[OpenBSD-BR] pf.conf - help please - urgent

Fabio Sbano fsbano at gmail.com
Friday June 8 14:40:20 BRT 2007


Iran,

 What are you trying to do?... Could you tell me exactly what you want
to do... allow from where to where?

source -> destination

On 6/8/07, Iran Lima <openbsd.iran at gmail.com> wrote:
>
>
> Dear OpenBSD friends, I need help with PF.CONF; I'm not very good at
> pf.conf yet, but with your help I'm sure I'll get there.
>
> Well, on to the problem: I have a Pentium 3 machine with 128MB of RAM and a
> 20GB HD; I installed plain OpenBSD 4.0, then squid 2.6 stable 12, all OK.
> Now I need to allow Outlook Express and IncrediMail on my internal network,
> which use the smtp (25, 465) and pop3 (110, 995) ports. I put the
> following rules in pf.conf
>
> ######## BEGIN
>
> # MACROS
> ext_if="rl0" # 192.168.0.254 internet
> int_if="rl1" # 10.0.0.1      local network
>
> ###############
> set loginterface $ext_if
> set skip on lo0
>
> ##############
> scrub in all
>
> ######## NAT
> nat on $ext_if from !($ext_if) -> ($ext_if)
>
> ######## SQUID
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
>
>
>
> antispoof quick for $int_if inet
>
> ### Loopback
> pass out quick on lo0 from any to any
> pass in quick on lo0 from any to any
>
>
> ### Local network
> pass out quick on $int_if from any to any keep state
> pass in quick on $int_if from any to any keep state
>
> pass out quick on $ext_if from any to any keep state
> pass in log quick on $ext_if inet proto tcp from any to any port 50000 flags S/SA keep state
>
> ######### End
>
> Squid works beautifully, but Outlook and IncrediMail are proving difficult;
> I thank everyone for the help and the time. Many thanks
>
>
> ####### MORE INFORMATION
>
> # pfctl -sn
> nat on rl0 from ! (rl0) to any -> (rl0) round-robin
> rdr on rl1 inet proto tcp from any to any port = www -> 127.0.0.1 port 3128
>
> # pfctl -sr
> scrub in all fragment reassemble
> pass in on rl1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
> pass out on rl0 inet proto tcp from any to any port = www keep state
> block drop in quick on ! rl1 inet from 10.0.0.0/24 to any
> block drop in quick inet from 10.0.0.1 to any
> pass out quick on lo0 all
> pass in quick on lo0 all
> pass out quick on rl1 all keep state
> pass in quick on rl1 all keep state
> pass out quick on rl0 all keep state
> pass in log quick on rl0 inet proto tcp from any to any port = 50000 flags S/SA keep state
>
> # ps aux | grep squid
> root     26082  0.0  0.0  1104     4 ??  IWs    7:35AM    0:00.05 /usr/local/squid/sbin/squid
> nobody     894  0.0 10.8  5352  3476 ??  S      7:35AM    0:11.53 (squid) (squid)
> root      4519  0.0  1.0   336   312 p1  R+     8:31AM    0:00.12 grep squid
>
> ######### SOME ATTEMPTS
>
> ###### BEGIN 01
> ext_if="rl0" # 192.168.0.254
> int_if="rl1" # 10.0.0.1
>
>
> tcp_services="{ 21, 25, 110, 465, 995 }"
> udpports="{ domain }"
> # icmp_types="echoreq"
>
> ########
> set optimization aggressive
>
> #############
> scrub in
>
> ######## NAT
> nat on $ext_if from !($ext_if) -> ($ext_if)
>
> ######## SQUID
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> #rdr on $int_if proto tcp from any to any port 25 -> 127.0.0.1 port 8025
> #rdr on $int_if proto tcp from any to any port 110 -> 127.0.0.1 port 8110
>
> rdr on $int_if inet proto tcp from any to any port 25 -> 127.0.0.1 port 8025
> rdr on $int_if inet proto tcp from any to any port 110 -> 127.0.0.1 port 8110
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> pass in quick on $int_if all
> pass out quick on $int_if all
>
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
>
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8025 keep state
> pass out on $ext_if inet proto tcp from any to any port smtp keep state
>
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8110 keep state
> pass out on $ext_if inet proto tcp from any to any port pop3 keep state
>
> pass in on $ext_if inet proto tcp from any to $int_if port $tcp_services flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to $int_if port $udpports flags S/SA keep state
> pass in on $int_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
> pass in on $int_if inet proto tcp from any to $ext_if port $udpports flags S/SA keep state
> pass out on $int_if proto tcp from $ext_if to any flags S/S keep state
> pass out on $int_if proto udp from $ext_if to any keep state
>
> pass out on $ext_if proto tcp from $ext_if to any flags S/S keep state
> pass out on $ext_if proto udp from $ext_if to any keep state
>
> ############################ END 01
>
>
>
> ################## BEGIN 02
> ext_if="rl0" # 192.168.0.254
> int_if="rl1" # 10.0.0.1
>
>
> ######### email
> tcp_pass = { ftp ssh smtp domain http pop3 }
> udp_pass = { domain ntp }
>
> ########
> set optimization aggressive
>
> #############
> scrub in
>
> ######## NAT
> nat on $ext_if from !($ext_if) -> ($ext_if)
>
>
> ######## SQUID
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
>
>
> antispoof for { rl0, rl1 } inet
>
> pass out on { rl0, rl1 } proto tcp to any port $tcp_pass
> pass out on { rl0, rl1 } proto udp to any port $udp_pass
>
>
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass out on $ext_if inet proto { udp, icmp } all keep state
>
> pass in on $ext_if proto tcp from any to $int_if port = www keep state
> pass in on $ext_if proto tcp from any to $int_if port = smtp keep state
> pass in on $ext_if proto tcp from any to $int_if port = pop3 keep state
>
>
> ############################ END 02
>
> All of the attempts above were unsuccessful.
>
>
> Iran Lima
> OpenBSD apprentice
>
>
> _______________________________________________
> OpenBSD mailing list
> OpenBSD at openbsd-br.org
> http://listas.openbsd-br.org/mailman/listinfo/openbsd
>
>


More details about the Openbsd mailing list
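For reference, a complete ruleset for the two-NIC layout in the thread (rl0 towards the internet, rl1 towards the LAN, Squid listening on 127.0.0.1:3128) that allows the mail ports the original post asks about. This is an added example written for this page, not the poster's file and not a ruleset from the thread; it uses the OpenBSD 4.0-era pf syntax the post uses (separate nat/rdr rules, explicit "keep state"). The LAN prefix 10.0.0.0/24, the default-deny policy and the macro names are assumptions.

```pf
# Added example for the setup described in the post (OpenBSD 4.0-era pf syntax).
# Assumptions: the LAN behind rl1 is 10.0.0.0/24 and a default-deny policy is wanted.
ext_if="rl0"                               # 192.168.0.254, towards the internet
int_if="rl1"                               # 10.0.0.1, local network
lan="10.0.0.0/24"                          # assumed: the network behind rl1
mail_ports="{ smtp, 465, pop3, 995 }"      # 25, 465, 110, 995 as in the post
out_ports="{ www, smtp, 465, pop3, 995 }"  # what may leave through rl0

set skip on lo0
scrub in all

# Masquerade the LAN behind whatever address rl0 currently has.
nat on $ext_if from $lan to any -> ($ext_if)

# Transparent proxy: only plain HTTP is handed to Squid. Mail is NOT
# redirected; a rdr to 127.0.0.1 port 8025/8110 only works if a daemon
# actually listens there, and the ps output in the post shows only squid.
rdr on $int_if inet proto tcp from $lan to any port www -> 127.0.0.1 port 3128

# Default deny with logging, so every dropped packet shows up on pflog0.
block log all
antispoof quick for $int_if inet

# LAN -> Squid. In this pf generation rdr rewrites the destination before
# the filter runs, so the pass rule must name 127.0.0.1:3128, not port 80.
pass in quick on $int_if inet proto tcp from $lan to 127.0.0.1 port 3128 keep state

# LAN -> mail servers on the internet, plus DNS so the clients can resolve
# their server names (a mail client with no DNS fails the same way as one
# that is firewalled).
pass in quick on $int_if inet proto tcp from $lan to any port $mail_ports flags S/SA keep state
pass in quick on $int_if inet proto udp from $lan to any port domain keep state

# Firewall-originated traffic and replies back into the LAN.
pass out quick on $int_if from any to $lan keep state

# Everything leaving rl0: the NATed LAN sessions and Squid's own
# connections (Squid runs on the firewall, so it needs www and DNS out).
pass out quick on $ext_if inet proto tcp from any to any port $out_ports flags S/SA keep state
pass out quick on $ext_if inet proto udp from any to any port domain keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then have a client connect to port 25 while watching `pfctl -ss` and `tcpdump -n -e -ttt -i pflog0`. Because everything blocked is logged, a mail connection that appears on pflog0 was dropped by this ruleset and the logged rule number says which one; a connection that creates a state on rl0 in `pfctl -ss` but never gets a reply is being stopped somewhere beyond the firewall, not by pf.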