Segue minhas regras
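#!/bin/sh
########################################################################
# Access-release rules (ipfw + dummynet) for customers with public IPs.
#
# Addresses appear as 200.x.x.N because the poster redacted them; they
# must be replaced with real addresses before the script can run.
#
# ipfw evaluates rules in ascending rule-number order, not in the order
# the "add" commands run, and the first terminating action (allow, deny,
# fwd) ends the search for that packet.
########################################################################

# Set quiet mode if requested
#
#case ${firewall_quiet} in
#[Yy][Ee][Ss])
#        fwcmd="/sbin/ipfw -q"
#        ;;
#*)
#        fwcmd="/sbin/ipfw"
#        ;;
#esac

# ${fwcmd} is expanded unquoted below on purpose: the quiet-mode variant
# above carries an option ("-q") that must be split into its own word.
fwcmd="/sbin/ipfw"

# Clear previous rules.
# Left disabled as in the original; without it, running the script again
# adds every numbered rule a second time.
#${fwcmd} -f flush

###################
# Rules
###################

#############################
## DENY -                   #
# 1000 ~ 1400 = 400         #
#############################

# Block NetBIOS over TCP
# 1000 - 1002
${fwcmd} add 1000 deny tcp from any 137 to any
${fwcmd} add 1000 deny tcp from any to any 137
${fwcmd} add 1001 deny tcp from any 138 to any
${fwcmd} add 1001 deny tcp from any to any 138
${fwcmd} add 1002 deny tcp from any 139 to any
${fwcmd} add 1002 deny tcp from any to any 139

# Block NetBIOS over UDP
# 1003 - 1005
${fwcmd} add 1003 deny udp from any 137 to any
${fwcmd} add 1003 deny udp from any to any 137
${fwcmd} add 1004 deny udp from any 138 to any
${fwcmd} add 1004 deny udp from any to any 138
${fwcmd} add 1005 deny udp from any 139 to any
${fwcmd} add 1005 deny udp from any to any 139
# NOTE(review): port 445 (SMB directly over TCP) is not covered by the
# rules above; add it here if the intent is to keep Windows file sharing
# off the public addresses.

# SQUID PROXY (transparent redirect of web traffic to the local proxy)
# NOTE(review): rule 17500 is evaluated after the "allow ip" rules
# 2502/2505/2508 below, which already accept every packet from those
# customers, so their web traffic never reaches this fwd rule. Moving
# the fwd to a lower number has its own effect: traffic fetched by the
# proxy presumably leaves the box with the proxy's source address and
# would no longer match pipes keyed on the customer address -- confirm
# before renumbering.
${fwcmd} add 17500 fwd 127.0.0.1,3128 tcp from 200.x.x.0:255.255.255.0 to any www

# Dhcpd
# Fixed: DHCP runs over UDP ports 67/68; the original allowed TCP, which
# does not let DHCP through.
${fwcmd} add 2030 allow udp from any to any 67
${fwcmd} add 2030 allow udp from any 67 to any
${fwcmd} add 2031 allow udp from any to any 68
${fwcmd} add 2031 allow udp from any 68 to any

#############################################
# PUBLIC-IP RULES                           #
# 2400 ~ 2900 = 500                         #
#############################################
# Fixed in every customer block: the rule number goes after "add"
# ("ipfw add NUM pipe NUM ..."). The original "ipfw NUM add pipe ..." is
# not a valid ipfw command, so no traffic was ever sent to the pipes.
#
# With net.inet.ip.fw.one_pass=1 (the FreeBSD default) a packet that
# leaves a pipe is accepted without being matched against later rules.
#
# The "allow ip from any to <customer>" rules are stateless and
# unrestricted: anything not denied by a lower-numbered rule reaches the
# customer host.

# customer 1
${fwcmd} add 2500 pipe 2500 ip from 200.x.x.2 to any out
${fwcmd} pipe 2500 config bw 256Kbit/s queue 32kbytes
${fwcmd} add 2501 pipe 2501 ip from any to 200.x.x.2 in
${fwcmd} pipe 2501 config bw 256Kbit/s queue 32kbytes
${fwcmd} add 2502 allow ip from any to 200.x.x.2
${fwcmd} add 2502 allow ip from 200.x.x.2 to any

# customer 2
${fwcmd} add 2503 pipe 2503 ip from 200.x.x.3 to any out
# Fixed: the original read "queue 64bytes"; 64kbytes matches pipe 2504.
${fwcmd} pipe 2503 config bw 512Kbit/s queue 64kbytes
${fwcmd} add 2504 pipe 2504 ip from any to 200.x.x.3 in
${fwcmd} pipe 2504 config bw 512Kbit/s queue 64kbytes
${fwcmd} add 2505 allow ip from any to 200.x.x.3
${fwcmd} add 2505 allow ip from 200.x.x.3 to any

# customer 3
${fwcmd} add 2506 pipe 2506 ip from 200.x.x.4 to any out
${fwcmd} pipe 2506 config bw 128Kbit/s queue 16kbytes
${fwcmd} add 2507 pipe 2507 ip from any to 200.x.x.4 in
${fwcmd} pipe 2507 config bw 128Kbit/s queue 16kbytes
${fwcmd} add 2508 allow ip from any to 200.x.x.4
# Fixed: the original was missing the "to" keyword.
${fwcmd} add 2508 allow ip from 200.x.x.4 to any

# ... remaining customers (omitted by the poster) ...

# Block the rest of the 200.x.x.1 network
# Fixed: the original mask was written "//27".
${fwcmd} add 2900 deny ip from any to 200.x.x.1/27

########################################################
# SERVICES ALLOWED                                     #
# 17500 ~ 17900 = 400                                  #
########################################################

# ALLOW PING
# 18000
${fwcmd} add 18000 pass icmp from any to any

# --- end of the posted script; the rest of the mailing-list message follows, kept verbatim ---
# Há algo errado ?? Sds Em 26/07/08, Welkson Renny de Medeiros <[EMAIL PROTECTED]> escreveu: > > Cara, > > > Hoje só uso proxy transparente pelo PF... mas me recordo de ter visto falar > que tem que colocar uma sequência a seguir, não lembro se o PIPE fica antes > do FWD, ou o contrário... posta suas regras. > > Welkson > > > ----- Original Message ----- > From: "sky priest" <[EMAIL PROTECTED]> > To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)" > <freebsd@fug.com.br> > Sent: Saturday, July 26, 2008 2:01 AM > Subject: Re: [FUG-BR] Ajuda com DUMMYNET (RESOLVIDO) > > > Tenho o mesmo problema Denis, e até hoje nao consegui. > > Quando direciono para o squid para o controle de upload, sera que alguem ja > passou por isso??? E o que voce fez ja resolveu ?? > > Sds > Sky > > > Em 24/07/08, Denis Granato <[EMAIL PROTECTED]> escreveu: > > > > mas e quando adicionou a regra para o squid, eu tinha o problema de > > nao controlar mais o UP, > > desse jeito funciona?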
> > > > 2008/7/24 Welkson Renny de Medeiros <[EMAIL PROTECTED]>: > > > Pessoal, > > > > > > > > > Acabei achando um material com uns exemplos e resolvi o problema. > > > > > > Segue o link do material: > > > http://posredes.catolica-to.edu.br/downloads/ipfw.pdf > > > > > > Segue as regras: > > > > > > ### LIMITANDO DOWNLOAD/UPLOAD / DISTRIBUIDOR ### > > > ipfw pipe 70 config bw 100Kbit/s queue 10Kbytes > > > ipfw pipe 71 config bw 100Kbit/s queue 10Kbytes > > > ipfw add 70 pipe 70 ip from any to 192.168.1.198/32 out via vr1 > > > ipfw add 71 pipe 71 ip from 192.168.1.198/32 to any in via vr1 > > > > > > # dica para analisar somente um ip com iftop: > > > iftop -P -m 200000 -i vr1 -N -F 192.168.1.198/32 > > > > > > Fica aí as dicas para o histórico. > > > > > > Abraço, > > > > > > Welkson Renny > > > > > > > > > ----- Original Message ----- > > > From: "Welkson Renny de Medeiros" <[EMAIL PROTECTED]> > > > To: <freebsd@fug.com.br> > > > Sent: Thursday, July 24, 2008 8:36 AM > > > Subject: [FUG-BR] Ajuda com DUMMYNET > > > > > > > > > Pessoal, > > > > > > Ainda "apanho" desses "in/out" do IPFW. Estou tentando LIMITAR o > DOWN/UP > > de > > > um determinado ip a 100kbps. > > > > > > Segue a regra: > > > > > > ### LIMITANDO DOWNLOAD/UPLOAD / DISTRIBUIDOR ### > > > ipfw add pipe 101 ip from 192.168.1.198 to any out via vr1 > > > ipfw add pipe 102 ip from any to 192.168.1.198 in via vr1 > > > ipfw pipe 101 config bw 100Kbit/s > > > ipfw pipe 102 config bw 100Kbit/s > > > > > > > > > # vr1: interface interna > > > # vr0: interface externa > > > > > > Fico acompanhando no iftop mas sempre passa do valor limitado... tenho > > > outras regras de download que limitam perfeitamente... mas upload tá > > > complicado. > > > > > > [EMAIL PROTECTED]:/etc/firewall] # cat /bin/banda-servidor > > > iftop -P -m 200000 -i vr1 -N -F 192.168.1.198/32 > > > > > > Dicas? 