> global, tcp.established 45)
> pass out quick on $ifint_aln inet proto tcp from any to $exchange port
> 443 flags S/SA modulate state
> pass out quick on $ifint_aln inet proto tcp from any to $srvmic2008 port
> 21 flags S/SA modulate state
>
> # From gateway -----------------
> pass out quick on $ifint_aln inet proto { tcp, udp, icmp } from
> $ifint_aln to any keep state
>
> ## fin pf.conf
>
>
> Obrigado pela atenção;
>
> --
> Mario Lobo
> http://www.mallavoodoo.com.br
> FreeBSD since version 2.2.8 [not Pro-Audio.... YET!!] (99,7% winfoes FREE)
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>
--
___________________________
Bruno Torres Viana
Consultor em TI
Celular: (27) 8823-0751
SKYPE/MSN: btorres_viana
Todos nós somos ignorantes, porém em assuntos diferentes. Não seja ignorante
por opção!
Mais detalhes sobre a lista de discussão freebsd