[OpenBSD-BR] pf.conf - help please - urgent
Vagner Gonçalves
vagner em vrvinfo.com.br
Fri Jun 8 23:28:06 BRT 2007
Iran Lima wrote:
> it would be like this
>
> ext_if="rl0" #EXTERNAL NETWORK CARD #192.168.0.254
> int_if="fxp0" #INTERNAL NETWORK CARD #10.0.0.1
>
> #### for outbound
> nat on $inf_if from !($inf_if ) to any -> $inf_if
>
> ######## for inbound
> nat on $ext_if from !($ext_if) to any -> $ext_if
>
>
>
>
> On 08/06/07, Vagner Gonçalves <vagner em vrvinfo.com.br> wrote:
>
>> Iran Lima wrote:
>>
>>> thank you Fabio for reading and replying to my email. Well, I am
>>> trying to let Outlook Express and IncrediMail out from my internal
>>> network, which is 10.0.0.x, to the internet, which is 192.168.0.x; note
>>> that I can already browse and squid is already working, see the previous email
>>>
>>> source -> destination
>>> 10.0.0.x ->192.168.0.X
>>> rl0 -> fxp0
>>>
>>>
>>> if you can help me I will be very grateful
>>>
>>> Regards
>>>
>>> Iran Lima
>>> openbsd apprentice
>>>
>>>
>>>
>>> On 08/06/07, *Fabio Sbano* <fsbano em gmail.com> wrote:
>>>
>>> Iran,
>>>
>>> What are you trying to do??... could you tell me exactly what you
>>> want to do... allow from where to where?
>>>
>>> source -> destination
>>>
>>> On 6/8/07, Iran Lima <openbsd.iran em gmail.com> wrote:
>>> >
>>> >
>>> > Dear openbsd friends, I need help with PF.CONF; I am not very
>>> > good at pf.conf yet, but with your help I am sure I will get
>>> > there
>>> >
>>> > Well, on to the problem: I have a Pentium 3 machine with 128MB of
>>> > RAM and a 20GB HD; I installed a plain openbsd 4.0, then squid 2.6 stable 12,
>>> > all ok. Now I need to allow Outlook Express and IncrediMail on my
>>> > internal network, which use the ports smtp(25, 465), pop3(110, 995).
>>> > I put the following rules in pf.conf
>>> >
>>> > ######## START
>>> >
>>> > # MACROS
>>> > ext_if="rl0" # 192.168.0.254 internet
>>> > int_if="rl1" # 10.0.0.1 local network
>>> >
>>> > ###############
>>> > set loginterface $ext_if
>>> > set skip on lo0
>>> >
>>> > ##############
>>> > scrub in all
>>> >
>>> > ######## NAT
>>> > nat on $ext_if from !($ext_if) -> ($ext_if)
>>> >
>>> > ######## SQUID
>>> > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>>> > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
>>> > pass out on $ext_if inet proto tcp from any to any port www keep state
>>> >
>>> >
>>> >
>>> > antispoof quick for $int_if inet
>>> >
>>> > ### Loopback
>>> > pass out quick on lo0 from any to any
>>> > pass in quick on lo0 from any to any
>>> >
>>> >
>>> > ### Local Network
>>> > pass out quick on $int_if from any to any keep state
>>> > pass in quick on $int_if from any to any keep state
>>> >
>>> > pass out quick on $ext_if from any to any keep state
>>> > pass in log quick on $ext_if inet proto tcp from any to any port 50000 flags S/SA keep state
>>> >
>>> > ######### End
>>> >
>>> > Squid works beautifully, but Outlook and IncrediMail are proving
>>> > difficult; I appreciate everyone's help and time - thank you very much
>>> >
>>> >
>>> > ####### MORE INFORMATION
>>> >
>>> > # pfctl -sn
>>> > nat on rl0 from ! (rl0) to any -> (rl0) round-robin
>>> > rdr on rl1 inet proto tcp from any to any port = www -> 127.0.0.1 port 3128
>>> >
>>> > # pfctl -sr
>>> > scrub in all fragment reassemble
>>> > pass in on rl1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
>>> > pass out on rl0 inet proto tcp from any to any port = www keep state
>>> > block drop in quick on ! rl1 inet from 10.0.0.0/24 to any
>>> > block drop in quick inet from 10.0.0.1 to any
>>> > pass out quick on lo0 all
>>> > pass in quick on lo0 all
>>> > pass out quick on rl1 all keep state
>>> > pass in quick on rl1 all keep state
>>> > pass out quick on rl0 all keep state
>>> > pass in log quick on rl0 inet proto tcp from any to any port = 50000 flags S/SA keep state
>>> >
>>> > # ps aux | grep squid
>>> > root 26082 0.0 0.0 1104 4 ?? IWs 7:35AM 0:00.05 /usr/local/squid/sbin/squid
>>> > nobody 894 0.0 10.8 5352 3476 ?? S 7:35AM 0:11.53 (squid) (squid)
>>> > root 4519 0.0 1.0 336 312 p1 R+ 8:31AM 0:00.12 grep squid
>>> >
>>> > ######### SOME ATTEMPTS
>>> >
>>> > ###### START 01
>>> > ext_if="rl0" # 192.168.0.254
>>> > int_if="rl1" # 10.0.0.1
>>> >
>>> >
>>> > tcp_services="{ 21, 25, 110, 465, 995 }"
>>> > udpports="{ domain }"
>>> > # icmp_types="echoreq"
>>> >
>>> > ########
>>> > set optimization aggressive
>>> >
>>> > #############
>>> > scrub in
>>> >
>>> > ######## NAT
>>> > nat on $ext_if from !($ext_if) -> ($ext_if)
>>> >
>>> > ######## SQUID
>>> > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>>> > #rdr on $int_if proto tcp from any to any port 25 -> 127.0.0.1 port 8025
>>> > #rdr on $int_if proto tcp from any to any port 110 -> 127.0.0.1 port 8110
>>> >
>>> > rdr on $int_if inet proto tcp from any to any port 25 -> 127.0.0.1 port 8025
>>> > rdr on $int_if inet proto tcp from any to any port 110 -> 127.0.0.1 port 8110
>>> >
>>> > pass in quick on lo0 all
>>> > pass out quick on lo0 all
>>> >
>>> > pass in quick on $int_if all
>>> > pass out quick on $int_if all
>>> >
>>> > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
>>> > pass out on $ext_if inet proto tcp from any to any port www keep state
>>> >
>>> > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8025 keep state
>>> > pass out on $ext_if inet proto tcp from any to any port smtp keep state
>>> >
>>> > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8110 keep state
>>> > pass out on $ext_if inet proto tcp from any to any port pop3 keep state
>>> >
>>> > pass in on $ext_if inet proto tcp from any to $int_if port $tcp_services flags S/SA keep state
>>> > pass in on $ext_if inet proto tcp from any to $int_if port $udpports flags S/SA keep state
>>> > pass in on $int_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
>>> > pass in on $int_if inet proto tcp from any to $ext_if port $udpports flags S/SA keep state
>>> > pass out on $int_if proto tcp from $ext_if to any flags S/S keep state
>>> > pass out on $int_if proto udp from $ext_if to any keep state
>>> >
>>> > pass out on $ext_if proto tcp from $ext_if to any flags S/S keep state
>>> > pass out on $ext_if proto udp from $ext_if to any keep state
>>> >
>>> > ############################ END 01
>>> >
>>> >
>>> >
>>> > ################## START 02
>>> > ext_if="rl0" # 192.168.0.254
>>> > int_if="rl1" # 10.0.0.1
>>> >
>>> >
>>> > ######### email
>>> > tcp_pass = { ftp ssh smtp domain http pop3 }
>>> > udp_pass = { domain ntp }
>>> >
>>> > ########
>>> > set optimization aggressive
>>> >
>>> > #############
>>> > scrub in
>>> >
>>> > ######## NAT
>>> > nat on $ext_if from !($ext_if) -> ($ext_if)
>>> >
>>> >
>>> > ######## SQUID
>>> > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>>> > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
>>> > pass out on $ext_if inet proto tcp from any to any port www keep state
>>> >
>>> >
>>> > antispoof for { rl0, rl1 } inet
>>> >
>>> > pass out on { rl0, rl1 } proto tcp to any port $tcp_pass
>>> > pass out on { rl0, rl1 } proto udp to any port $udp_pass
>>> >
>>> >
>>> > pass out on $ext_if inet proto tcp all flags S/SA keep state
>>> > pass out on $ext_if inet proto { udp, icmp } all keep state
>>> >
>>> > pass in on $ext_if proto tcp from any to $int_if port = www keep state
>>> > pass in on $ext_if proto tcp from any to $int_if port = smtp keep state
>>> > pass in on $ext_if proto tcp from any to $int_if port = pop3 keep state
>>> >
>>> >
>>> > ############################ END 02
>>> >
>>> > all of the attempts above were unsuccessful
>>> >
>>> >
>>> > Iran Lima
>>> > openbsd apprentice
>>> >
>>> >
>>> > _______________________________________________
>>> > OpenBSD mailing list
>>> > OpenBSD em openbsd-br.org
>>> > http://listas.openbsd-br.org/mailman/listinfo/openbsd
>>> >
>>> >
>> Good evening...
>> Let me see if I understood...
>>
>> You want to allow the machines on your LAN to send and receive emails
>> on the net?
>>
>>
>> If so, you don't need rdr, only the nat for outbound .....!
>>
>>
>> Hope this helped.
>>
>>
>> Vagner Gonçalves (Slayer)
For the machines to access the net you only need to change this ->
lan="192.168.0.0/24"
nat on $ext_if from $lan to any -> ($ext_if)
And it's always good to ask.... did you enable ip forwarding in
/etc/sysctl.conf?
But there is a perfect example for you to understand at
http://www.openbsd.org/faq/pf/example1.html
I'm sure that example will clear up all your doubts..!
Vagner Gonçalves (Slayer)
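Added example (not from any message in this thread): a minimal pf.conf in the OpenBSD 4.0 nat/rdr syntax used above that does what Vagner describes, assuming Iran's interface names and a 10.0.0.0/24 LAN. It NATs the LAN out through rl0, keeps the rdr only for web traffic to squid, and passes the mail ports through with state instead of redirecting them to local ports where nothing listens.

```pf
# Added example in OpenBSD 4.0-era syntax (nat/rdr). Interface names and
# addresses follow the thread: rl0 external 192.168.0.254, rl1 internal 10.0.0.1.
# Also requires net.inet.ip.forwarding=1 in /etc/sysctl.conf, or nothing is routed.
ext_if="rl0"
int_if="rl1"
lan="10.0.0.0/24"
mail_ports="{ 25, 465, 110, 995 }"        # smtp, smtps, pop3, pop3s used by the clients
out_tcp="{ www, 25, 465, 110, 995 }"      # what the gateway itself may open outbound

set skip on lo0
scrub in all

# Outbound translation: this is the only rule the mail clients need.
nat on $ext_if from $lan to any -> ($ext_if)

# Transparent proxy: only port 80 is redirected to squid.
# Redirecting 25/110 to 127.0.0.1:8025/8110, as tried above, only works if a
# proxy is actually listening there; otherwise clients get connection refused.
rdr on $int_if inet proto tcp from $lan to any port www -> 127.0.0.1 port 3128

# Default deny inbound; drop LAN addresses arriving on any other interface.
block in all
antispoof quick for $int_if inet

# LAN -> gateway: web goes to squid, mail and DNS go straight out (NATed above).
pass in on $int_if inet proto tcp from $lan to 127.0.0.1 port 3128 keep state
pass in on $int_if inet proto tcp from $lan to any port $mail_ports flags S/SA keep state
pass in on $int_if inet proto udp from $lan to any port domain keep state

# Gateway -> internet: squid's own fetches, the NATed mail sessions, and DNS.
pass out on $ext_if inet proto tcp from ($ext_if) to any port $out_tcp flags S/SA keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port domain keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sn` and `pfctl -sr`, as shown in the thread, display the loaded nat and filter rules.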