[FUG-BR] 1 internet link for each internal network.

2011-06-02 From Mario Lobo
Good morning, everyone;

I will soon have the following situation:

1 link of 1M for the internal network 10.10.10.x
1 link of 2M for the internal networks 198.162.0.x and 172.16.3.x

My question is how to implement this. I currently use pf as the firewall,
with one network card for each internal network and one for each internet link
(5 in total).

I adapted my current pf.conf for the 2 links. I haven't tested it yet because
the 2nd link isn't installed yet. I'd like your comments on whether my
reasoning is correct, whether it's all wrong, etc... FreeBSD's default router
is the 2M link.

FBSD 8.2-STABLE


### pf.conf

### [ Macros ] ###

### Interfaces ###

  ifext_1M=sis0
  gwip_1M=xx.xx.xx.xx

  ifext_2M=rl1
  gwip_2M=yy.yy.yy.yy

### Network ifs ###

  ifint_aln=dc0
  ifint_lab=vr0
  ifint_enc=rl0

### Networks ###

  rede_1M=10.10.10.0/24
  rede_2Ma=192.168.0.0/24
  rede_2Mb=172.16.3.0/24

  # $ad_dns, $brightmail, $exchange, $srvmic2008, $SshPort, $FtpPort and the
  # $Allow_*_ports_* lists, plus the <banned> table, are defined elsewhere
  # and not included in this post.

### [ Queueing ] ###

### [ Translation ] ###

### NAT

  # enc (10.10.10.0/24) leaves through the 1M link; aln and lab through the 2M link
  nat on $ifext_1M from $ifint_enc:network to any -> $ifext_1M port 1024:65535
  nat on $ifext_2M from { $ifint_aln:network, $ifint_lab:network } to any -> $ifext_2M port 1024:65535

### RDR

  no rdr on lo0 from any to any

  # FW Servers ---

  # mail /owa
  rdr on $ifext_2M inet proto tcp to port smtp  -> $brightmail port smtp
  rdr on $ifext_2M inet proto tcp to port https -> $exchange port https

  # DENY rogue redirections
  no rdr

### [ Filtering ] ###

### unconditional passes

  pass quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_aln:network to $ifint_aln:network
  pass quick on $ifint_lab inet proto { tcp, udp, icmp } from $ifint_lab:network to $ifint_lab:network
  pass quick on $ifint_enc inet proto { tcp, udp, icmp } from $ifint_enc:network to $ifint_enc:network

  # allow lab to see DNS
  pass quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_lab:network to $ad_dns

  # route enc network - no restrictions
  pass in quick on $ifint_enc route-to ( $ifext_1M $gwip_1M ) inet from $ifint_enc:network to !$ifint_enc keep state
  # From gateway -
  pass out quick on $ifint_enc inet proto { tcp, udp, icmp } from $ifint_enc to any keep state

### Quick blocks

  block in  on $ifext_1M inet from any to !($ifext_1M)
  block in  on $ifext_2M inet from any to !($ifext_2M)

  # Ftp ( secure ftp-proxy )
  anchor "ftp-proxy/*"

### Allowances

  # From LAB ---

  pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto tcp  from $ifint_lab:network to !$ifint_lab port $Allow_tcp_ports_lab
  pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto udp  from $ifint_lab:network to !$ifint_lab port $Allow_udp_ports_lab
  pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto icmp from $ifint_lab:network to !$ifint_lab icmp-type { echorep, echoreq, timex, unreach }

  pass out quick on $ifint_lab inet proto tcp tagged ftp_proxy modulate state

  # From gateway -
  pass out quick on $ifint_lab inet proto { tcp, udp, icmp } from $ifint_lab to any keep state


  # From ALN ---

  pass in quick on $ifint_aln inet proto tcp from any to lo0 port $SshPort flags S/SA keep state (max 20, source-track rule, max-src-nodes 2, max-src-states 10)
  pass in quick on $ifint_aln inet proto tcp from any to lo0 port $FtpPort flags S/SA keep state (max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)

  pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto tcp  from $ifint_aln:network to !$ifint_aln port $Allow_tcp_ports_aln flags S/SA modulate state
  # proto udp for the UDP port list (the rule as posted said "proto tcp" here)
  pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto udp  from $ifint_aln:network to !$ifint_aln port $Allow_udp_ports_aln keep state
  pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto icmp from $ifint_aln:network to !$ifint_aln icmp-type { echorep, echoreq, timex, unreach } keep state

  # To Servers --
  pass out quick on $ifint_aln inet proto tcp from any to $brightmail port smtp flags S/SA modulate state (max 100, source-track rule, max-src-nodes 30, max-src-states 5, max-src-conn-rate 10/300, overload <banned> flush global, tcp.established 45)
  pass out quick on $ifint_aln inet proto tcp from any to $exchange port 443 flags S/SA modulate state
  pass out quick on $ifint_aln inet proto tcp from any to $srvmic2008 port 21 flags S/SA modulate state

  # From gateway -
  pass out quick on $ifint_aln inet proto { tcp, udp, icmp } from $ifint_aln to any keep state

## end pf.conf


Thanks for your attention;

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since version 2.2.8 [not Pro-Audio YET!!] (99,7% winfoes FREE)
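The ruleset above cannot be exercised until the second link is up, but the one invariant a dual-link pf setup depends on can be checked offline from the text: each internal network must be NATed on the same external interface its route-to rule sends it out of, and every NATed network needs a route-to rule, because the kernel's default route only knows the 2M link. The script below is an added example by the editor, not code from the post. It parses only the macro, nat and route-to lines in the layout used above and runs over a constructed ruleset that reuses the thread's interface names with documentation-range addresses (203.0.113.1 and 198.51.100.1) standing in for the real gateways.

```python
"""Offline consistency check for a dual-link pf.conf.

Added example, not code from the FUG-BR post.  It parses only the subset of
pf syntax the posted ruleset uses (macros, `nat on IF from SRC ...` and
`pass in ... on IF route-to ( EXTIF GW ) ... from SRC ...`) and checks that
every internal source is NATed on the same link its route-to rule sends it
out of, and that no NATed source is left to the kernel's default route.
"""
import re
import sys

MACRO_RE = re.compile(r"^(\w+)\s*=\s*(\S.*)$")
NAT_RE = re.compile(r"^nat\s+on\s+(\S+)\s+from\s+(\{[^}]*\}|\S+)")
ROUTE_TO_RE = re.compile(
    r"^pass\s+in\b.*?\bon\s+(\S+)\s+route-to\s+\(\s*(\S+)\s+(\S+)\s*\).*?\bfrom\s+(\S+)"
)


def expand(token, macros):
    """Substitute $name references; an unknown macro is left as '$name'."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), token)


def parse(conf):
    """Return (macros, nat, routes).  nat maps a source to the external
    interface that translates it; routes maps a source to
    (external interface, gateway, internal interface) of its route-to rule."""
    macros, nat, routes = {}, {}, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip('"')
            continue
        m = NAT_RE.match(line)
        if m:
            ext = expand(m.group(1), macros)
            for src in re.findall(r"[^\s{},]+", m.group(2)):
                nat[expand(src, macros)] = ext
            continue
        m = ROUTE_TO_RE.match(line)
        if m:
            int_if, ext, gw, src = (expand(g, macros) for g in m.groups())
            routes[src] = (ext, gw, int_if)
    return macros, nat, routes


def check(conf):
    """List the inconsistencies that would only show up once both links are live."""
    _, nat, routes = parse(conf)
    problems = []
    for src, (ext, gw, _int_if) in sorted(routes.items()):
        if "$" in ext or "$" in gw:
            problems.append(f"{src}: route-to uses an undefined macro ({ext} {gw})")
        if src not in nat:
            problems.append(f"{src}: route-to {ext} but no nat rule, leaves with a private source")
        elif nat[src] != ext:
            problems.append(f"{src}: route-to {ext} but nat on {nat[src]}")
    for src, ext in sorted(nat.items()):
        if src not in routes:
            problems.append(f"{src}: nat on {ext} but no route-to rule, follows the default route")
    return problems


# Constructed ruleset in the layout of the post; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the real gateways.
SAMPLE = """\
ifext_1M=sis0
gwip_1M=203.0.113.1
ifext_2M=rl1
gwip_2M=198.51.100.1
ifint_aln=dc0
ifint_lab=vr0
ifint_enc=rl0

nat on $ifext_1M from $ifint_enc:network to any -> ($ifext_1M) port 1024:65535
nat on $ifext_2M from { $ifint_aln:network, $ifint_lab:network } to any -> ($ifext_2M) port 1024:65535

pass in quick on $ifint_enc route-to ( $ifext_1M $gwip_1M ) inet from $ifint_enc:network to !$ifint_enc keep state
pass in quick on $ifint_lab route-to ( $ifext_2M $gwip_2M ) inet proto tcp from $ifint_lab:network to !$ifint_lab port 80
pass in quick on $ifint_aln route-to ( $ifext_2M $gwip_2M ) inet proto tcp from $ifint_aln:network to !$ifint_aln port 80
"""

# The same ruleset with the lab network routed out the 1M link while it is
# still translated on the 2M link: the mistake the checker is meant to catch.
BROKEN = SAMPLE.replace(
    "on $ifint_lab route-to ( $ifext_2M $gwip_2M )",
    "on $ifint_lab route-to ( $ifext_1M $gwip_1M )",
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    for problem in check(text) or ["no inconsistencies found"]:
        print(problem)
```

Run it as `python check_links.py /etc/pf.conf` before loading the file with `pfctl -nf`; the latter checks syntax, this checks the per-link intent that syntax checking cannot see. It deliberately ignores everything it does not understand, so rules written in other forms (lists of interfaces in `on { ... }`, anchors) are simply skipped rather than reported.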

Re: [FUG-BR] 1 internet link for each internal network.

2011-06-02 From Bruno Torres Viana
Mario,

Looking quickly, I don't see anything wrong, but I use a different practice.

For block

block log all


For the rules that send traffic out one link or the other

pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from any to any port 5050 keep state
pass out quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to any port 5050 keep state

Regards!


On 2 June 2011 10:17, Mario Lobo l...@bsd.com.br wrote:

> [...]

Re: [FUG-BR] 1 internet link for each internal network.

2011-06-02 From Mario Lobo
First of all, thanks for the reply, Bruno.

The block log all is at the very end of everything. I forgot to include it.

When you say:

pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from any to any port 5050 keep state
pass out quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to any port 5050 keep state

Is this reply-to really necessary? I don't understand its purpose, since it
references the same interface as the pass out. In that case, for each route-to
pass rule for an outside port on the internal interface, would I have to add a
reply-to rule for that same port on the external interface? I ask because the
internal networks have some 20 different ports that are allowed to connect
outside, and that would greatly increase the number of rules.

Thanks,

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since version 2.2.8 [not Pro-Audio YET!!] (99,7% winfoes FREE)
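Editor's note on the reply-to question, with an added example that is not code from either post. For a connection an internal host opens, the state created by the `pass in ... route-to` rule on the internal interface already matches the reply packets arriving on the external interface, and they reach the directly connected internal network by ordinary routing, so no `reply-to` (and no per-port `pass out`) is needed; `reply-to` matters on a `pass in` rule on an external interface whose link is not the default route (the 1M link here), so that replies to connections accepted there go back through that link's gateway rather than the default one. A second caveat from the first post's ruleset: in the pf shipped with FreeBSD 8.2, rdr runs before filtering, so `block in on $ifext_2M inet from any to !($ifext_2M)` sees the translated destination ($brightmail, $exchange) and drops the redirected mail traffic unless a `pass in on $ifext_2M ... to $brightmail port smtp` follows; the excerpt shows none. The generator below emits a ruleset built on those two points from one table: the outbound rule count is (internal interfaces x protocols), with all allowed ports in one list, reply-to appears only where the link is not the default, and the pass in for each published service is included. Interfaces, gateway addresses, ports and server addresses are constructed; it assumes the default `set state-policy floating`.

```python
"""Generate the rules for a dual-link pf setup from one table.

Added example, not code from either post.  Two things it makes visible:
the number of outbound route-to rules is (internal interfaces x protocols),
with all allowed ports in one list, so 20 ports do not become 20 rules; and
reply-to is emitted only on `pass in` rules on the external interface whose
link is not the system default route, never on `pass out`.  The pass in for
each rdr'd service is emitted too, because in this pf the filter sees the
translated destination.  Assumes the default `set state-policy floating`.
Interfaces, gateways, ports and server addresses are constructed.
"""

LINKS = {                        # external interface, next-hop gateway
    "1M": ("sis0", "203.0.113.1"),
    "2M": ("rl1", "198.51.100.1"),
}
DEFAULT_LINK = "2M"              # the link the kernel routing table uses

NETWORKS = [                     # internal interface, its link, allowed ports
    {"if": "rl0", "link": "1M", "tcp": [], "udp": []},       # no restrictions
    {"if": "vr0", "link": "2M",
     "tcp": [21, 22, 25, 53, 80, 110, 143, 443, 465, 587,
             993, 995, 1194, 1723, 3389, 5050, 5222, 8080, 8443, 9418],
     "udp": [53, 123, 500, 4500]},
    {"if": "dc0", "link": "2M", "tcp": [22, 80, 443], "udp": [53, 123]},
]

PUBLISHED = [                    # services redirected in from the internet
    {"link": "2M", "proto": "tcp", "port": "smtp", "to": "192.168.0.25"},
    {"link": "1M", "proto": "tcp", "port": "https", "to": "10.10.10.80"},
]


def portlist(ports):
    return "{ " + ", ".join(str(p) for p in ports) + " }"


def translation_rules():
    """nat and rdr; in pf before 4.7 these must precede every filter rule."""
    out = []
    for link, (ext, _gw) in LINKS.items():
        srcs = ", ".join(n["if"] + ":network" for n in NETWORKS if n["link"] == link)
        out.append(f"nat on {ext} from {{ {srcs} }} to any -> ({ext}) port 1024:65535")
    for s in PUBLISHED:
        ext, _gw = LINKS[s["link"]]
        out.append(f"rdr on {ext} inet proto {s['proto']} from any to ({ext}) port {s['port']} -> {s['to']}")
    return out


def outbound_rules():
    """One route-to rule per internal interface and protocol.  The state it
    creates matches the replies coming back in on the external interface, so
    no reply-to and no per-port pass out rule is needed."""
    out = []
    for n in NETWORKS:
        ext, gw = LINKS[n["link"]]
        base = f"pass in quick on {n['if']} route-to ({ext} {gw}) inet"
        if not n["tcp"] and not n["udp"]:
            out.append(f"{base} from {n['if']}:network to !{n['if']} keep state")
            continue
        for proto in ("tcp", "udp"):
            if n[proto]:
                out.append(f"{base} proto {proto} from {n['if']}:network "
                           f"to !{n['if']} port {portlist(n[proto])} keep state")
    return out


def inbound_rules():
    """pass in for each published service, filtered on the post-rdr address;
    reply-to only where the link is not the default route."""
    out = []
    for s in PUBLISHED:
        ext, gw = LINKS[s["link"]]
        reply = f" reply-to ({ext} {gw})" if s["link"] != DEFAULT_LINK else ""
        out.append(f"pass in quick on {ext}{reply} inet proto {s['proto']} "
                   f"from any to {s['to']} port {s['port']} keep state")
    return out


def filter_rules():
    return outbound_rules() + inbound_rules() + ["block log all"]


def ruleset():
    return "\n".join(translation_rules() + filter_rules())


if __name__ == "__main__":
    print(ruleset())
```

With the table above the output has two nat, two rdr, five route-to and two published-service rules before the final `block log all`, and the only `reply-to` is on the `pass in` for the service published on the 1M link. Adding a port to a network changes one list, not the rule count; feed the output to `pfctl -nf -` to syntax-check it.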

On 2 June 2011 10:31, Bruno Torres Viana btvi...@gmail.com wrote:

> [...]