[OpenBSD-BR] basic router firewall
Cleyton Bertolim
cbertolim at gmail.com
Wed Aug 1 09:11:39 BRT 2007
Hi Luiz!!!
Welcome to the world of OpenBSD and PF!!!!!
Look, the first thing I advise you to do is read this link:
http://openbsd.das.ufsc.br/faq/pf/pt/index.html, because there you
will find a lot about PF and how to configure it.
I am also sending you an example of PF usage that I have running
here, also with two internet links.
### START OF FILE ######
############################################################
### Macros #################################################
############################################################
internal = "vr0"
wts_vpn = "rl0"
external = "rl1"
mpd = "ng0"
local_net = "192.168.247.0/24"
ip_fw_internal = "192.168.247.254"
ip_fw_external = "10.1.1.2"
ip_fw_wts_vpn = "201.x.x.10"
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, \
172.16.0.0/12, 0.0.0.0/8, 169.254.0.0/16, \
192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, \
255.255.255.255/32 }"
table <caixa_ips> { 200.201.173.68 200.201.173.68/32 \
200.201.166.200 200.201.166.200/32 200.201.174.207 \
200.201.174.207/32 200.252.47.0/24 200.201.160.0/20 \
200.201.0.0/16 200.165.60.137/32 200.242.61.4 \
200.201.173.0/32 }
#--- Filtering statistics log --------------------------####
set block-policy drop
set loginterface $external
set loginterface $wts_vpn
set state-policy if-bound
#--- Do not filter on the loopback and NG0 interfaces --####
set skip on lo0
set skip on $mpd
#--- scrub incoming packets ----------------------------####
scrub on { $external $internal $wts_vpn } all reassemble tcp
############################################################
### NAT of the internal IP addresses in the range ###
### 192.168.247.0/24 to the routable/valid IP address ###
### of interface rl0 ###
############################################################
nat pass on $external from $local_net to any -> $external
nat pass on $wts_vpn from $local_net to any -> $wts_vpn
############################################################
### Transparent proxy ######################################
############################################################
rdr pass on $internal inet proto tcp from $local_net to any port 3389 -> $ip_fw_wts_vpn
rdr pass on $internal inet proto tcp from $local_net to !<caixa_ips> port 80 -> $ip_fw_internal port 3128
############################################################
### Packet filtering #######################################
############################################################
block all
antispoof quick for { $internal $external $wts_vpn } inet
#--- Loopback @ 127.0.0.1/8 ----------------------------####
pass out quick on lo0 all
pass in quick on lo0 all
#--- NG0 @ 192.168.247.1/24 ----------------------------####
pass out quick on $mpd all modulate state
pass in quick on $mpd all modulate state
#--- Local network @ 192.168.247.254/24 ----------------####
pass out quick on $internal all modulate state
pass in quick on $internal all modulate state
pass in quick on $internal inet proto icmp all modulate state
#--- Link BrT/WTS_VPN @ 201.x.x.10/29 ----------------####
block drop out log quick on $wts_vpn from any to $nonroutable
pass out quick on $wts_vpn from any to any modulate state
pass in log quick on $wts_vpn inet proto tcp from 201.x.x.154 to $ip_fw_wts_vpn port 1723 flags S/SA synproxy state
pass in log quick on $wts_vpn inet proto tcp from any to $ip_fw_wts_vpn port 50000 flags S/SA synproxy state
block drop in log quick on $wts_vpn inet proto tcp from any to any flags FUP/FUP
block drop in log quick on $wts_vpn inet proto tcp from any to any flags SF/SFRA
block drop in log quick on $wts_vpn inet proto tcp from any to any flags /SFRA
block drop in quick on $wts_vpn proto tcp from any to any port = 113
block drop in log quick on $wts_vpn inet proto icmp from any to any icmp-type redir
block drop in log quick on $wts_vpn from $nonroutable to any
block drop in log quick on $wts_vpn all
block return
#--- Link BrT/ADSL @ 10.1.1.2/8 -------------------------####
block drop out log quick on $external from any to $nonroutable
pass out quick on $external from any to any modulate state
pass in log quick on $external inet proto tcp from any to $ip_fw_external port 50000 flags S/SA synproxy state
block drop in log quick on $external inet proto tcp from any to any flags FUP/FUP
block drop in log quick on $external inet proto tcp from any to any flags SF/SFRA
block drop in log quick on $external inet proto tcp from any to any flags /SFRA
block drop in quick on $external proto tcp from any to any port = 113
block drop in log quick on $external inet proto icmp from any to any icmp-type redir
block drop in log quick on $external from $nonroutable to any
block drop in log quick on $external all
block return
###### END OF FILE ###########
Hope it helps!!!!
Cleyton Bertolim.
On 31/07/07, Luiz Noal <luiznoal.openbsd at gmail.com> wrote:
> hello list
> I am new to OpenBSD and would like to understand, maintain and modify a small
> firewall/router that I inherited.
> I have one internet link, a MAN, a DMZ, a LAN and a transparent proxy.
>
> I would like to add a second internet link, balance the traffic going out
> to the internet (if possible make one link take over when the other goes
> down, only for traffic going out to the internet), and allow one or another
> machine with specific services occasionally run on a high port to keep
> their return connections.
>
> here is a sketch of what the pf.conf would be, which is not yet in production
> purely for lack of knowledge:
> thanks in advance.
>
> ########################################################
> # interconnected networks
> # lan = 10.20.30.0/24
> # man = 10.0.0.0/8
> # dmz = 10.1.1.0/29
> #
> # adsl and satellite gateways
> # gw adsl = 192.168.1.1
> # gw sat = 192.168.2.1
> #
> # interface IPs
> # rl0 = man 10.0.0.3
> # rl1 = adsl 192.168.1.3
> # rl2 = lan 10.20.30.3
> # rl3 = sat 192.168.2.3
> # rl4 = dmz 10.1.1.3
>
> ########################################################
> # Packet normalization
> scrub all
>
> ########################################################
> # Masquerading outbound traffic from the lan to the internet and man
> nat on rl0 from 10.20.30.0/24 to any -> rl0
> nat on rl1 from 10.20.30.0/24 to any -> rl1
> nat on rl3 from 10.20.30.0/24 to any -> rl3
>
> #######################################################
> # Masquerading outbound traffic from the dmz to the internet and man
> nat on rl0 from 10.1.1.0/29 to any -> rl0
> nat on rl1 from 10.1.1.0/29 to any -> rl1
> nat on rl3 from 10.1.1.0/29 to any -> rl3
>
> ########################################################
> # Redirecting inbound traffic from the internet to the dmz
> rdr on rl1 proto tcp from any to 192.168.1.3 port 80 -> 10.1.1.1
>
> ########################################################
> # Redirecting inbound traffic from the man to the dmz
> rdr on rl0 proto tcp from any to 10.0.0.3 port 80 -> 10.1.1.1
>
> ########################################################
> # Redirecting www traffic leaving the lan to the proxy
> rdr on rl2 proto tcp from 10.20.30.0/24 to !10.0.0.0/8 port 80 -> 127.0.0.1 port 3128
>
> ########################################################
> # Balancing outbound internet traffic (route-to pools take an interface
> # name plus the gateway address, not the interface's own IP)
> pass in on rl2 route-to { (rl1 192.168.1.1), (rl3 192.168.2.1) } round-robin from 10.20.30.0/24 to !10.0.0.0/8 keep state
>
> ########################################################
> # Outbound routing via the satellite and adsl gateway interfaces
> pass out on rl1 route-to (rl3 192.168.2.1) from rl3 to any
> pass out on rl3 route-to (rl1 192.168.1.1) from rl1 to any
>
> ########################################################
> # ruindows doesn't browse
> block in quick on rl2 from any os "Windows .NET"
> block in quick on rl2 from any os "Windows 2003"
> block in quick on rl2 from any os "Windows 2000"
> block in quick on rl2 from any os "Windows XP"
> block in quick on rl2 from any os "Windows NT"
> block in quick on rl2 from any os "Windows ME"
> block in quick on rl2 from any os "Windows CE"
> block in quick on rl2 from any os "Windows 98"
> block in quick on rl2 from any os "Windows 95"
> block in quick on rl2 from any os "Windows 3.11"
>
> ########################################################
> pass all
>
> ######## eof ###########################################
>
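Both rulesets in this thread depend on how PF picks the winning rule: every rule is evaluated in order and the last match wins, unless a matching rule says quick, which stops evaluation immediately. That is why Cleyton's per-interface blocks all carry quick, and it is also why the route-to rule in Luiz's draft never takes effect: the trailing pass all matches the same LAN-to-internet packets, is evaluated later, and has no route-to, so those packets leave via the default route rather than round-robin between the two gateways. The following Python model is an added example written for this page, not code from either poster or from OpenBSD; it reduces a handful of rules from both configurations to a direction/interface/protocol/address/port match and reports the winning rule. Addresses are constructed stand-ins (198.51.100.10 replaces the masked 201.x.x.10, 203.0.113.9 is "a host on the internet"), and state tracking, TCP flags, synproxy, OS fingerprinting and tables are deliberately not modelled.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed placeholder addresses (documentation ranges), not the posters' real ones.
WTS_VPN_IP = "198.51.100.10"      # stands in for the masked 201.x.x.10
INTERNET_HOST = "203.0.113.9"     # an arbitrary host "on the internet"

# The $nonroutable macro from Cleyton's pf.conf, verbatim.
NONROUTABLE = ("192.168.0.0/16", "127.0.0.0/8", "172.16.0.0/12", "0.0.0.0/8",
               "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23",
               "224.0.0.0/3", "255.255.255.255/32")


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    iface: str
    proto: str                # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    label: str                        # human-readable name used in the report
    direction: Optional[str] = None   # None matches both directions
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[Tuple[str, ...]] = None   # None = "any"
    src_negate: bool = False                # the "!" in "from !<table>"
    dst: Optional[Tuple[str, ...]] = None
    dst_negate: bool = False
    dport: Optional[int] = None
    quick: bool = False
    route_to: Optional[str] = None    # free-text description of the route-to pool


def addr_match(addr: str, nets: Optional[Tuple[str, ...]], negate: bool) -> bool:
    """True if addr is covered by nets (or nets is 'any'); a leading '!' inverts."""
    if nets is None:
        return True
    hit = any(ip_address(addr) in ip_network(n, strict=False) for n in nets)
    return hit != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and addr_match(pkt.src, rule.src, rule.src_negate)
            and addr_match(pkt.dst, rule.dst, rule.dst_negate)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt: Packet) -> Optional[Rule]:
    """PF semantics: walk every rule; the last match wins unless a match is quick."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


# Cleyton's $wts_vpn (rl0) rules, reduced to what the model understands.
CLEYTON = [
    Rule("block", "block all"),
    Rule("block", "block out to nonroutable", "out", "rl0", dst=NONROUTABLE, quick=True),
    Rule("pass", "pass out", "out", "rl0", quick=True),
    Rule("pass", "pass in tcp port 50000", "in", "rl0", "tcp",
         dst=(WTS_VPN_IP + "/32",), dport=50000, quick=True),
    Rule("block", "block in tcp port 113", "in", "rl0", "tcp", dport=113, quick=True),
    Rule("block", "block in from nonroutable", "in", "rl0", src=NONROUTABLE, quick=True),
    Rule("block", "block in all", "in", "rl0", quick=True),
    Rule("block", "block return"),
]

# Luiz's draft, reduced the same way (the os-fingerprint blocks are omitted).
LUIZ = [
    Rule("pass", "pass in on rl2 route-to round-robin", "in", "rl2",
         src=("10.20.30.0/24",), dst=("10.0.0.0/8",), dst_negate=True,
         route_to="round-robin adsl/sat"),
    Rule("pass", "pass all"),
]


def make_quick(rules, label: str):
    """Return a copy of rules with the named rule marked quick."""
    return [replace(r, quick=True) if r.label == label else r for r in rules]


def decision(rules, pkt: Packet) -> Tuple[str, str, Optional[str]]:
    """(action, winning rule label, route-to) for one packet; PF passes if nothing matched."""
    w = evaluate(rules, pkt)
    if w is None:
        return ("pass", "<default pass>", None)
    return (w.action, w.label, w.route_to)


if __name__ == "__main__":
    lan_to_net = Packet("in", "rl2", "tcp", "10.20.30.7", INTERNET_HOST, 443)
    print("draft:", decision(LUIZ, lan_to_net))
    print("fixed:", decision(make_quick(LUIZ, "pass in on rl2 route-to round-robin"), lan_to_net))
    print("wts 50000:", decision(CLEYTON, Packet("in", "rl0", "tcp", INTERNET_HOST, WTS_VPN_IP, 50000)))
```

Running the draft ruleset against a LAN packet bound for the internet reports pass all as the winner with no route-to; marking the route-to rule quick (or dropping the catch-all pass) makes the round-robin rule win. pfctl -nf only checks syntax and will not flag this kind of ordering mistake, so a quick walk-through like this, or pfctl -vvsr with per-rule counters once the rules are loaded, is the check worth doing before a second link goes into production.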