[OpenBSD-BR] Res: Re: pf.conf - help please - urgent

Iran Lima openbsd.iran at gmail.com
Sun Jun 17 10:16:46 BRT 2007


My MSN is lbie2004 at hotmail.com

 
 
-------Original message-------

From: Fabio Sbano
Date: 9/6/2007 08:56:45
To: OpenBSD-BR
Subject: Re: [OpenBSD-BR] pf.conf - help please - urgent

Do you have MSN?

Regards,
Fábio Sbano

On 6/8/07, Vagner Gonçalves <vagner at vrvinfo.com.br> wrote:
> Iran Lima wrote:
> > it would be like this
> >
> > ext_if="rl0" #EXTERNAL NETWORK CARD #192.168.0.254
> > int_if="fxp0" #INTERNAL NETWORK CARD #10.0.0.1
> >
> > #### for outbound
> > nat on $int_if from !($int_if) to any -> $int_if
> >
> > ######## for inbound
> > nat on $ext_if from !($ext_if) to any -> $ext_if
> >
> >
> >
> >
> > On 06/08/07, Vagner Gonçalves <vagner at vrvinfo.com.br> wrote:
> >
> >> Iran Lima wrote:
> >>
> >>> thank you fabio for reading and answering my email; well, I am
> >>> trying to allow outlook express and incredimail from my internal
> >>> network, which is 10.0.0.x, out to the internet, which is 192.168.0.x,
> >>> remembering that I can already browse and squid is already working,
> >>> see the previous email
> >>>
> >>> source -> destination
> >>> 10.0.0.x ->192.168.0.X
> >>> rl0 -> fxp0
> >>>
> >>>
> >>> if you can help me I will be very grateful
> >>>
> >>> Regards
> >>>
> >>> Iran Lima
> >>> openbsd apprentice
> >>>
> >>>
> >>>
> >>> On 06/08/07, *Fabio Sbano* <fsbano at gmail.com> wrote:
> >>>
> >>>     Iran,
> >>>
> >>>     What are you trying to do??... could you tell me exactly what you
> >>>     want to do... allow from where to where?
> >>>
> >>>     source -> destination
> >>>
> >>>     On 6/8/07, Iran Lima <openbsd.iran at gmail.com> wrote:
> >>>     >
> >>>     >
> >>>     > Dear openbsd friends, I need help with PF.CONF; I am not very
> >>>     > good at pf.conf yet, but with your help I am sure I will get
> >>>     > there
> >>>     >
> >>>     > Well, on to the problem: I have a Pentium 3 machine with 128MB of
> >>>     > RAM and a 20GB HD. I installed plain openbsd 4.0, then squid 2.6
> >>>     > stable 12, all ok. Now I need to allow outlook express and
> >>>     > incredimail on my internal network, which use the ports
> >>>     > smtp(25, 465) and pop3(110, 995). I put the following rules in
> >>>     > pf.conf
> >>>     >
> >>>     > ######## START
> >>>     >
> >>>     > # MACROS
> >>>     > ext_if="rl0" # 192.168.0.254 internet
> >>>     > int_if="rl1" # 10.0.0.1      local network
> >>>     >
> >>>     > ###############
> >>>     > set loginterface $ext_if
> >>>     > set skip on lo0
> >>>     >
> >>>     > ##############
> >>>     > scrub in all
> >>>     >
> >>>     > ######## NAT
> >>>     > nat on $ext_if from !($ext_if) -> ($ext_if)
> >>>     >
> >>>     > ######## SQUID
> >>>     > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> >>>     > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> >>>     > pass out on $ext_if inet proto tcp from any to any port www keep state
> >>>     >
> >>>     >
> >>>     >
> >>>     > antispoof quick for $int_if inet
> >>>     >
> >>>     > ### Loopback
> >>>     > pass out quick on lo0 from any to any
> >>>     > pass in quick on lo0 from any to any
> >>>     >
> >>>     >
> >>>     > ### Local network
> >>>     > pass out quick on $int_if from any to any keep state
> >>>     > pass in quick on $int_if from any to any keep state
> >>>     >
> >>>     > pass out quick on $ext_if from any to any keep state
> >>>     > pass in log quick on $ext_if inet proto tcp from any to any port 50000 flags S/SA keep state
> >>>     >
> >>>     > ######### End
> >>>     >
> >>>     > Squid works beautifully, but outlook and incredimail are a
> >>>     > struggle; I appreciate everyone's help and time - thank you very much
> >>>     >
> >>>     >
> >>>     > ####### MORE INFORMATION
> >>>     >
> >>>     > # pfctl -sn
> >>>     > nat on rl0 from ! (rl0) to any -> (rl0) round-robin
> >>>     > rdr on rl1 inet proto tcp from any to any port = www -> 127.0.0.1 port 3128
> >>>     >
> >>>     > # pfctl -sr
> >>>     > scrub in all fragment reassemble
> >>>     > pass in on rl1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
> >>>     > pass out on rl0 inet proto tcp from any to any port = www keep state
> >>>     > block drop in quick on ! rl1 inet from 10.0.0.0/24 to any
> >>>     > block drop in quick inet from 10.0.0.1 to any
> >>>     > pass out quick on lo0 all
> >>>     > pass in quick on lo0 all
> >>>     > pass out quick on rl1 all keep state
> >>>     > pass in quick on rl1 all keep state
> >>>     > pass out quick on rl0 all keep state
> >>>     > pass in log quick on rl0 inet proto tcp from any to any port = 50000 flags S/SA keep state
> >>>     >
> >>>     > # ps aux | grep squid
> >>>     > root     26082  0.0  0.0  1104     4 ??  IWs    7:35AM    0:00.05 /usr/local/squid/sbin/squid
> >>>     > nobody     894  0.0 10.8  5352  3476 ??  S      7:35AM    0:11.53 (squid) (squid)
> >>>     > root      4519  0.0  1.0   336   312 p1  R+     8:31AM    0:00.12 grep squid
> >>>     >
> >>>     > ######### SOME ATTEMPTS
> >>>     >
> >>>     > ###### START 01
> >>>     > ext_if="rl0" # 192.168.0.254
> >>>     > int_if="rl1" # 10.0.0.1
> >>>     >
> >>>     >
> >>>     > tcp_services="{ 21, 25, 110, 465, 995 }"
> >>>     > udpports="{ domain }"
> >>>     > # icmp_types="echoreq"
> >>>     >
> >>>     > ########
> >>>     > set optimization aggressive
> >>>     >
> >>>     > #############
> >>>     > scrub in
> >>>     >
> >>>     > ######## NAT
> >>>     > nat on $ext_if from !($ext_if) -> ($ext_if)
> >>>     >
> >>>     > ######## SQUID
> >>>     > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> >>>     > #rdr on $int_if proto tcp from any to any port 25 -> 127.0.0.1 port 8025
> >>>     > #rdr on $int_if proto tcp from any to any port 110 -> 127.0.0.1 port 8110
> >>>     >
> >>>     > rdr on $int_if inet proto tcp from any to any port 25 -> 127.0.0.1 port 8025
> >>>     > rdr on $int_if inet proto tcp from any to any port 110 -> 127.0.0.1 port 8110
> >>>     >
> >>>     > pass in quick on lo0 all
> >>>     > pass out quick on lo0 all
> >>>     >
> >>>     > pass in quick on $int_if all
> >>>     > pass out quick on $int_if all
> >>>     >
> >>>     > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> >>>     > pass out on $ext_if inet proto tcp from any to any port www keep state
> >>>     >
> >>>     > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8025 keep state
> >>>     > pass out on $ext_if inet proto tcp from any to any port smtp keep state
> >>>     >
> >>>     > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8110 keep state
> >>>     > pass out on $ext_if inet proto tcp from any to any port pop3 keep state
> >>>     >
> >>>     > pass in on $ext_if inet proto tcp from any to $int_if port $tcp_services flags S/SA keep state
> >>>     > pass in on $ext_if inet proto tcp from any to $int_if port $udpports flags S/SA keep state
> >>>     > pass in on $int_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
> >>>     > pass in on $int_if inet proto tcp from any to $ext_if port $udpports flags S/SA keep state
> >>>     > pass out on $int_if proto tcp from $ext_if to any flags S/S keep state
> >>>     > pass out on $int_if proto udp from $ext_if to any keep state
> >>>     >
> >>>     > pass out on $ext_if proto tcp from $ext_if to any flags S/S keep state
> >>>     > pass out on $ext_if proto udp from $ext_if to any keep state
> >>>     >
> >>>     > ############################ END 01
> >>>     >
> >>>     >
> >>>     >
> >>>     > ################## START 02
> >>>     > ext_if="rl0" # 192.168.0.254
> >>>     > int_if="rl1" # 10.0.0.1
> >>>     >
> >>>     >
> >>>     > ######### email
> >>>     > tcp_pass = { ftp ssh smtp domain http pop3 }
> >>>     > udp_pass = { domain ntp }
> >>>     >
> >>>     > ########
> >>>     > set optimization aggressive
> >>>     >
> >>>     > #############
> >>>     > scrub in
> >>>     >
> >>>     > ######## NAT
> >>>     > nat on $ext_if from !($ext_if) -> ($ext_if)
> >>>     >
> >>>     >
> >>>     > ######## SQUID
> >>>     > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> >>>     > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> >>>     > pass out on $ext_if inet proto tcp from any to any port www keep state
> >>>     >
> >>>     >
> >>>     > antispoof for { rl0, rl1 } inet
> >>>     >
> >>>     > pass out on { rl0, rl1 } proto tcp to any port $tcp_pass
> >>>     > pass out on { rl0, rl1 } proto udp to any port $udp_pass
> >>>     >
> >>>     >
> >>>     > pass out on $ext_if inet proto tcp all flags S/SA keep state
> >>>     > pass out on $ext_if inet proto { udp, icmp } all keep state
> >>>     >
> >>>     > pass in on $ext_if proto tcp from any to $int_if port = www keep state
> >>>     > pass in on $ext_if proto tcp from any to $int_if port = smtp keep state
> >>>     > pass in on $ext_if proto tcp from any to $int_if port = pop3 keep state
> >>>     >
> >>>     >
> >>>     > ############################ END 02
> >>>     >
> >>>     > all the attempts above were unsuccessful
> >>>     >
> >>>     >
> >>>     > Iran Lima
> >>>     > openbsd apprentice
> >>>     >
> >>>     >
> >>>     > _______________________________________________
> >>>     > OpenBSD mailing list
> >>>     > OpenBSD at openbsd-br.org
> >>>     > http://listas.openbsd-br.org/mailman/listinfo/openbsd
> >>>     >
> >>>     >
> >>>
> >>>
> >>>
> >> Good evening...
> >> Let me see if I understand...
> >>
> >> You want to allow the machines on your lan to send and receive
> >> emails on the net?
> >>
> >>
> >> if so, you don't need rdr, only nat for outbound.....!
> >>
> >>
> >> Hope this helped.
> >>
> >>
> >> Vagner Gonçalves (Slayer)
> >>
> >>
> >
> >
> >
> For the machines to access the net you only need to change this ->
>
> lan="192.168.0.0/24"
>
> nat on $ext_if from $lan to any -> ($ext_if)
>
> And it's always good to ask....did you enable ip forwarding in
> /etc/sysctl.conf?
>
> But there is a perfect example for you to understand at
> http://www.openbsd.org/faq/pf/example1.html
>
> I'm sure that example will clear up all your doubts..!
>
>
> Vagner Gonçalves (Slayer)
>
_______________________________________________
OpenBSD mailing list
OpenBSD at openbsd-br.org
http://listas.openbsd-br.org/mailman/listinfo/openbsd
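Pulling the thread's advice together, here is a complete ruleset for the gateway described above, added as an example; it is not code from Iran, Vagner, or the OpenBSD FAQ page they point to. It uses the OpenBSD 4.0 syntax of the thread (nat and rdr as separate rules that run before filtering; from 4.7 on they are options of pass and match rules, and from 4.1 on keep state is implied), takes the interface names and addresses from Iran's posts, and assumes that the LAN is 10.0.0.0/24, that Squid listens on 127.0.0.1:3128 as the pfctl -sn output shows, and that the mail clients need DNS and direct HTTPS because only port 80 is redirected to Squid. It follows Vagner's point that outbound mail needs only the NAT rule: unlike attempt 01 it does not redirect ports 25 and 110 to 127.0.0.1 ports 8025 and 8110, which only makes sense if a proxy is actually listening there. Macro names are used consistently throughout; pfctl refuses to load a file that references an undefined macro such as $inf_if.

```pf
# Added example, not from the thread: NAT gateway with transparent Squid
# and outbound mail for the LAN, in OpenBSD 4.0 pf.conf syntax.
ext_if="rl0"          # 192.168.0.254, towards the upstream router (from the thread)
int_if="rl1"          # 10.0.0.1, LAN side (from the thread)
lan="10.0.0.0/24"     # assumed LAN prefix, matching the 10.0.0.x clients in the thread
mail_ports="{ 25, 465, 110, 995 }"   # smtp, smtps, pop3, pop3s, as listed by the poster

set loginterface $ext_if
set skip on lo0
scrub in all

# Translation. Both rules are evaluated before the filter rules, so the
# pass rules below see the translated addresses (source rewritten to the
# rl0 address on the way out, destination rewritten to 127.0.0.1 for www).
nat on $ext_if from $lan to any -> ($ext_if)
rdr on $int_if inet proto tcp from $lan to any port www -> 127.0.0.1 port 3128

# Default deny, logged to pflog0; everything not listed below is dropped.
block log all
antispoof quick for $int_if inet

# LAN -> gateway: the Squid listener (port 80 traffic already redirected to it).
pass in on $int_if inet proto tcp from $lan to 127.0.0.1 port 3128 flags S/SA keep state

# LAN -> anywhere: mail, DNS and HTTPS. No rdr is involved; NAT alone carries these out.
# HTTPS cannot be redirected into Squid's port 3128, so it leaves the LAN directly (assumed).
pass in on $int_if inet proto tcp from $lan to any port $mail_ports flags S/SA keep state
pass in on $int_if inet proto tcp from $lan to any port 443 flags S/SA keep state
pass in on $int_if inet proto { tcp, udp } from $lan to any port 53 keep state

# Gateway and NATed LAN -> internet. Squid's own fetches are covered by port 80/443.
pass out on $ext_if inet proto tcp from any to any port { 80, 443 } flags S/SA keep state
pass out on $ext_if inet proto tcp from any to any port $mail_ports flags S/SA keep state
pass out on $ext_if inet proto { tcp, udp } from any to any port 53 keep state
```

pf alone does not make the box route: Vagner's question about forwarding is the first thing to check, with `sysctl net.inet.ip.forwarding` (set it to 1, and put `net.inet.ip.forwarding=1` in /etc/sysctl.conf so it survives a reboot). Then `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, and `pfctl -ss` while a client sends mail should show a state entry from a 10.0.0.x address to port 25 or 110; no entry at all points at the client, the forwarding sysctl or the default route rather than at the rules. One difference from browsing that the thread does not spell out: with transparent Squid the proxy resolves names on the clients' behalf, whereas Outlook Express and IncrediMail resolve the mail server themselves, so a ruleset that only lets port 3128 in from the LAN breaks mail while browsing keeps working. Squid still needs its transparent option on `http_port` (Squid 2.6) for the www redirect, which is unchanged from the poster's working setup.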
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://listas.openbsd-br.org/pipermail/openbsd/attachments/20070617/66c69365/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1458 bytes
Desc: not available
Url : http://listas.openbsd-br.org/pipermail/openbsd/attachments/20070617/66c69365/attachment-0001.jpe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 10650 bytes
Desc: not available
Url : http://listas.openbsd-br.org/pipermail/openbsd/attachments/20070617/66c69365/attachment-0001.gif


More information about the Openbsd mailing list