Re: [FUG-BR] pf and ipfw together.

2011-07-18, from Welkson Renny de Medeiros
Cabral Bandeira wrote:
 Hi, I'm using pf as the default firewall and ipfw for ACK bandwidth control. It turns out that with both enabled nothing browses, only ping works. If I run pfctl -F all, the internet works normally. How can I fix this?


Cabral,

I had a similar problem with pfSense.
I found out (by guessing, really) that you need to BRING DOWN pf (pfctl -d), enable ipfw and load its rules, and finally load pf again (pfctl -e).

See:
#!/bin/sh
# copy this into /usr/local/etc/rc.d/ and make it executable (chmod +x focus.sh)
# NOTE THAT IT IS NOT /etc/rc.d/

# remember to change sis0 to your local network card (LAN - check ifconfig)


echo "Disabling PF..."
pfctl -d

echo "Loading firewall"
kldload ipfw
kldload dummynet

echo "Flushing rules..."
ipfw -f flush
ipfw -f pipe flush
ipfw -f queue flush
ipfw -f table 1 flush

echo "Adding IPs to TABLE 1 - 300kbps limit"
ipfw -q table 1 add 192.168.0.249   # hr server (replication)

# if the user is in TABLE 1, jump to rule 600 (300kbps limit)
# table(1) is quoted so the shell does not try to parse the parentheses
ipfw add skipto 600 all from any to "table(1)"

echo "Applying bandwidth control for everyone else (500kbps) on interface sis0..."
ipfw add 500 pipe 11 ip from not me to 192.168.0.0/24 not src-port 5432,445,139,2,3389 out via sis0
ipfw pipe 11 config bw 500Kbit/s mask dst-ip 0x

echo "Applying dedicated bandwidth control for TABLE 1 (300kbps) on interface sis0..."
ipfw add 600 pipe 12 ip from not me to 192.168.0.0/24 not src-port 5432,445,139,2,3389 out via sis0
ipfw pipe 12 config bw 300Kbit/s mask dst-ip 0x

echo "Re-enabling PF..."
pfctl -e

-- 
Welkson Renny de Medeiros
Development / Network Management
Focus Automação Comercial
FreeBSD Community Member


-
Archive: http://www.fug.com.br/historico/html/freebsd/
Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd


[FUG-BR] pf and ipfw together.

2011-07-17, from Cabral Bandeira
Hi, I'm using pf as the default firewall and ipfw for ACK bandwidth control. It turns out that with both enabled nothing browses, only ping works. If I run pfctl -F all, the internet works normally. How can I fix this?

My use is as a desktop, with a MacBook and OS X Lion. There is no ALTQ support.

For ipfw I use http://intrarts.com/throttled.html

I learned pf in an hour :) I think I learned it, I believe.

But I'd like to know whether I need to improve anything. See below.

set block-policy drop
set optimization normal
set ruleset-optimization basic
set timeout interval 10
set timeout frag 30
set skip on lo0
set debug none
set limit frags 4096
set state-policy floating
set require-order yes

if = en1
scrub in all

# Drop malformed packets
scrub all reassemble tcp
scrub out all no-df max-mss 1492 random-id
antispoof for $if inet

#icmp_types=echoreq

block in
pass out

# loopback is good
pass in quick on lo0 all
pass out quick on lo0 all

antispoof quick for $if inet

# allow icmp
#pass in inet proto icmp all icmp-type $icmp_types 

block in on $if inet proto icmp from ! 192.168.1.5 to any icmp-type 8 code 0

# allow dns queries
pass out on $if proto udp from any to any port 53 

# pass http traffic
pass out on $if proto tcp from $if to any port 80 flags S/SA 

# pass ftp traffic
pass out on $if proto tcp from $if to any port { 21 , 20 } flags S/SA 

pass in quick inet proto { tcp, udp } from any to any port = 16000 
pass out quick inet proto { tcp, udp } from any to any port = 16000
pass in quick inet proto { tcp, udp } from any to any port = 16003 
pass out quick inet proto { tcp, udp } from any to any port = 16003
pass in quick inet proto { tcp, udp } from any to any port = 51413 
pass out quick inet proto { tcp, udp } from any to any port = 51413
pass in quick inet proto { tcp, udp } from any to any port = 38772 
pass out quick inet proto { tcp, udp } from any to any port = 38772

pass in quick inet proto udp from any to any port = 123 
pass out quick inet proto udp from any to any port = 123
pass in quick inet proto udp from any to any port = 192 
pass out quick inet proto udp from any to any port = 192
pass in quick inet proto tcp from any to any port = 443 
pass out quick inet proto tcp from any to any port = 443
pass in quick inet proto tcp from any to any port = 548 
pass out quick inet proto tcp from any to any port = 548
pass in quick inet proto udp from any to any port = 5353 
pass out quick inet proto udp from any to any port = 5353

# Enable spoofing protection on all interfaces
block in quick from urpf-failed

# block nmap scans
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
block drop in quick on $if from any os { NMAP } 

pass on lo0 all

-
Cabral Bandeira






Re: [FUG-BR] pf and ipfw together.

2011-07-17, from Rodrigo Mosconi
What are the ipfw rules?



Re: [FUG-BR] pf and ipfw together.

2011-07-17, from Rodrigo Mosconi
These are equivalent:

 set skip on lo0

 # loopback is good
 pass in quick on lo0 all
 pass out quick on lo0 all
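To make Rodrigo's point concrete, here is an added example (my own code, not from the thread or from pf itself): a small Python evaluator for the subset of pf syntax used in Cabral's ruleset, implementing pf's last-match-wins order, the `quick` short-circuit and `set skip`, and showing that `set skip on lo0` and `pass in/out quick on lo0 all` give the same verdict. The rule subset is constructed from the thread with $if expanded to en1; addresses, TCP flags and OS fingerprints are not modelled.

```python
import re

# Constructed subset of the pf ruleset posted in the thread ($if expanded to en1).
# Address, flag, OS-fingerprint and antispoof matching are deliberately not modelled.
BASE_RULES = """
block in
pass out
pass out on en1 proto udp from any to any port 53
pass out on en1 proto tcp from en1 to any port 80 flags S/SA
pass in quick inet proto { tcp, udp } from any to any port = 51413
pass in quick inet proto tcp from any to any port = 443
"""
LO0_SKIP = "set skip on lo0\n"                                       # Rodrigo's first form
LO0_PASS = "pass in quick on lo0 all\npass out quick on lo0 all\n"   # Rodrigo's second form

def parse_rule(line):
    """Parse the small pf subset above into a dict (None = wildcard)."""
    tokens = line.split()
    rule = {"action": tokens[0], "dir": tokens[1], "quick": "quick" in tokens,
            "iface": tokens[tokens.index("on") + 1] if "on" in tokens else None,
            "proto": None, "port": None}
    m = re.search(r"proto\s+(\{[^}]*\}|\S+)", line)
    if m:
        rule["proto"] = set(re.findall(r"[a-z]+", m.group(1)))   # handles { tcp, udp }
    m = re.search(r"port\s+=?\s*(\d+)", line)
    if m:
        rule["port"] = int(m.group(1))
    return rule

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and rule["port"] in (None, pkt["dport"]))

def evaluate(ruleset, pkt):
    """pf semantics: 'set skip' bypasses filtering on that interface; otherwise the
    LAST matching rule wins, unless a matching rule is 'quick', which ends evaluation."""
    lines = [l.strip() for l in ruleset.splitlines() if l.strip()]
    skipped = {l.split()[3] for l in lines if l.startswith("set skip on")}
    if pkt["iface"] in skipped:
        return "pass"
    decision = "pass"  # pf's implicit default when no rule matches at all
    for line in lines:
        if line.split()[0] not in ("pass", "block"):
            continue  # set/scrub/antispoof lines are not filter rules here
        rule = parse_rule(line)
        if matches(rule, pkt):
            decision = rule["action"]
            if rule["quick"]:
                break
    return decision

def pkt(direction, iface, proto, dport):
    return {"dir": direction, "iface": iface, "proto": proto, "dport": dport}
```

Note that with `block in` as the default, every `pass in quick ... from any` line in the ruleset exposes that port to any source, which the evaluator makes visible per packet.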


Re: [FUG-BR] pf and ipfw together.

2011-07-17, from Cabral Bandeira
 I read on the list Patrick commenting about pf. http://www.fug.com.br/historico/html/freebsd/2006-04/msg00588.html I could not filter IP lsrr, rr, etc.

Would it be good to use these 3 rules in ipfw?

ipfw add deny log tcp from any to any ipoptions ssrr,lsrr,rr
ipfw add deny log tcp from any to any tcpflags syn,fin
ipfw add deny log tcp from any to any tcpflags syn,rst




The rules I use are below.


/sbin/ipfw zero
/sbin/ipfw -f flush

INTERFACE=en1
MAXSPEED=51200
RULENUM=00100
/usr/local/sbin/throttled -s $MAXSPEED -r $RULENUM -d 17779 -w 100 -d 17778 -w 25 -d 1 -w 1 -T || exit
IP=any

# skip your internal network, these rules are for 192.168.x.x
/sbin/ipfw add $RULENUM skipto `expr $RULENUM + 1` ip from $IP to 192.168.0.0/16 out xmit $INTERFACE

#prioritize empty acks and setup
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any out xmit $INTERFACE tcpflags ack iplen 0-70
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any setup out xmit $INTERFACE

#prioritize icmp
/sbin/ipfw add $RULENUM divert 17779 icmp from any to any out xmit $INTERFACE

# these rules allow http/https/ssh/telnet/pop/irc/sirc
# to be prioritized by the throttle.
#
# Setting up the configuration this way catches more file transfer types
# and minimizes lag in response driven services.

#prioritize nameserver lookups
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 53 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17779 udp from $IP to any 53 out xmit $INTERFACE

#prioritize iTunes
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP 3689 to any out xmit $INTERFACE

# prioritize Skype
/sbin/ipfw add $RULENUM divert 17778 udp from $IP 16000 to any out xmit $INTERFACE

#prioritize imap
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 587 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 993 out xmit $INTERFACE

#prioritize Apple
/sbin/ipfw add $RULENUM divert 17778 udp from $IP to any 192 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 udp from $IP to any 5353 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 548 out xmit $INTERFACE

#prioritize http/https
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 80 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 443 out xmit $INTERFACE

#prioritize msn
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 1863 out xmit $INTERFACE

#prioritize irc
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 6667 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 6668 out xmit $INTERFACE

#prioritize torrent
/sbin/ipfw add $RULENUM divert 1 tcp from $IP to any 51413 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 1 udp from $IP to any 51413 out xmit $INTERFACE

#bind to throttle low priority services.
/sbin/ipfw add $RULENUM divert 1 ip from $IP to any out xmit $INTERFACE

-
Cabral Bandeira




On 17/07/2011, at 18:41, Rodrigo Mosconi wrote:

 What are the ipfw rules?
 