[OpenBSD-BR] basic router firewall

Luiz Noal luiznoal.openbsd em gmail.com
Tue Jul 31 21:58:32 BRT 2007


Hello list,

I am new to OpenBSD and would like to understand, maintain and modify a small
firewall/router that I inherited.
I have one internet link, a MAN, a DMZ, a LAN and a transparent proxy.

I would like to add a second internet link, balance the traffic going out to
the internet (if possible, have one link take over when the other goes down,
only for what goes out to the internet), and allow one or two machines with
specific services that are occasionally run on a high port to keep their
return connections.

Here is a draft of what the pf.conf would be; it is not yet in production
purely for lack of knowledge.
Thanks in advance.

########################################################
# interconnected networks
# lan = 10.20.30.0/24
# man = 10.0.0.0/8
# dmz = 10.1.1.0/29
#
# adsl and satellite gateways
# gw adsl = 192.168.1.1
# gw sat  = 192.168.2.1
#
# interface addresses
# rl0 = man 10.0.0.3
# rl1 = adsl 192.168.1.3
# rl2 = lan 10.20.30.3
# rl3 = sat 192.168.2.3
# rl4 = dmz 10.1.1.3

########################################################
# Packet normalization
scrub all

########################################################
# Default policy: pass everything. Placed first because in pf the last
# matching rule wins; left at the end it would override the route-to
# rules below for the very traffic they are meant to balance.
pass all

########################################################
# Masquerading outbound traffic from the lan to the internet and the man
nat on rl0 from 10.20.30.0/24 to any -> rl0
nat on rl1 from 10.20.30.0/24 to any -> rl1
nat on rl3 from 10.20.30.0/24 to any -> rl3

#######################################################
# Masquerading outbound traffic from the dmz to the internet and the man
nat on rl0 from 10.1.1.0/29 to any -> rl0
nat on rl1 from 10.1.1.0/29 to any -> rl1
nat on rl3 from 10.1.1.0/29 to any -> rl3

########################################################
# Redirecting inbound traffic from the internet to the dmz
rdr on rl1 proto tcp from any to 192.168.1.3 port 80 -> 10.1.1.1

########################################################
# Redirecting inbound traffic from the man to the dmz
rdr on rl0 proto tcp from any to 10.0.0.3 port 80 -> 10.1.1.1

########################################################
# Redirecting outbound www traffic from the lan to the proxy
rdr on rl2 proto tcp from 10.20.30.0/24 to !10.0.0.0/8 port 80 -> 127.0.0.1 port 3128

########################################################
# Balancing outbound traffic to the internet
pass in on rl2 route-to { (rl1 192.168.1.1), (rl3 192.168.2.1) } round-robin \
    from 10.20.30.0/24 to !10.0.0.0/8 keep state

########################################################
# Outbound routing via the satellite and adsl gateway interfaces:
# a packet with one link's address that the routing table would send
# out the other interface is pushed back to the matching gateway
pass out on rl1 route-to (rl3 192.168.2.1) from rl3 to any
pass out on rl3 route-to (rl1 192.168.1.1) from rl1 to any

########################################################
# ruindows doesn't get to browse
block in quick on rl2 from any os "Windows .NET"
block in quick on rl2 from any os "Windows 2003"
block in quick on rl2 from any os "Windows 2000"
block in quick on rl2 from any os "Windows XP"
block in quick on rl2 from any os "Windows NT"
block in quick on rl2 from any os "Windows ME"
block in quick on rl2 from any os "Windows CE"
block in quick on rl2 from any os "Windows 98"
block in quick on rl2 from any os "Windows 95"
block in quick on rl2 from any os "Windows 3.11"

######## eof ###########################################
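The multi-WAN pattern the post is asking about, as an added example that is not the poster's configuration: balancing new outbound LAN connections over both links with route-to, and pinning return traffic for inbound connections to the link they arrived on with reply-to. It uses the pre-4.7 nat/rdr syntax of the OpenBSD release current at the time and the interfaces, networks and gateways listed in the post; the macro names are mine, and the web server address 10.1.1.1 is taken from the post's rdr rules.

```pf
# Added example (not the original post's pf.conf). Macro names are assumed;
# interfaces, networks, gateways and the web server address come from the post.
man_if  = "rl0"
adsl_if = "rl1"
lan_if  = "rl2"
sat_if  = "rl3"
dmz_if  = "rl4"
adsl_gw = "192.168.1.1"
sat_gw  = "192.168.2.1"
lan_net = "10.20.30.0/24"
dmz_net = "10.1.1.0/29"
man_net = "10.0.0.0/8"
web_srv = "10.1.1.1"

scrub in all

# NAT on whichever link the packet actually leaves by. "($adsl_if)" reads
# the interface address at run time, so an address change needs no reload.
nat on $man_if  from { $lan_net, $dmz_net } to any -> ($man_if)
nat on $adsl_if from { $lan_net, $dmz_net } to any -> ($adsl_if)
nat on $sat_if  from { $lan_net, $dmz_net } to any -> ($sat_if)

# The DMZ web server is reachable through both links and from the MAN.
rdr on $man_if  proto tcp from any to ($man_if)  port 80 -> $web_srv
rdr on $adsl_if proto tcp from any to ($adsl_if) port 80 -> $web_srv
rdr on $sat_if  proto tcp from any to ($sat_if)  port 80 -> $web_srv

# Transparent proxy for LAN web traffic that is not bound for the MAN.
rdr on $lan_if proto tcp from $lan_net to !$man_net port 80 -> 127.0.0.1 port 3128

# pf's last matching rule wins, so the generic pass goes first and the
# more specific route-to / reply-to rules below override it.
pass all

# Replies to a connection that arrived on one link must leave through that
# link's gateway, not through the kernel's default route. Without reply-to,
# a request arriving on the satellite link would be answered via ADSL and
# the client would never see the reply. The same pattern, with the service
# port in place of 80, covers a host that occasionally serves on a high port.
pass in on $adsl_if reply-to ($adsl_if $adsl_gw) proto tcp \
    from any to $web_srv port 80 flags S/SA keep state
pass in on $sat_if  reply-to ($sat_if  $sat_gw)  proto tcp \
    from any to $web_srv port 80 flags S/SA keep state

# Balance new outbound LAN connections across both links. Traffic to 10/8
# (the MAN, which also contains the DMZ) keeps the normal routing table.
pass in on $lan_if route-to { ($adsl_if $adsl_gw), ($sat_if $sat_gw) } round-robin \
    from $lan_net to !$man_net keep state

# A packet pf assigned to one link, but that the routing table would send
# out the other interface, is pushed back to the right gateway.
pass out on $adsl_if route-to ($sat_if $sat_gw)   from $sat_if  to any
pass out on $sat_if  route-to ($adsl_if $adsl_gw) from $adsl_if to any
```

Two caveats for anyone adapting this. First, round-robin spreads connections, not packets, and a host whose consecutive connections land on different links will present two different public addresses to the same remote service; if that breaks a session-bound service, balance only the protocols that tolerate it. Second, pf itself does not notice a dead gateway: a route-to pool keeps handing connections to an unreachable link until the rules are reloaded, so the takeover the post asks for needs something outside pf (a monitoring script or ifstated, which ships with OpenBSD) that checks each gateway and reloads a ruleset with only the live link in the pool.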