Good morning, everyone. I will soon have the following situation:

- 1 link of 1M for the internal network 10.10.10.x
- 1 link of 2M for the internal networks 198.162.0.x and 172.16.3.x

My question is how to implement this. Currently I use pf as the firewall, with one network card for each internal network and one for each internet link (5 in total). I adapted my current pf.conf for the 2 links. I haven't tested it yet because the 2nd link isn't installed yet. I'd like your comments: whether my reasoning is correct, whether it's all wrong, etc...

FreeBSD's default router is the 2M link. FBSD 8.2-STABLE

### pf.conf

################[ Macros ]####################################

### Interfaces ###
ifext_1M="sis0"
gwip_1M="xx.xx.xx.xx"
ifext_2M="rl1"
gwip_2M="yy.yy.yy.yy"

### Network ifs ###
ifint_aln="dc0"
ifint_lab="vr0"
ifint_enc="rl0"

### Networks ###
rede_1M="10.10.10.0/24"
rede_2Ma="192.168.0.0/24"
rede_2Mb="172.16.3.0/24"

# Referenced below but not included in this excerpt (defined elsewhere in the
# full file): $brightmail, $exchange, $ad_dns, $srvmic2008, $SshPort, $FtpPort,
# $Allow_tcp_ports_lab, $Allow_udp_ports_lab, $Allow_tcp_ports_aln,
# $Allow_udp_ports_aln, and the table <banned> used by "overload".

################[ Queueing ]##################################

################[ Translation ]###############################

### NAT
nat on $ifext_1M from $ifint_enc:network to any -> $ifext_1M port 1024:65535
nat on $ifext_2M from { $ifint_aln:network, $ifint_lab:network } to any -> $ifext_2M port 1024:65535

### RDR
no rdr on lo0 from any to any

# FW Servers -----------------------------------
# mail / owa
rdr on $ifext_2M inet proto tcp to port smtp -> $brightmail port smtp
rdr on $ifext_2M inet proto tcp to port https -> $exchange port https

# DENY rogue redirections
no rdr

################[ Filtering ]#################################

### unconditional passes
pass quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_aln:network to $ifint_aln:network
pass quick on $ifint_lab inet proto { tcp, udp, icmp } from $ifint_lab:network to $ifint_lab:network
pass quick on $ifint_enc inet proto { tcp, udp, icmp } from $ifint_enc:network to $ifint_enc:network

# allow lab to see DNS
pass quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_lab:network to $ad_dns

# route enc network - no restrictions
pass in quick on $ifint_enc route-to ( $ifext_1M $gwip_1M ) inet from $ifint_enc:network to !$ifint_enc keep state
# From gateway -----------------
pass out quick on $ifint_enc inet proto { tcp, udp, icmp } from $ifint_enc to any keep state

### Quick blocks
block in on $ifext_1M inet from any to !($ifext_1M)
block in on $ifext_2M inet from any to !($ifext_2M)

# Ftp ( secure ftp-proxy )
anchor "ftp-proxy/*"

### Allowances
# From LAB -------------------------------------------------------------------
pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto tcp from $ifint_lab:network to !$ifint_lab port $Allow_tcp_ports_lab
pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto udp from $ifint_lab:network to !$ifint_lab port $Allow_udp_ports_lab
pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto icmp from $ifint_lab:network to !$ifint_lab icmp-type { echorep, echoreq, timex, unreach }
pass out quick on $ifint_lab inet proto tcp tagged ftp_proxy modulate state
# From gateway -----------------
pass out quick on $ifint_lab inet proto { tcp, udp, icmp } from $ifint_lab to any keep state

# From ALN -------------------------------------------------------------------
pass in quick on $ifint_aln inet proto tcp from any to lo0 port $SshPort flags S/SA keep state (max 20, source-track rule, max-src-nodes 2, max-src-states 10)
pass in quick on $ifint_aln inet proto tcp from any to lo0 port $FtpPort flags S/SA keep state (max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)
pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto tcp from $ifint_aln:network to !$ifint_aln port $Allow_tcp_ports_aln flags S/SA modulate state
# proto udp here: the posted line read "proto tcp" while using the UDP port list
pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto udp from $ifint_aln:network to !$ifint_aln port $Allow_udp_ports_aln keep state
pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto icmp from $ifint_aln:network to !$ifint_aln icmp-type { echorep, echoreq, timex, unreach } keep state
# To Servers ------------------
pass out quick on $ifint_aln inet proto tcp from any to $brightmail port smtp flags S/SA modulate state (max 100, source-track rule, max-src-nodes 30, max-src-states 5, max-src-conn-rate 10/300, overload <banned> flush global, tcp.established 45)
pass out quick on $ifint_aln inet proto tcp from any to $exchange port 443 flags S/SA modulate state
pass out quick on $ifint_aln inet proto tcp from any to $srvmic2008 port 21 flags S/SA modulate state
# From gateway -----------------
pass out quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_aln to any keep state

## end pf.conf

Thanks for your attention;

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since version 2.2.8 [not Pro-Audio.... YET!!] (99,7% winfoes FREE)

-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
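An added example, not from Mario's post: a small sh script that lints a macro-based pf.conf excerpt offline before the second link exists, listing macros that are referenced but never defined (pfctl would reject the file) and resolving each route-to rule to the uplink and gateway it actually selects. The sample config, its interface names and its addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not the poster's config): pre-flight lint for a two-uplink
# pf.conf. Reports undefined macros and prints "<in-interface> -> <uplink>
# via <gateway>" for every route-to rule, with macros resolved.
# Sample input is constructed; gateway IPs are documentation addresses.
export LC_ALL=C
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
ifext_1M="sis0"
gwip_1M="192.0.2.1"
ifext_2M="rl1"
gwip_2M="198.51.100.1"
ifint_enc="rl0"
ifint_lab="vr0"
pass in quick on $ifint_enc route-to ( $ifext_1M $gwip_1M ) inet from $ifint_enc:network to !$ifint_enc keep state
pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto tcp from $ifint_lab:network to !$ifint_lab port $Allow_tcp_ports_lab
rdr on $ifext_2M inet proto tcp to port smtp -> $brightmail port smtp
EOF

# Macro names referenced as $name (also $name:network, !$name) but never
# defined as name="..." in the file; one per line, sorted.
undefined_macros() {
    grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | sed 's/^\$//' | sort -u > "$1.ref"
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" \
        | sort -u > "$1.def"
    comm -23 "$1.ref" "$1.def"
    rm -f "$1.ref" "$1.def"
}

# One "<in-interface> -> <uplink> via <gateway>" line per route-to rule.
routeto_map() {
    awk '
    function r(t,  n) { n = t; sub(/^\$/, "", n); return (n in m) ? m[n] : t }
    /^[A-Za-z_][A-Za-z0-9_]* *=/ {                  # macro definition
        n = $0; sub(/ *=.*/, "", n)
        v = $0; sub(/^[^"]*"/, "", v); sub(/".*/, "", v)
        m[n] = v; next }
    /route-to/ {                                     # route-to ( $if $gw )
        src = ""; up = ""; gw = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "on") src = $(i + 1)
            if ($i == "route-to") { up = $(i + 2); gw = $(i + 3) }
        }
        printf "%s -> %s via %s\n", r(src), r(up), r(gw) }' "$1"
}

echo "undefined macros:"; undefined_macros "$SAMPLE"
echo "policy routing:";   routeto_map "$SAMPLE"
```

This only checks what a text lint can; run `pfctl -nf` on the real file afterwards for the authoritative syntax check.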