First of all, thanks for the reply, Bruno. The block log all is at the very end; I forgot to include it.

When you say:

pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from any to any port 5050 keep state
pass out quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to any port 5050 keep state

Is that reply-to really necessary? I didn't understand what it does, since it references the same interface as the pass out. In that case, for every route-to permit rule for an outbound port on the internal interface, would I have to add a reply-to rule for that same port on the external interface? I ask because the internal networks have about 20 different ports that are allowed to connect outside, and that would greatly increase the number of rules.

Thanks,

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since version 2.2.8 [not Pro-Audio.... YET!!] (99,7% winfoes FREE)

On 2 June 2011 10:31, Bruno Torres Viana <btvi...@gmail.com> wrote:
> Mario,
>
> From a quick look I don't see anything wrong, but I use a different approach.
>
> For block:
>
> block log all
>
> For the rules that direct traffic to one link or the other:
>
> pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from any to any port 5050 keep state
> pass out quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to any port 5050 keep state
>
> Cheers!
>
> On 2 June 2011 10:17, Mario Lobo <l...@bsd.com.br> wrote:
> > Good morning everyone;
> >
> > I will soon have the following situation:
> >
> > 1 link of 1M for the internal network 10.10.10.x
> > 1 link of 2M for the internal networks 198.162.0.x and 172.16.3.x
> >
> > My question is how to implement this. Currently I use pf as the firewall, with one network card for each internal network and one for each internet link (5 in total).
> >
> > I adapted my current pf.conf for the 2 links. I haven't tested it yet because the 2nd link isn't installed yet. I'd like your comments on whether my reasoning is correct, whether it's all wrong, etc...
> > The FreeBSD default router is the 2M link.
> >
> > FBSD 8.2-STABLE
> >
> > ### pf.conf
> >
> > ################[ Macros ]####################################
> >
> > ### Interfaces ###
> >
> > ifext_1M="sis0"
> > gwip_1M="xx.xx.xx.xx"
> >
> > ifext_2M="rl1"
> > gwip_2M="yy.yy.yy.yy"
> >
> > ### Network ifs ###
> >
> > ifint_aln="dc0"
> > ifint_lab="vr0"
> > ifint_enc="rl0"
> >
> > ### Networks ###
> >
> > rede_1M="10.10.10.0/24"
> > rede_2Ma="192.168.0.0/24"
> > rede_2Mb="172.16.3.0/24"
> >
> > ################[ Queueing ]##################################
> >
> > ################[ Translation ]###############################
> >
> > ### NAT
> >
> > nat on $ifext_1M from $ifint_enc:network to any -> $ifext_1M port 1024:65535
> > nat on $ifext_2M from { $ifint_aln:network, $ifint_lab:network } to any -> $ifext_2M port 1024:65535
> >
> > ### RDR
> >
> > no rdr on lo0 from any to any
> >
> > # FW Servers -----------------------------------
> >
> > # mail /owa
> > rdr on $ifext_2M inet proto tcp to port smtp -> $brightmail port smtp
> > rdr on $ifext_2M inet proto tcp to port https -> $exchange port https
> >
> > # DENY rogue redirections
> > no rdr
> >
> > ################[ Filtering ]#################################
> >
> > ### unconditional passes
> >
> > pass quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_aln:network to $ifint_aln:network
> > pass quick on $ifint_lab inet proto { tcp, udp, icmp } from $ifint_lab:network to $ifint_lab:network
> > pass quick on $ifint_enc inet proto { tcp, udp, icmp } from $ifint_enc:network to $ifint_enc:network
> >
> > # allow lab to see DNS
> > pass quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_lab:network to $ad_dns
> >
> > # route enc network - no restrictions
> > pass in quick on $ifint_enc route-to ( $ifext_1M $gwip_1M ) inet from $ifint_enc:network to !$ifint_enc keep state
> > # From gateway -----------------
> > pass out quick on $ifint_enc inet proto { tcp, udp, icmp } from $ifint_enc to any keep state
> >
> > ### Quick blocks
> >
> > block in on $ifext_1M inet from any to !($ifext_1M)
> > block in on $ifext_2M inet from any to !($ifext_2M)
> >
> > # Ftp ( secure ftp-proxy )
> > anchor "ftp-proxy/*"
> >
> > ### Allowances
> >
> > # From LAB -------------------------------------------------------------------
> >
> > pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto tcp from $ifint_lab:network to !$ifint_lab port $Allow_tcp_ports_lab
> > pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto udp from $ifint_lab:network to !$ifint_lab port $Allow_udp_ports_lab
> > pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto icmp from $ifint_lab:network to !$ifint_lab icmp-type { echorep, echoreq, timex, unreach }
> >
> > pass out quick on $ifint_lab inet proto tcp tagged ftp_proxy modulate state
> >
> > # From gateway -----------------
> > pass out quick on $ifint_lab inet proto { tcp, udp, icmp } from $ifint_lab to any keep state
> >
> >
> > # From ALN -------------------------------------------------------------------
> >
> > pass in quick on $ifint_aln inet proto tcp from any to lo0 port $SshPort flags S/SA keep state (max 20, source-track rule, max-src-nodes 2, max-src-states 10)
> > pass in quick on $ifint_aln inet proto tcp from any to lo0 port $FtpPort flags S/SA keep state (max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)
> >
> > pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto tcp from $ifint_aln:network to !$ifint_aln port $Allow_tcp_ports_aln flags S/SA modulate state
> > pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto udp from $ifint_aln:network to !$ifint_aln port $Allow_udp_ports_aln keep state
> > pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto icmp from $ifint_aln:network to !$ifint_aln icmp-type { echorep, echoreq, timex, unreach } keep state
> >
> > # To Servers ------------------
> > pass out quick on $ifint_aln inet proto tcp from any to $brightmail port smtp flags S/SA modulate state (max 100, source-track rule, max-src-nodes 30, max-src-states 5, max-src-conn-rate 10/300, overload <banned> flush global, tcp.established 45)
> > pass out quick on $ifint_aln inet proto tcp from any to $exchange port 443 flags S/SA modulate state
> > pass out quick on $ifint_aln inet proto tcp from any to $srvmic2008 port 21 flags S/SA modulate state
> >
> > # From gateway -----------------
> > pass out quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_aln to any keep state
> >
> > ## end pf.conf
> >
> >
> > Thanks for your attention;
> >
> > --
> > Mario Lobo
> > http://www.mallavoodoo.com.br
> > FreeBSD since version 2.2.8 [not Pro-Audio.... YET!!] (99,7% winfoes FREE)
> > -------------------------
> > Archive: http://www.fug.com.br/historico/html/freebsd/
> > Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>
>
> --
> ___________________________
> Bruno Torres Viana
> IT Consultant
> Mobile: (27) 8823-0751
> SKYPE/MSN: btorres_viana
>
> We are all ignorant, just about different subjects. Don't be ignorant by choice!
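One way to keep the rule count down for the case raised above (about 20 permitted outbound ports), written here as an added pf.conf example that is not from either poster: a port-list macro per protocol with a single route-to rule each, and reply-to reserved for connections that arrive on the non-default link. Interface names, the gateway address, the server address and the port lists are placeholders.

```pf
# Added example, not from the thread. Interface names, gateway, server
# address and port lists are constructed placeholders.
int_if   = "vr0"
ext_if2  = "rl1"
ext_gw2  = "yy.yy.yy.yy"
mail_srv = "192.168.0.10"
allow_tcp_ports = "{ 22, 25, 53, 80, 443, 5050 }"
allow_udp_ports = "{ 53, 123 }"

# Publish mail/owa on the second link (translation happens before filtering
# on FreeBSD 8.x, so the filter rule below matches the internal address).
rdr on $ext_if2 inet proto tcp to ($ext_if2) port { smtp, https } -> $mail_srv

block log all

# Outbound from the LAN: one route-to rule per protocol covers the whole
# port list. The state created here also matches the replies that come back
# in on $ext_if2, so no per-port reply-to rule is needed for connections
# that are initiated from inside.
pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) inet proto tcp \
    from $int_if:network to !$int_if port $allow_tcp_ports keep state
pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) inet proto udp \
    from $int_if:network to !$int_if port $allow_udp_ports keep state
pass out quick on $ext_if2 keep state

# Inbound to the published service: reply-to is what sends the answers back
# out through $ext_gw2 instead of the system default route, which matters
# whenever $ext_if2 is not the default link.
pass in quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to $mail_srv port { smtp, https } keep state
```

Adding a port to the outbound policy then means editing the macro, not adding a rule pair.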