Re: [FUG-BR] Firewall with pf on FreeBSD 7

2008-11-04 Posted by Willian Alves
Dude, here's the thing: ipfw is the default packet filter on FreeBSD. On the
command line run ipfw show and check the firewall rules; by default everything
comes blocked, and maybe that is why your routing is not working.
There's my two cents.


- Original Message - 
From: "Márcio Luciano Donada" <[EMAIL PROTECTED]>
To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)" 

Sent: Monday, November 03, 2008 6:07 PM
Subject: Re: [FUG-BR] Firewall with pf on FreeBSD 7


-
Histórico: http://www.fug.com.br/historico/html/freebsd/
Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd


Re: [FUG-BR] Firewall with pf on FreeBSD 7

2008-11-03 Posted by Márcio Luciano Donada
Ricardo Augusto de Souza wrote:
> FW2# cat rc.conf
>
> # -- sysinstall generated deltas -- # Fri Oct 31 08:57:07 2008
> # Created: Fri Oct 31 08:57:07 2008
> # Enable network daemons for user convenience.
> # Please make all changes to this file, not to /etc/defaults/rc.conf.
> # This file now contains just the overrides from /etc/defaults/rc.conf.
> kern_securelevel="1"
> kern_securelevel_enable="YES"
> pf_enable="YES"
> defaultrouter="189.xxx.xxx.xxx"
> gateway_enable="YES"
> hostname="FW2.CMT"
> ifconfig_bce0="inet 189.xxx.xxx.3  netmask 255.255.255.248"
> ifconfig_bce1="inet 10.10.100.252  netmask 255.255.0.0"
> inetd_enable="YES"
> keymap="br275.cp850"
> linux_enable="YES"
> sshd_enable="YES"
> FW2#
>
>   


> FW2# cat rc.local
> #alias
> ifconfig bce1 alias 10.100.1.4 netmask 255.255.255.192 up
> #rotas
> route add 10.100.0.0/24 10.100.1.1
> FW2#
>
>   

You can put all the interface aliases in rc.conf; see [1].
You said you recompiled your kernel, but your dmesg shows the GENERIC kernel:

FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC



[1].
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-virtual-hosts.html

Regards,



[FUG-BR] Firewall with pf on FreeBSD 7

2008-11-03 Posted by Ricardo Augusto de Souza

Hello,
I have been an OpenBSD user for many years.
I have always used it for firewalls.
I received a machine from another department of my company to use as a
firewall, but OpenBSD is not compatible with it (damned Adaptec controller).

To solve this problem, I decided to install FreeBSD on this machine, which is an
IBM x3550.

I enabled pf in rc.conf and recompiled the kernel so I can use ALTQ in the future.

I have already managed to share the Internet connection with my local network; the
problem is that I have not managed to route / allow access from the local network
to the 10.100.0.0 network (my MPLS network).
However, I cannot ping or reach the host 10.100.0.5 from the clients that are
using the FreeBSD box as their gateway.


Just for the record: I am finding FreeBSD quite a bit faster than OpenBSD.


The configuration files used follow below.

FW2# cat rc.conf

# -- sysinstall generated deltas -- # Fri Oct 31 08:57:07 2008
# Created: Fri Oct 31 08:57:07 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
kern_securelevel="1"
kern_securelevel_enable="YES"
pf_enable="YES"
defaultrouter="189.xxx.xxx.xxx"
gateway_enable="YES"
hostname="FW2.CMT"
ifconfig_bce0="inet 189.xxx.xxx.3  netmask 255.255.255.248"
ifconfig_bce1="inet 10.10.100.252  netmask 255.255.0.0"
inetd_enable="YES"
keymap="br275.cp850"
linux_enable="YES"
sshd_enable="YES"
FW2#

FW2# cat rc.local
#alias
ifconfig bce1 alias 10.100.1.4 netmask 255.255.255.192 up
#rotas
route add 10.100.0.0/24 10.100.1.1
FW2#

FW2# cat pf.conf
# variaveis
ext_if = "bce0"
int_if = "bce1"
cmt_lan = "10.10.0.0/24"
cmt_lan_ti = "10.10.20.0/24"
cmt_lan_callcenter = "10.10.60.0/24"
rede_mpls = "10.100.0.0/24"
tcp_out_ports = "{ 53, 80, 443 }"

# run time options
scrub in all

# nat
nat on $ext_if from $cmt_lan to any port $tcp_out_ports tag CMT_LAN -> ($ext_if)
nat on $ext_if from $cmt_lan_ti to any tag CMT_LAN_TI -> ($ext_if)
nat on $ext_if from $cmt_lan_callcenter port $tcp_out_ports to any \
tag CMT_LAN_CALLCENTER -> ($ext_if)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $cmt_lan_ti to any port 21 -> \
127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out proto tcp from any to any port 21
pass in on $int_if from any to any modulate state
pass out on $int_if from any to any modulate state
pass out on $ext_if from $ext_if to any modulate state
FW2#


FW2# ping 10.100.0.5
PING 10.100.0.5 (10.100.0.5): 56 data bytes
64 bytes from 10.100.0.5: icmp_seq=0 ttl=126 time=5.250 ms
64 bytes from 10.100.0.5: icmp_seq=1 ttl=126 time=8.325 ms
64 bytes from 10.100.0.5: icmp_seq=2 ttl=126 time=6.169 ms
64 bytes from 10.100.0.5: icmp_seq=3 ttl=126 time=8.943 ms
^C
--- 10.100.0.5 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 5.250/7.172/8.943/1.514 ms
#

FW2# nc -v 10.100.0.5 80
Connection to 10.100.0.5 80 port [tcp/http] succeeded!
^C
FW2#


FW2# cat sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.bsd.see_other_uids=0
net.inet.ip.check_interface=1 # verify packets arrive on the interface that owns their destination address
net.inet.ip.random_id=1
net.inet.ip.fastforwarding=1
net.inet.ip.process_options=0
net.inet.icmp.maskrepl=0
net.inet.tcp.blackhole=2  # silently drop TCP segments to closed ports instead of sending RST (does not affect ICMP)
net.inet.tcp.rfc3042=1 # Enhancing TCP's Loss Recovery Using Limited Transmit
net.inet.tcp.rfc3390=1 # Increasing TCP's Initial Window
net.inet.tcp.sack.enable=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.keepidle=30
net.inet.tcp.keepintvl=150
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.blackhole=1
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
kern.fallback_elf_brand=3
kern.polling.enable=1 # network interface polling instead of interrupt requests
kern.ipc.shm_use_phys=1 # kernel to lock shared memory into RAM
   # and prevent it from being paged out to swap
kern.ipc.maxsockbuf=2097152 # Buffers de socket para novas conexoes
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
vfs.vmiodirenable=1
FW2#


FW2# cat /root/dmesg.txt
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU
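Added by the editor, not part of the thread and not pf's own code: a small Python model of how pf would evaluate the pf.conf posted above, for the paths this thread is about. It assumes pf's documented semantics (translation rules are first-match, filter rules are last-match since no rule says quick, a packet matching no filter rule is passed, and port written after from limits the source port); it treats the ftp-proxy anchors as empty, ignores existing state, tag and modulate state, so only the first packet of a flow is modelled; and it uses 192.0.2.3 and 198.51.100.10 as placeholders for the masked 189.xxx.xxx.3 address and an Internet host. Under those assumptions it shows that LAN traffic to 10.100.0.5 is passed both in and out on bce1 with its 10.10.x.x source left untranslated (no nat rule covers bce1), so whether replies come back depends on 10.100.1.1 having a route back to those clients via 10.100.1.4, which the thread does not show; FW2's own ping would not expose that, since a packet routed via 10.100.1.1 is presumably sourced from the 10.100.1.4 alias on that subnet. It also shows two side effects of the posted nat rules as written: the callcenter rule only translates packets whose source port is 53, 80 or 443, and $cmt_lan traffic to any other destination port leaves bce0 untranslated because nothing blocks it.

```python
"""Editor's model of the posted pf.conf (illustration, not pf or the poster's code).

Assumptions: nat rules are first-match; filter rules are last-match (no 'quick');
no matching filter rule means pass; anchors are empty; state, 'tag' and
'modulate state' are ignored (first packet of a flow only); 'port' after 'from'
limits the SOURCE port. 192.0.2.3 stands in for the masked 189.xxx.xxx.3 on bce0.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
EXT_IF, INT_IF = "bce0", "bce1"
EXT_IF_ADDR = ipaddress.ip_network("192.0.2.3/32")      # placeholder address (assumption)
CMT_LAN = ipaddress.ip_network("10.10.0.0/24")
CMT_LAN_TI = ipaddress.ip_network("10.10.20.0/24")
CMT_LAN_CALLCENTER = ipaddress.ip_network("10.10.60.0/24")
TCP_OUT_PORTS = frozenset({53, 80, 443})


@dataclass
class Packet:
    direction: str          # "in" or "out", relative to iface
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    text: str
    action: str             # "nat" or "pass"
    direction: Optional[str] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[frozenset] = None
    dport: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        return ((self.direction in (None, p.direction))
                and (self.iface in (None, p.iface))
                and (self.proto in (None, p.proto))
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))


# nat rules exactly as posted; the third one constrains the source port, not the destination
NAT_RULES = [
    Rule("nat on $ext_if from $cmt_lan to any port $tcp_out_ports", "nat", "out", EXT_IF,
         src=CMT_LAN, dport=TCP_OUT_PORTS),
    Rule("nat on $ext_if from $cmt_lan_ti to any", "nat", "out", EXT_IF, src=CMT_LAN_TI),
    Rule("nat on $ext_if from $cmt_lan_callcenter port $tcp_out_ports to any", "nat", "out",
         EXT_IF, src=CMT_LAN_CALLCENTER, sport=TCP_OUT_PORTS),
]

# filter rules in posted order (the port-21 rdr and ftp-proxy anchors are left out)
FILTER_RULES = [
    Rule("pass out proto tcp from any to any port 21", "pass", "out", proto="tcp",
         dport=frozenset({21})),
    Rule("pass in on $int_if from any to any modulate state", "pass", "in", INT_IF),
    Rule("pass out on $int_if from any to any modulate state", "pass", "out", INT_IF),
    Rule("pass out on $ext_if from $ext_if to any modulate state", "pass", "out", EXT_IF,
         src=EXT_IF_ADDR),
]


def evaluate(p: Packet):
    """Return (decision, nat rule text or None, deciding filter rule text)."""
    nat = next((r.text for r in NAT_RULES if r.matches(p)), None)   # first match wins
    seen = Packet(**vars(p))
    if nat:                                      # filter rules see the translated source
        seen.src = str(EXT_IF_ADDR.network_address)
    decision, winner = "pass", "<no rule matched: pf passes by default>"
    for r in FILTER_RULES:                       # last match wins: no rule says 'quick'
        if r.matches(seen):
            decision, winner = r.action, r.text
    return decision, nat, winner


def trace_lan_to_mpls(client: str, server: str = "10.100.0.5", dport: int = 80):
    """A forwarded LAN->MPLS packet hits pf twice on bce1: 'in' from the client, then
    'out' again, because rc.local routes 10.100.0.0/24 via 10.100.1.1 on bce1's alias subnet."""
    flow = ("tcp", client, server, 40000, dport)
    return evaluate(Packet("in", INT_IF, *flow)), evaluate(Packet("out", INT_IF, *flow))


if __name__ == "__main__":
    probes = {   # constructed sample packets
        "LAN web via bce0":        Packet("out", EXT_IF, "tcp", "10.10.0.5", "198.51.100.10", 40000, 80),
        "LAN smtp via bce0":       Packet("out", EXT_IF, "tcp", "10.10.0.5", "198.51.100.10", 40000, 25),
        "callcenter web via bce0": Packet("out", EXT_IF, "tcp", "10.10.60.7", "198.51.100.10", 40000, 80),
    }
    for name, pkt in probes.items():
        print(f"{name:26} -> {evaluate(pkt)}")
    print("LAN -> 10.100.0.5 in/out on bce1:", trace_lan_to_mpls("10.10.0.5"))
```

The model only answers "which rule decides the first packet"; on the real box the equivalent checks are pfctl -sr and pfctl -sn for the loaded rules, pfctl -ss for the states actually created by a client's attempt, and tcpdump on bce1 to see whether replies from 10.100.0.5 ever arrive for a 10.10.x.x source.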