Huzeyfe Hocam, thank you very much for your help; for now the rules are working the way you described. The only problem I see at the moment is that when I telnet from the server to another machine's mail server and type EHLO, it waits for 1-2 minutes. But when I connect to my own server from outside there is no problem, it is quite fast; the slowdown is there when I try to go out from inside. I wonder why. When I look at the logs there is no block either.

Regards....

----- Original Message -----
From: Huzeyfe ONAL
To: freebsd@lists.enderunix.org
Sent: Tuesday, April 15, 2008 7:13 PM
Subject: RE: [FreeBSD] Freebsd + PF

Greetings,

You can use the rule below for SMTP. You can replicate it for the other protocols by following this pattern.

    pass in quick log (all) on $ext_if0 reply-to ($ext_if0 $ext_gw0) proto tcp from any to $ext_if0:0 port 25 keep state

For the SMTP packets that will leave the firewall, you can find the example in my previous mail.

------------------------------------------------------------------------------
From: vys [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 15, 2008 7:06 PM
To: freebsd@lists.enderunix.org
Subject: Re: [FreeBSD] Freebsd + PF

Hello Huzeyfe Hocam,

First of all, to understand the subject better, would it be possible for you to give a few more examples? The system in use is FreeBSD. What I am wondering about is this: the mail I send from my server, or anything else, should go out over DSL 1; when surfing the internet from the server it should go out over DSL 2; or when I connect to an SSH server outside it should go out over DSL 1. If you could give examples like these, it would be much appreciated, hocam.

Regards....

----- Original Message -----
From: Huzeyfe ONAL
To: freebsd@lists.enderunix.org
Sent: Tuesday, April 15, 2008 5:53 PM
Subject: RE: [FreeBSD] Freebsd + PF

Hello,

For a packet that arrives over one line to go back out over the same line, you need to use reply-to. Apart from that, you can use the route-to concept in this way not for the firewall itself but for requests coming from the internal network. To send the traffic generated by the firewall itself over different lines, try writing nat/filtering rules like the following (for SMTP requests to go out over line II):

    nat on $ext_if proto tcp from self to any port smtp tag IF2 -> ($ext_if2)
    pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state

(If you are using OpenBSD 4.2 or similar, keep state is not needed.)

In addition, looking at your rules, there are missing/incorrect definitions. In general they look like rules written with a single line in mind. Most simply, with the rule

    pass in on $int_if route-to { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin from $lan_net to any keep state

you appear to be distributing the internal network users across both lines; if what you want is for these users to be on a single line, specify a single exit and do not use round-robin.

----------------------------------------------------------------------------
From: vys [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 15, 2008 1:03 PM
To: freebsd@lists.enderunix.org
Subject: [FreeBSD] Freebsd + PF

Hello friends,

I had questions about this topic on the list before, but I wanted to share with you a few situations I still cannot solve. On one server both a proxy and a mail server are installed and running. Now what I want to do is this: there are 2 DSL lines attached to this server, and with packet filter I want my mail server to communicate over adsl1 when sending and receiving mail, and my users to use adsl2 when going out to the internet or reaching other resources. I arranged my pf.conf accordingly. At this point I run into the following problems: first, when I try to connect to the mail server from outside with telnet, it does not connect, while in the logs I can see it as pass; but when I connect to my server with ssh the same way, over adsl2, there is no problem at all. Ports 25 and 110 are forwarded to the server over adsl1. I wonder whether there is something I have overlooked or do not know. My rule table is as below.

    ###################################################
    # Macros
    ###################################################
    lan_net = "{ 10.0.0.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 }"
    int_if = "bge0"
    ext_if = "vr0"
    ext_if2 = "vr1"
    ext_gw1 = "192.168.100.213"   # for the proxy
    ext_gw2 = "192.168.110.25"    # for mail traffic
    fwips = "{127.0.0.1, 10.0.0.2, 192.168.100.212, 192.168.110.26}"
    ##################################################
    # Definitions
    ##################################################
    table <msn> persist file "/usr/local/etc/fw/msn"
    table <ftp> persist file "/usr/local/etc/fw/ftp"
    ###################################################
    # Set Optimizations
    ###################################################
    set limit { frags 30000, states 25000 }
    set loginterface $ext_if
    scrub in all
    ##################################################
    # NAT rules
    ##################################################
    nat on $ext_if from $lan_net to any -> ($ext_if)
    nat on $ext_if2 from $lan_net to any -> ($ext_if2)
    rdr on $int_if proto tcp from any to any port 80 -> 10.0.0.2 port 8080
    ##################################################
    # Rules
    ##################################################
    block in log-all all
    block out log-all all
    pass in quick on lo0 all
    pass out quick on lo0 all
    ##################################################
    # Route-to
    ##################################################
    pass in on $int_if route-to { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin from $lan_net to any keep state
    pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state
    pass out on $ext_if2 route-to ($ext_if $ext_gw1) from $ext_if to any keep state
    ##################################################
    # Port-based routing
    ##################################################
    pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) proto tcp from $fwips to any port 25 keep state
    pass out quick on $ext_if2 proto tcp from $fwips to any port 25 keep state
    pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from $lan_net to any port 25 keep state
    ##################################################
    # Outbound connections allowed for the firewall
    ##################################################
    pass out quick on $ext_if proto {tcp,udp} from $fwips to any keep state
    pass out quick on $ext_if2 proto {tcp,udp} from $fwips to any keep state
    ##################################################
    # Ports allowed from lan_net to the firewall
    ##################################################
    pass in quick on $int_if proto tcp from $lan_net to any port { 22,25,80,110,8080,12200,443,444,53 } flags S/SA keep state
    pass in quick on $int_if proto tcp from <msn> to any port = 1863 flags S/SA keep state
    pass in quick on $int_if proto tcp from <ftp> to any port = 21 flags S/SA keep state
    pass in quick on $int_if proto { udp, icmp } from $lan_net to any keep state
    ##################################################
    # Inbound on ext_if2
    ##################################################
    pass in quick log on $ext_if2 proto tcp from any to any port {25,80,110,53} flags S/SA keep state
    ##################################################
    # Inbound on ext_if
    ##################################################
    pass in quick log on $ext_if proto tcp from any to any port = 22 flags S/SA keep state
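Added example, not from the thread: the three pieces of Huzeyfe's advice (reply-to on each incoming line, NAT tag plus route-to for firewall-originated SMTP, a single exit for LAN users instead of round-robin) assembled into one pf.conf fragment using the macro names from vys's ruleset. It assumes line 1 ($ext_if/$ext_gw1) carries users and SSH, line 2 ($ext_if2/$ext_gw2) carries mail on 25/110 as vys's macro comments label them, and that the system default route points at $ext_gw1.

```pf
# Added dual-WAN sketch (assumption: line 1 = users/SSH and default route,
# line 2 = mail). Macro values are the ones from vys's ruleset.
int_if  = "bge0"
ext_if  = "vr0"
ext_if2 = "vr1"
ext_gw1 = "192.168.100.213"
ext_gw2 = "192.168.110.25"
lan_net = "{ 10.0.0.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 }"

scrub in all

# Source NAT for the LAN on both lines; the route-to rule below picks the line.
nat on $ext_if  from $lan_net to any -> ($ext_if)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# SMTP generated by the firewall itself: translate to line 2's address and
# tag it so the pass out rule can steer it (Huzeyfe's nat/tag pattern).
nat on $ext_if proto tcp from self to any port smtp tag IF2 -> ($ext_if2)

block in log all
block out log all
pass quick on lo0 all

# Inbound services: reply-to sends the answer back out over the line the
# request arrived on, regardless of which line holds the default route.
pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to $ext_if2:0 port { 25, 110 } flags S/SA keep state
pass in quick log on $ext_if reply-to ($ext_if $ext_gw1) proto tcp \
    from any to $ext_if:0 port 22 flags S/SA keep state

# Firewall-originated SMTP leaves over line 2 via the tag set by NAT above;
# pf re-filters on the new interface, so line 2 also needs a pass out rule.
pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state
pass out quick on $ext_if2 proto tcp from ($ext_if2) to any port smtp keep state

# LAN users: one exit (line 1), no round-robin, so sessions stay on one line.
pass in quick on $int_if route-to ($ext_if $ext_gw1) from $lan_net to any keep state

# Everything leaving line 1 with line 1's address (NATed LAN traffic and the
# firewall's own non-SMTP traffic) follows the default route.
pass out quick on $ext_if from ($ext_if) to any keep state
```

With reply-to on the inbound rules, pfctl -s state should show the 25/110 states bound to $ext_if2 and their replies leaving there, which is what the rdr-to-server rules in the original set could not guarantee.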