[OpenBSD-BR] pf.conf - help please - urgent

Vagner Gonçalves vagner at vrvinfo.com.br
Fri Jun 8 20:57:07 BRT 2007


Iran Lima wrote:
> thanks Fabio for reading and replying to my email. Well, I am trying to 
> let Outlook Express and IncrediMail on my internal network, which is 
> 10.0.0.x, out to the internet, which is 192.168.0.x; note that I can 
> already browse and Squid is already working, see the previous email
>  
> source -> destination
> 10.0.0.x -> 192.168.0.X
> rl0 -> fxp0
>  
> if you can help me I will be very grateful
>  
> Regards
>  
> Iran Lima
> openbsd apprentice
>
>
> On 08/06/07, *Fabio Sbano* <fsbano at gmail.com> wrote:
>
>     Iran,
>
>     What are you trying to do??... could you tell me exactly what you
>     want to do... allow from where to where?
>
>     source -> destination
>
>     On 6/8/07, Iran Lima <openbsd.iran at gmail.com> wrote:
>     >
>     >
>     > Dear openbsd friends, I need help with PF.CONF; I am not very good
>     > at pf.conf yet, but with your help I am sure I will get there.
>     >
>     > Well, on to the problem: I have a Pentium 3 machine with 128MB of
>     > RAM and a 20GB disk. I installed plain openbsd 4.0, then squid 2.6
>     > stable 12, all ok. Now I need to allow, on my internal network,
>     > Outlook Express and IncrediMail, which use the smtp (25, 465) and
>     > pop3 (110, 995) ports. I put the following rules in pf.conf
>     >
>     > ######## BEGIN
>     >
>     > # MACROS
>     > ext_if="rl0" # 192.168.0.254 internet
>     > int_if="rl1" # 10.0.0.1      local network
>     >
>     > ###############
>     > set loginterface $ext_if
>     > set skip on lo0
>     >
>     > ##############
>     > scrub in all
>     >
>     > ######## NAT
>     > nat on $ext_if from !($ext_if) -> ($ext_if)
>     >
>     > ######## SQUID
>     > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>     > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
>     > pass out on $ext_if inet proto tcp from any to any port www keep state
>     >
>     > antispoof quick for $int_if inet
>     >
>     > ### Loopback
>     > pass out quick on lo0 from any to any
>     > pass in quick on lo0 from any to any
>     >
>     > ### Local network
>     > pass out quick on $int_if from any to any keep state
>     > pass in quick on $int_if from any to any keep state
>     >
>     > pass out quick on $ext_if from any to any keep state
>     > pass in log quick on $ext_if inet proto tcp from any to any port 50000 flags S/SA keep state
>     >
>     > ######### End
>     >
>     > Squid works beautifully, but Outlook and IncrediMail are proving
>     > hard. I thank everyone for their help and time - thank you very much
>     >
>     >
>     > ####### MORE INFORMATION
>     >
>     > # pfctl -sn
>     > nat on rl0 from ! (rl0) to any -> (rl0) round-robin
>     > rdr on rl1 inet proto tcp from any to any port = www -> 127.0.0.1 port 3128
>     >
>     > # pfctl -sr
>     > scrub in all fragment reassemble
>     > pass in on rl1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
>     > pass out on rl0 inet proto tcp from any to any port = www keep state
>     > block drop in quick on ! rl1 inet from 10.0.0.0/24 to any
>     > block drop in quick inet from 10.0.0.1 to any
>     > pass out quick on lo0 all
>     > pass in quick on lo0 all
>     > pass out quick on rl1 all keep state
>     > pass in quick on rl1 all keep state
>     > pass out quick on rl0 all keep state
>     > pass in log quick on rl0 inet proto tcp from any to any port = 50000 flags S/SA keep state
>     >
>     > # ps aux | grep squid
>     > root     26082  0.0  0.0  1104     4 ??  IWs    7:35AM    0:00.05 /usr/local/squid/sbin/squid
>     > nobody     894  0.0 10.8  5352  3476 ??  S      7:35AM    0:11.53 (squid) (squid)
>     > root      4519  0.0  1.0   336   312 p1  R+    8:31AM    0:00.12 grep squid
>     >
>     > ######### SOME ATTEMPTS
>     >
>     > ###### BEGIN 01
>     > ext_if="rl0" # 192.168.0.254
>     > int_if="rl1" # 10.0.0.1
>     >
>     > tcp_services="{ 21, 25, 110, 465, 995 }"
>     > udpports="{ domain }"
>     > # icmp_types="echoreq"
>     >
>     > ########
>     > set optimization aggressive
>     >
>     > #############
>     > scrub in
>     >
>     > ######## NAT
>     > nat on $ext_if from !($ext_if) -> ($ext_if)
>     >
>     > ######## SQUID
>     > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>     > #rdr on $int_if proto tcp from any to any port 25 -> 127.0.0.1 port 8025
>     > #rdr on $int_if proto tcp from any to any port 110 -> 127.0.0.1 port 8110
>     >
>     > rdr on $int_if inet proto tcp from any to any port 25 -> 127.0.0.1 port 8025
>     > rdr on $int_if inet proto tcp from any to any port 110 -> 127.0.0.1 port 8110
>     >
>     > pass in quick on lo0 all
>     > pass out quick on lo0 all
>     >
>     > pass in quick on $int_if all
>     > pass out quick on $int_if all
>     >
>     > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
>     > pass out on $ext_if inet proto tcp from any to any port www keep state
>     >
>     > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8025 keep state
>     > pass out on $ext_if inet proto tcp from any to any port smtp keep state
>     >
>     > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8110 keep state
>     > pass out on $ext_if inet proto tcp from any to any port pop3 keep state
>     >
>     > pass in on $ext_if inet proto tcp from any to $int_if port $tcp_services flags S/SA keep state
>     > pass in on $ext_if inet proto tcp from any to $int_if port $udpports flags S/SA keep state
>     > pass in on $int_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
>     > pass in on $int_if inet proto tcp from any to $ext_if port $udpports flags S/SA keep state
>     > pass out on $int_if proto tcp from $ext_if to any flags S/S keep state
>     > pass out on $int_if proto udp from $ext_if to any keep state
>     >
>     > pass out on $ext_if proto tcp from $ext_if to any flags S/S keep state
>     > pass out on $ext_if proto udp from $ext_if to any keep state
>     >
>     > ############################ END 01
>     >
>     >
>     >
>     > ################## BEGIN 02
>     > ext_if="rl0" # 192.168.0.254
>     > int_if="rl1" # 10.0.0.1
>     >
>     > ######### email
>     > tcp_pass = { ftp ssh smtp domain http pop3 }
>     > udp_pass = { domain ntp }
>     >
>     > ########
>     > set optimization aggressive
>     >
>     > #############
>     > scrub in
>     >
>     > ######## NAT
>     > nat on $ext_if from !($ext_if) -> ($ext_if)
>     >
>     > ######## SQUID
>     > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>     > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
>     > pass out on $ext_if inet proto tcp from any to any port www keep state
>     >
>     > antispoof for { rl0, rl1 } inet
>     >
>     > pass out on { rl0, rl1 } proto tcp to any port $tcp_pass
>     > pass out on { rl0, rl1 } proto udp to any port $udp_pass
>     >
>     > pass out on $ext_if inet proto tcp all flags S/SA keep state
>     > pass out on $ext_if inet proto { udp, icmp } all keep state
>     >
>     > pass in on $ext_if proto tcp from any to $int_if port = www keep state
>     > pass in on $ext_if proto tcp from any to $int_if port = smtp keep state
>     > pass in on $ext_if proto tcp from any to $int_if port = pop3 keep state
>     >
>     > ############################ END 02
>     >
>     > all the attempts above were unsuccessful
>     >
>     >
>     > Iran Lima
>     > openbsd apprentice
>     >
>     >
>     > _______________________________________________
>     > OpenBSD mailing list
>     > OpenBSD at openbsd-br.org
>     > http://listas.openbsd-br.org/mailman/listinfo/openbsd
>     >
>     >
>
>
Good evening...
Let me see if I understood...

You want to allow the machines on your LAN to send and receive e-mail 
on the net?


If so, you don't need rdr, only NAT for outbound traffic.....!


Hope this helps.


Vagner Gonçalves (Slayer)
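As an added example, not a ruleset posted in this thread: an OpenBSD 4.0 pf.conf that follows the advice above, keeping the Squid redirect for www only, letting LAN clients reach SMTP/POP3 (25, 465, 110, 995) through outbound NAT with no rdr, and replacing the pass-all rules with a default deny plus pass rules for the LAN's own traffic. The interface names and addresses are the ones Iran posted; `int_net` and `mail_ports` are macro names chosen here.

```pf
# Added example, not Iran's or Vagner's ruleset. OpenBSD 4.0 syntax, where
# "keep state" is still explicit. int_net and mail_ports are names chosen here.
ext_if="rl0"                            # 192.168.0.254, towards the internet
int_if="rl1"                            # 10.0.0.1, local network
int_net="10.0.0.0/24"
mail_ports="{ smtp, 465, pop3, 995 }"   # 25, 465, 110, 995

set loginterface $ext_if
set skip on lo0
scrub in all

# Outbound NAT is all the mail clients need: no rdr for 25/110.
nat on $ext_if from $int_net to any -> ($ext_if)

# Transparent proxy: only www is sent to Squid.
rdr on $int_if inet proto tcp from $int_net to any port www -> 127.0.0.1 port 3128

# Default deny replaces the "pass in quick on $int_if from any to any" rules.
block in log all
antispoof quick for $int_if inet

# LAN -> Squid, LAN -> mail servers, LAN -> DNS. The states created here
# also match the NATed replies arriving on $ext_if.
pass in on $int_if inet proto tcp from $int_net to 127.0.0.1 port 3128 keep state
pass in on $int_if inet proto tcp from $int_net to any port $mail_ports flags S/SA keep state
pass in on $int_if inet proto udp from $int_net to any port domain keep state

# Traffic the gateway itself originates (Squid's fetches, its own DNS lookups)
# and the translated LAN sessions leaving on $ext_if.
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out on $ext_if inet proto tcp from any to any port $mail_ports flags S/SA keep state
pass out on $ext_if inet proto udp from any to any port domain keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `pfctl -ss` shows whether states for the NATed SMTP/POP3 sessions are being created.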


More information about the Openbsd mailing list