Re: [FUG-BR] pf and ipfw together.
Cabral Bandeira wrote:
> Hello, I am using pf as the default firewall and ipfw for ACK bandwidth control; it turns out that browsing does not work with both enabled, only ping works. If I run pfctl -F all the internet works normally. How do I solve this? My use is as a desktop, on a MacBook with OS X Lion. There is no ALTQ support. With ipfw I use http://intrarts.com/throttled.html
> I learned pf in an hour :) I think I learned it, I believe. But I would like to know whether I need to improve something. See below.
>
> set block-policy drop
> set optimization normal
> set ruleset-optimization basic
> set timeout interval 10
> set timeout frag 30
> set skip on lo0
> set debug none
> set limit frags 4096
> set state-policy floating
> set require-order yes
>
> if = en1
>
> scrub in all # drops malformed packets
> scrub all reassemble tcp
> scrub out all no-df max-mss 1492 random-id
>
> antispoof for $if inet
>
> #icmp_types=echoreq
>
> block in
> pass out
>
> # loopback is good
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> antispoof quick for $if inet
>
> # allow icmp
> #pass in inet proto icmp all icmp-type $icmp_types
> block in on $if inet proto icmp from ! 192.168.1.5 to any icmp-type 8 code 0
>
> # allow dns queries
> pass out on $if proto udp from any to any port 53
>
> # pass http traffic
> pass out on $if proto tcp from $if to any port 80 flags S/SA
>
> # pass ftp traffic
> pass out on $if proto tcp from $if to any port { 21 , 20 } flags S/SA
>
> pass in quick inet proto { tcp, udp } from any to any port = 16000
> pass out quick inet proto { tcp, udp } from any to any port = 16000
> pass in quick inet proto { tcp, udp } from any to any port = 16003
> pass out quick inet proto { tcp, udp } from any to any port = 16003
> pass in quick inet proto { tcp, udp } from any to any port = 51413
> pass out quick inet proto { tcp, udp } from any to any port = 51413
> pass in quick inet proto { tcp, udp } from any to any port = 38772
> pass out quick inet proto { tcp, udp } from any to any port = 38772
> pass in quick inet proto udp from any to any port = 123
> pass out quick inet proto udp from any to any port = 123
> pass in quick inet proto udp from any to any port = 192
> pass out quick inet proto udp from any to any port = 192
> pass in quick inet proto tcp from any to any port = 443
> pass out quick inet proto tcp from any to any port = 443
> pass in quick inet proto tcp from any to any port = 548
> pass out quick inet proto tcp from any to any port = 548
> pass in quick inet proto udp from any to any port = 5353
> pass out quick inet proto udp from any to any port = 5353
>
> # enables anti-spoofing protection for all interfaces
> block in quick from urpf-failed
>
> # block nmap scans
> block in quick proto tcp flags FUP/WEUAPRSF
> block in quick proto tcp flags WEUAPRSF/WEUAPRSF
> block in quick proto tcp flags SRAFU/WEUAPRSF
> block in quick proto tcp flags /WEUAPRSF
> block in quick proto tcp flags SR/SR
> block in quick proto tcp flags SF/SF
> block drop in quick on $if from any os { NMAP }
>
> pass on lo0 all
>
> - Cabral Bandeira

Cabra, I had a similar problem with pfSense.
I found out (by pure guesswork) that you need to BRING DOWN pf (pfctl -d), enable ipfw and load the rules, and finally load pf (pfctl -e). See:

#!/bin/sh
# copy to /usr/local/etc/rc.d/ and make it executable (chmod +x focus.sh)
# NOTE THAT IT IS NOT /etc/rc.d/
# remember to change SIS0 to your local network card (LAN - see ifconfig)

echo "Disabling PF..."
pfctl -d

echo "Loading firewall"
kldload ipfw
kldload dummynet

echo "Flushing rules..."
ipfw -f flush
ipfw -f pipe flush
ipfw -f queue flush
ipfw -f table 1 flush

echo "Registering IPs in TABLE 1 - 300kbps limit"
ipfw -q table 1 add 192.168.0.249 # hr server (replication)

# if the user is in TABLE 1, skip to rule 600 (300kbps limit)
ipfw add skipto 600 all from any to table(1)

echo "Applying bandwidth control for everyone else (500kbps) on interface sis0..."
ipfw add 500 pipe 11 ip from not me to 192.168.0.0/24 not src-port 5432,445,139,2,3389 out via sis0
ipfw pipe 11 config bw 500Kbit/s mask dst-ip 0x

echo "Applying bandwidth control exclusive to TABLE 1 (300kbps) on interface sis0..."
ipfw add 600 pipe 12 ip from not me to 192.168.0.0/24 not src-port 5432,445,139,2,3389 out via sis0
ipfw pipe 12 config bw 300Kbit/s mask dst-ip 0x

echo "Re-enabling PF..."
pfctl -e

--
Welkson Renny de Medeiros
Development / Network Management
Focus Automação Comercial
FreeBSD Community Member

- Archive: http://www.fug.com.br/historico/html/freebsd/
Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
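Welkson's fix is an ordering fix: pf off, ipfw rules loaded, pf back on. As an added example, not his focus.sh and not from the thread, the script below writes that same sequence so it can be rehearsed with DRY_RUN=1 before it touches a live machine, with the order verified by a function and pf's status checked after it is re-enabled. The kldload lines are left out because OS X Lion has ipfw and dummynet built in; on FreeBSD add them back. The interface en1, the 500Kbit/s pipe, the 192.168.0.0/24 network and the function names are assumptions; mask dst-ip 0xffffffff makes dummynet keep one queue per destination address, which is what a per-host limit needs.

```shell
#!/bin/sh
# Added example: pf-down / ipfw-load / pf-up, rehearsable with DRY_RUN=1.
# Assumed values (adjust): en1 as uplink, 192.168.0.0/24 as the LAN, 500Kbit/s pipe.
IFACE="${IFACE:-en1}"
LAN="${LAN:-192.168.0.0/24}"
PIPE_BW="${PIPE_BW:-500Kbit/s}"

# DRY_RUN=1 prints each command on its own line instead of executing it,
# so the resulting trace can be inspected (and checked) before a real run.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Shaping rules kept in one place so the order is reviewable. The explicit
# 0xffffffff mask gives every destination host its own dummynet queue;
# the final allow keeps ipfw from dropping anything pf should decide on.
load_ipfw_rules() {
    run ipfw -f flush
    run ipfw -f pipe flush
    run ipfw pipe 11 config bw "$PIPE_BW" mask dst-ip 0xffffffff
    run ipfw add 500 pipe 11 ip from not me to "$LAN" out via "$IFACE"
    run ipfw add 65000 allow ip from any to any
}

# pf reports "Status: Enabled ..." in `pfctl -s info` once pfctl -e took effect.
verify_pf_enabled() {
    pfctl -s info 2>/dev/null | grep -q 'Status: Enabled'
}

# The sequence that made both firewalls coexist in the thread.
apply_shaping() {
    run pfctl -d
    load_ipfw_rules
    run pfctl -e
    [ "${DRY_RUN:-0}" = "1" ] || verify_pf_enabled
}

# Returns 0 when a dry-run trace starts by disabling pf and ends by enabling it,
# i.e. no ipfw command is issued while pf is still up.
check_order() {
    trace=$(DRY_RUN=1; apply_shaping)
    first=$(printf '%s\n' "$trace" | head -n 1)
    last=$(printf '%s\n' "$trace" | tail -n 1)
    [ "$first" = "pfctl -d" ] && [ "$last" = "pfctl -e" ]
}

# RUN_NOW=1 actually applies (as root); DRY_RUN=1 RUN_NOW=1 only prints the trace.
if [ "${RUN_NOW:-0}" = "1" ]; then
    check_order || { echo "refusing to run: wrong pf/ipfw order" >&2; exit 1; }
    apply_shaping
fi
```

Run it as DRY_RUN=1 RUN_NOW=1 sh shaping.sh first and read the trace; only the ipfw lines sit between pfctl -d and pfctl -e, which is the property Welkson found by trial and error.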
[FUG-BR] pf and ipfw together.
Hello, I am using pf as the default firewall and ipfw for ACK bandwidth control; it turns out that browsing does not work with both enabled, only ping works. If I run pfctl -F all the internet works normally. How do I solve this? My use is as a desktop, on a MacBook with OS X Lion. There is no ALTQ support. With ipfw I use http://intrarts.com/throttled.html

I learned pf in an hour :) I think I learned it, I believe. But I would like to know whether I need to improve something. See below.

set block-policy drop
set optimization normal
set ruleset-optimization basic
set timeout interval 10
set timeout frag 30
set skip on lo0
set debug none
set limit frags 4096
set state-policy floating
set require-order yes

if = en1

scrub in all # drops malformed packets
scrub all reassemble tcp
scrub out all no-df max-mss 1492 random-id

antispoof for $if inet

#icmp_types=echoreq

block in
pass out

# loopback is good
pass in quick on lo0 all
pass out quick on lo0 all

antispoof quick for $if inet

# allow icmp
#pass in inet proto icmp all icmp-type $icmp_types
block in on $if inet proto icmp from ! 192.168.1.5 to any icmp-type 8 code 0

# allow dns queries
pass out on $if proto udp from any to any port 53

# pass http traffic
pass out on $if proto tcp from $if to any port 80 flags S/SA

# pass ftp traffic
pass out on $if proto tcp from $if to any port { 21 , 20 } flags S/SA

pass in quick inet proto { tcp, udp } from any to any port = 16000
pass out quick inet proto { tcp, udp } from any to any port = 16000
pass in quick inet proto { tcp, udp } from any to any port = 16003
pass out quick inet proto { tcp, udp } from any to any port = 16003
pass in quick inet proto { tcp, udp } from any to any port = 51413
pass out quick inet proto { tcp, udp } from any to any port = 51413
pass in quick inet proto { tcp, udp } from any to any port = 38772
pass out quick inet proto { tcp, udp } from any to any port = 38772
pass in quick inet proto udp from any to any port = 123
pass out quick inet proto udp from any to any port = 123
pass in quick inet proto udp from any to any port = 192
pass out quick inet proto udp from any to any port = 192
pass in quick inet proto tcp from any to any port = 443
pass out quick inet proto tcp from any to any port = 443
pass in quick inet proto tcp from any to any port = 548
pass out quick inet proto tcp from any to any port = 548
pass in quick inet proto udp from any to any port = 5353
pass out quick inet proto udp from any to any port = 5353

# enables anti-spoofing protection for all interfaces
block in quick from urpf-failed

# block nmap scans
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
block drop in quick on $if from any os { NMAP }

pass on lo0 all

- Cabral Bandeira
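Cabral asks whether the ruleset needs improving. Its widest opening is the block of "pass in quick ... from any to any port = N" lines: each application port is accepted inbound from any address on every interface, although pf pass rules keep state, so replies to what the laptop itself starts come back without those holes. As an added example, not Cabral's ruleset and not from the thread, the script below emits the shape a reviewer would suggest for a single laptop: default deny inbound on the uplink, state on everything outbound, and unsolicited inbound only from the LAN to the services deliberately exposed. The interface en1 comes from the post; the LAN 192.168.1.0/24, the choice to expose only AFP (548) and mDNS (5353), and the helper names are assumptions to adjust.

```shell
#!/bin/sh
# Added example: generate a tightened pf.conf for one laptop and check it.
# Assumptions (adjust): en1 is the uplink, 192.168.1.0/24 is the home LAN,
# and only AFP (tcp 548) and mDNS (udp 5353) must be reachable from the LAN.
EXT_IF="${EXT_IF:-en1}"
LAN="${LAN:-192.168.1.0/24}"

# Prints the ruleset. Shell variables are expanded here; pf macros are written
# as \$name so pf sees them, not the shell.
gen_pf_conf() {
cat <<EOF
# written by gen_pf_conf (added example, not the ruleset from the thread)
ext_if = "$EXT_IF"
lan = "$LAN"
lan_tcp = "{ 548 }"    # AFP, exposed to the LAN on purpose
lan_udp = "{ 5353 }"   # mDNS/Bonjour

set block-policy drop
set skip on lo0
scrub in all

# default deny inbound on the uplink; log drops so they can be read on pflog0
block in log on \$ext_if
antispoof quick for \$ext_if inet

# everything the laptop starts is state-tracked, so DNS, HTTP, NTP and the
# rest return on their own without "pass in from any to any port" holes
pass out quick on \$ext_if inet keep state

# unsolicited inbound: only from the LAN, only to the services listed above
pass in quick on \$ext_if inet proto tcp from \$lan to (\$ext_if) port \$lan_tcp flags S/SA keep state
pass in quick on \$ext_if inet proto udp from \$lan to any port \$lan_udp keep state
pass in quick on \$ext_if inet proto icmp from \$lan to (\$ext_if) icmp-type echoreq
EOF
}

# Parse-only check with pfctl where it exists (OS X, FreeBSD); elsewhere just
# confirm the generator runs, so the script is usable on any box.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        gen_pf_conf | pfctl -nf -
    else
        gen_pf_conf >/dev/null
    fi
}

# Review helpers: number of inbound pass rules, and whether any of them is the
# blanket "from any to any" shape that the posted ruleset uses.
count_pass_in() { gen_pf_conf | grep -c '^pass in'; }
has_blanket_pass_in() { gen_pf_conf | grep -q '^pass in .*from any to any'; }

# PRINT_CONF=1 writes the ruleset to stdout, e.g. for redirecting into /etc/pf.conf.
if [ "${PRINT_CONF:-0}" = "1" ]; then
    check_pf_conf && gen_pf_conf
fi
```

Compared with the posted ruleset this has three inbound pass rules instead of nine, none of them from any address; ports that only ever carry traffic the laptop initiates (53, 80, 123, 443, 16000 and the rest) need no inbound rule at all. A service that does need unsolicited peers, such as the torrent client on 51413, gets its own line scoped to an interface and, where possible, a source network.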
Re: [FUG-BR] pf and ipfw together.
What are the ipfw rules?
Re: [FUG-BR] pf and ipfw together.
These are equivalent:

set skip on lo0

# loopback is good
pass in quick on lo0 all
pass out quick on lo0 all
Re: [FUG-BR] pf and ipfw together.
I read on the list Patrick's comments about pf. http://www.fug.com.br/historico/html/freebsd/2006-04/msg00588.html I could not filter lsrr, rr, etc. IP options. Would it be good to use these 3 rules in ipfw?

ipfw add deny log tcp from any to any ipoptions ssrr,lsrr,rr
ipfw add deny log tcp from any to any tcpflags syn,fin
ipfw add deny log tcp from any to any tcpflags syn,rst

The rules I use are below.

/sbin/ipfw zero
/sbin/ipfw -f flush

INTERFACE=en1
MAXSPEED=51200
RULENUM=00100

/usr/local/sbin/throttled -s $MAXSPEED -r $RULENUM -d 17779 -w 100 -d 17778 -w 25 -d 1 -w 1 -T || exit

IP=any

# skip your internal network, these rules are for 192.168.x.x
/sbin/ipfw add $RULENUM skipto `expr $RULENUM + 1` ip from $IP to 192.168.0.0/16 out xmit $INTERFACE

#prioritize empty acks and setup
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any out xmit $INTERFACE tcpflags ack iplen 0-70
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any setup out xmit $INTERFACE

#prioritize icmp
/sbin/ipfw add $RULENUM divert 17779 icmp from any to any out xmit $INTERFACE

# these rules allow http/https/ssh/telnet/pop/irc/sirc
# to be prioritized by the throttle.
#
# Setting up the configuration this way catches more file transfer types
# and minimizes lag in response driven services.

#prioritize nameserver lookups
/sbin/ipfw add $RULENUM divert 17779 tcp from $IP to any 53 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17779 udp from $IP to any 53 out xmit $INTERFACE

#prioritize iTunes
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP 3689 to any out xmit $INTERFACE

# prioritize Skype
/sbin/ipfw add $RULENUM divert 17778 udp from $IP 16000 to any out xmit $INTERFACE

#prioritize imap
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 587 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 993 out xmit $INTERFACE

#prioritize Apple
/sbin/ipfw add $RULENUM divert 17778 udp from $IP to any 192 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 udp from $IP to any 5353 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 548 out xmit $INTERFACE

#prioritize http/https
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 80 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 443 out xmit $INTERFACE

#prioritize msn
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 1863 out xmit $INTERFACE

#prioritize irc
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 6667 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 17778 tcp from $IP to any 6668 out xmit $INTERFACE

#prioritize torrent
/sbin/ipfw add $RULENUM divert 1 tcp from $IP to any 51413 out xmit $INTERFACE
/sbin/ipfw add $RULENUM divert 1 udp from $IP to any 51413 out xmit $INTERFACE

#bind to throttle low priority services.
/sbin/ipfw add $RULENUM divert 1 ip from $IP to any out xmit $INTERFACE

- Cabral Bandeira

On 17/07/2011, at 18:41, Rodrigo Mosconi wrote:
> What are the ipfw rules?