[OpenBSD-BR] RE: RE: Load Balance problem.
Luciano M. Mercucci
lmercucci at hotmail.com
Thu Nov 1 00:30:20 BRST 2007
The only thing I see wrong is your network configuration, given the mask
you are using on re2 and re3.
By my calculation:
IP:        76.248.141.130
Network:   76.248.141.128
Gateway:   76.248.141.129
Broadcast: 76.248.141.135
re2 would be correct.
But re3 has re2's broadcast IP. The next possible network for this mask would be
network 76.248.141.136, IPs x.x.x.137 to x.x.x.142 and broadcast x.x.x.144.
If you did not reboot the machine after changing /etc/sysctl.conf, you can
run the two lines by hand:
# sysctl net.inet.ip.multipath=1
# sysctl net.inet6.ip6.multipath=1
One idea would be to test the balancing with two links, re1 and re2.
On my firewall I created scripts for each single link, for each pair of links
and for all 3 together, so if one goes down I can switch to any link.
Script link3x.sh
---------------- start ---------------------
route delete default 201.x.x.1
route delete default 200.x.x.1
route delete default 189.x.x.1
route add -mpath default 189.x.x.1
route add -mpath default 201.x.x.1
route add -mpath default 200.x.x.1
pfctl -f /etc/pf3x.conf
---------------- end ----------------------
Pf3x.conf
---------------- start ---------------------
#***& INTERNAL LINKS &***#
# Network 1
lan_net1 = "192.168.1.0/24"
int_if1 = "rl0"
int_gw1 = "192.168.1.1"
# Network 2
lan_net2 = "192.168.2.0/24"
int_if2 = "rl1"
int_gw2 = "192.168.2.1"
#***& INTERNET LINKS &***#
#Virtua 600Kbps
ext_if1 = "ste0"
ext_gw1 = "200.x.x.1"
ext_ip1 = "200.x.x.200"
#Speed
ext_if2 = "xl0"
ext_gw2 = "189.x.x.1"
ext_ip2 = "189.x.x.200"
#Virtua 1Mbps
ext_if3 = "fxp0"
ext_gw3 = "201.x.x.1"
ext_ip3 = "201.x.x.200"
#***& Server variables &***#
# App
SRV_RS_WEB2 = "192.168.1.15"
SRV_RS_WEB1 = "192.168.1.16"
SRV_RS_MAIL = "192.168.1.15"
# Game
SRV_SYSSUB = "192.168.1.16"
SRV_COUNTS = "192.168.1.11"
SRV_CS_UDP = "{ 1200, 27000, 27001, 27002, 27003, 27004, 27005, 27006,
27007, 27008, 27009, 27010, 27011, 27012, 27013, 27014, 27015, 27020 }"
SRV_CS_TCP = "{ 5273, 27015, 7002, 27030, 27031, 27032, 27033, 27034, 27035,
27036, 27037, 27038, 27039, 27040 }"
SRV_EMULET = "{ 38154 }"
SRV_EMULEU = "{ 38164 }"
IPGERE = "{ 201.x.x.x , 200.x.x.x , 200.x.x.x }"
set skip on lo0
set optimization high-latency
# LAN1 <--> LAN2
nat on $int_if1 from any to $lan_net1 -> $int_if1
nat on $int_if2 from any to $lan_net2 -> $int_if2
# Internal networks to the INTERNET
nat on $ext_if1 from { $lan_net1 , $lan_net2 } to any -> ($ext_if1)
nat on $ext_if2 from { $lan_net1 , $lan_net2 } to any -> ($ext_if2)
nat on $ext_if3 from { $lan_net1 , $lan_net2 } to any -> ($ext_if3)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if1 proto tcp to port ftp -> 192.168.1.1 port 8021
rdr pass on $int_if2 proto tcp to port ftp -> 192.168.2.1 port 8021
rdr pass on $int_if1 proto tcp to port 80 -> 192.168.1.1 port 3128
rdr pass on $int_if2 proto tcp to port 80 -> 192.168.2.1 port 3128
rdr on $ext_if1 proto udp from any to any port $SRV_CS_UDP -> $SRV_COUNTS
rdr on $ext_if1 proto tcp from any to any port $SRV_CS_TCP -> $SRV_COUNTS
rdr on $ext_if2 proto udp from any to any port $SRV_CS_UDP -> $SRV_COUNTS
rdr on $ext_if2 proto tcp from any to any port $SRV_CS_TCP -> $SRV_COUNTS
rdr on $ext_if3 proto udp from any to any port $SRV_CS_UDP -> $SRV_COUNTS
rdr on $ext_if3 proto tcp from any to any port $SRV_CS_TCP -> $SRV_COUNTS
# Allow everything LAN1 - LAN2
pass in quick on $int_if1 from $lan_net1 to any keep state
pass in quick on $int_if2 from $lan_net2 to any keep state
# CS
pass in quick on $ext_if1 inet proto tcp from any to any port $SRV_CS_TCP
flags S/SA synproxy state
pass in quick on $ext_if1 inet proto udp from any to any port $SRV_CS_UDP
synproxy state
pass in quick on $ext_if2 inet proto tcp from any to any port $SRV_CS_TCP
flags S/SA synproxy state
pass in quick on $ext_if2 inet proto udp from any to any port $SRV_CS_UDP
synproxy state
pass in quick on $ext_if3 inet proto tcp from any to any port $SRV_CS_TCP
flags S/SA synproxy state
pass in quick on $ext_if3 inet proto udp from any to any port $SRV_CS_UDP
synproxy state
#SSH
pass in quick on $ext_if1 proto tcp from $IPGERE to $ext_ip1 port 22 keep
state
pass in quick on $ext_if2 proto tcp from $IPGERE to $ext_ip2 port 22 keep
state
pass in quick on $ext_if3 proto tcp from $IPGERE to $ext_ip3 port 22 keep
state
# accept (quick) any packets destined to the gateway itself
pass in quick on $int_if1 from $lan_net1 to $int_if1
pass in quick on $int_if2 from $lan_net2 to $int_if2
# Load-balance the internal network's traffic.
anchor "ftp-proxy/*"
# HTTPS - Bradesco in particular causes problems, because the destination IP changes.
pass in quick on $int_if1 route-to { ($ext_if1 $ext_gw1) } round-robin proto
tcp from $lan_net1 to any port 443 flags S/SA modulate state
pass in quick on $int_if2 route-to { ($ext_if1 $ext_gw1) } round-robin proto
tcp from $lan_net2 to any port 443 flags S/SA modulate state
# Remaining traffic
pass in on $int_if1 route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2),
($ext_if3 $ext_gw3) } round-robin proto tcp from any to any flags S/SA
modulate state
pass in on $int_if2 route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2),
($ext_if3 $ext_gw3) } round-robin proto tcp from any to any flags S/SA
modulate state
# load-balance udp and icmp packets coming from the internal network
pass in on $int_if1 route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2),
($ext_if3 $ext_gw3) } round-robin proto { udp, icmp } from any to any keep
state
pass in on $int_if2 route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2),
($ext_if3 $ext_gw3) } round-robin proto { udp, icmp } from any to any keep
state
# general "pass out" rules for the external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if3 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if3 proto { udp, icmp } from any to any keep state
# packets carrying $ext_if2's address always leave via $ext_gw2 even if the
# routing table chose $ext_if1, and likewise for the other links
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
block in
#block out
---------------------- end ----------------------
If you want the script for 2 links:
Script link2x.sh
--------------- start -----------------
route delete default 201.x.x.1
route delete default 200.x.x.1
route delete default 189.x.x.1
route add -mpath default 189.x.x.1
route add -mpath default 201.x.x.1
pfctl -f /etc/pf2x.conf
---------------- end ------------------
Pf2x.conf
--------------- start -----------------
#***& INTERNAL LINKS &***#
# Network 1
lan_net1 = "192.168.1.0/24"
int_if1 = "rl0"
int_gw1 = "192.168.1.1"
# Network 2
lan_net2 = "192.168.2.0/24"
int_if2 = "rl1"
int_gw2 = "192.168.2.1"
#***& INTERNET LINKS &***#
#Speed
ext_if2 = "xl0"
ext_gw2 = "189.x.x.1"
ext_ip2 = "189.x.x.200"
#Virtua 1Mbps
ext_if3 = "fxp0"
ext_gw3 = "201.x.x.1"
ext_ip3 = "201.x.x.200"
#***& Server variables &***#
# LAN
SRV_RS_WEB2 = "192.168.2.15"
SRV_RS_WEB1 = "192.168.2.16"
SRV_RS_MAIL = "192.168.2.15"
# DMZ
SRV_SYSSUB = "192.168.2.16"
SRV_COUNTS = "192.168.2.11"
SRV_CS_UDP = "{ 1200, 27000, 27001, 27002, 27003, 27004, 27005, 27006,
27007, 27008, 27009, 27010, 27011, 27012, 27013, 27014, 27015, 27020 }"
SRV_CS_TCP = "{ 5273, 27015, 7002, 27030, 27031, 27032, 27033, 27034, 27035,
27036, 27037, 27038, 27039, 27040 }"
SRV_EMULET = "{ 38154 }"
SRV_EMULEU = "{ 38164 }"
IPGERE = "{ 201.x.x.x , 200.x.x.x , 200.x.x.x }"
set skip on lo0
set optimization high-latency
# LAN 1 <--> LAN 2
nat on $int_if1 from any to $lan_net1 -> $int_if1
nat on $int_if2 from any to $lan_net2 -> $int_if2
# Internal networks to the INTERNET
nat on $ext_if2 from { $lan_net1 , $lan_net2 } to any -> ($ext_if2)
nat on $ext_if3 from { $lan_net1 , $lan_net2 } to any -> ($ext_if3)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if1 proto tcp to port ftp -> 192.168.1.1 port 8021
rdr pass on $int_if2 proto tcp to port ftp -> 192.168.2.1 port 8021
rdr pass on $int_if1 proto tcp to port 80 -> 192.168.1.1 port 3128
rdr pass on $int_if2 proto tcp to port 80 -> 192.168.2.1 port 3128
rdr on $ext_if2 proto udp from any to any port $SRV_CS_UDP -> $SRV_COUNTS
rdr on $ext_if2 proto tcp from any to any port $SRV_CS_TCP -> $SRV_COUNTS
rdr on $ext_if3 proto udp from any to any port $SRV_CS_UDP -> $SRV_COUNTS
rdr on $ext_if3 proto tcp from any to any port $SRV_CS_TCP -> $SRV_COUNTS
# Allow everything LAN 1 <--> LAN 2
pass in quick on $int_if1 from $lan_net1 to any keep state
pass in quick on $int_if2 from $lan_net2 to any keep state
# CS SUB
pass in quick on $ext_if2 inet proto tcp from any to any port $SRV_CS_TCP
flags S/SA synproxy state
pass in quick on $ext_if2 inet proto udp from any to any port $SRV_CS_UDP
synproxy state
pass in quick on $ext_if3 inet proto tcp from any to any port $SRV_CS_TCP
flags S/SA synproxy state
pass in quick on $ext_if3 inet proto udp from any to any port $SRV_CS_UDP
synproxy state
#SSH
pass in quick on $ext_if2 proto tcp from $IPGERE to $ext_ip2 port 22 keep
state
pass in quick on $ext_if3 proto tcp from $IPGERE to $ext_ip3 port 22 keep
state
# accept (quick) any packets destined to the gateway itself
pass in quick on $int_if1 from $lan_net1 to $int_if1
pass in quick on $int_if2 from $lan_net2 to $int_if2
# Load-balance the internal network's traffic.
anchor "ftp-proxy/*"
# HTTPS
pass in quick on $int_if1 route-to { ($ext_if2 $ext_gw2) } round-robin proto
tcp from $lan_net1 to any port 443 flags S/SA modulate state
pass in quick on $int_if2 route-to { ($ext_if2 $ext_gw2) } round-robin proto
tcp from $lan_net2 to any port 443 flags S/SA modulate state
# Remaining traffic
pass in on $int_if1 route-to { ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) }
round-robin proto tcp from any to any flags S/SA modulate state
pass in on $int_if2 route-to { ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) }
round-robin proto tcp from any to any flags S/SA modulate state
# load-balance udp and icmp packets coming from the internal network
pass in on $int_if1 route-to { ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) }
round-robin proto { udp, icmp } from any to any keep state
pass in on $int_if2 route-to { ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) }
round-robin proto { udp, icmp } from any to any keep state
# general "pass out" rules for the external interfaces
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
pass out on $ext_if3 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if3 proto { udp, icmp } from any to any keep state
# packets carrying $ext_if3's address always leave via $ext_gw3 even if the
# routing table chose $ext_if2, and the other way round
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
block in
#block out
---------------- end ------------------
Well, this is what I use. If anyone has any suggestions about my scripts,
that would be good.
I still want to add QoS and CARP, but only when I have more time; I am
already studying for it.
Luciano
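The /29 arithmetic Luciano does by hand above, as an added example that is not code from the message: it parses hostname.if-style bodies (the `inet ADDR MASK NONE` and `!route add -mpath default GW` lines quoted further down in this thread), computes network and broadcast for each uplink with Python's standard `ipaddress` module, and flags an address that is the network or broadcast, a gateway outside its own subnet, and two uplinks configured inside the same subnet. The three interface bodies in `POSTED` are transcribed from the thread; the assumption is that the files contain nothing beyond those two lines, and the function names are mine.

```python
"""Address-plan check for /29 uplinks (added example, not from the thread).

Parses hostname.if-style bodies, computes network and broadcast for each
uplink with the standard ipaddress module, and reports:
  - an interface address equal to the network or broadcast address,
  - a gateway that is not inside the interface's own subnet,
  - two uplinks configured inside the same subnet.
"""
import ipaddress

# Constructed input: the three hostname.re* bodies posted later in this
# thread (assumption: the files contain nothing beyond these two lines).
POSTED = {
    "re1": "inet 68.74.34.125 255.255.255.248 NONE\n"
           "!route add -mpath default 68.74.34.124",
    "re2": "inet 76.248.141.130 255.255.255.248 NONE\n"
           "!route add -mpath default 76.248.141.129",
    "re3": "inet 76.248.141.135 255.255.255.248 NONE\n"
           "!route add -mpath default 76.248.141.134",
}


def parse_hostname_if(text):
    """Return (address, netmask, gateway-or-None) from a hostname.if body.

    Understands the 'inet ADDR MASK ...' line and an optional
    '!route add -mpath default GW' line; anything else is ignored.
    """
    addr = mask = gw = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "inet":
            addr, mask = parts[1], parts[2]
        elif len(parts) >= 5 and parts[:4] == ["!route", "add", "-mpath", "default"]:
            gw = parts[4]
    if addr is None:
        raise ValueError("no 'inet' line in hostname.if body")
    return addr, mask, gw


def check_plan(config):
    """Return a list of (interface, problem) pairs; empty means the plan is clean."""
    problems = []
    nets = {}
    for ifname, body in config.items():
        addr, mask, gw = parse_hostname_if(body)
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        net = iface.network
        nets[ifname] = net
        if iface.ip == net.network_address:
            problems.append((ifname, f"{addr} is the network address of {net}"))
        if iface.ip == net.broadcast_address:
            problems.append((ifname, f"{addr} is the broadcast address of {net}"))
        if gw is not None and ipaddress.ip_address(gw) not in net:
            problems.append((ifname, f"gateway {gw} is outside {net}"))
    # Two uplinks in one subnet: the connected route for that prefix can
    # only point at one of them, so the other link is never used.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append((a, f"subnet {nets[a]} overlaps {b} ({nets[b]})"))
    return problems


if __name__ == "__main__":
    for ifname, problem in check_plan(POSTED):
        print(f"{ifname}: {problem}")
```

Run against the posted files it reports re3 as the broadcast address of 76.248.141.128/29 and re2/re3 as sharing that subnet; re1 (68.74.34.120/29, gateway .124) passes. Any re3 address in the next /29 with a gateway inside it clears both findings.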
From: openbsd-bounces at openbsd-br.org [mailto:openbsd-bounces at openbsd-br.org]
On Behalf Of Luis Gatti
Sent: Wednesday, October 31, 2007 20:21
To: 'OpenBSD-BR'
Subject: Re: [OpenBSD-BR] RE: Load Balance problem.
Hello
I followed the suggestions below but I still have the same problem: all my
traffic keeps going out through only one gateway.
The changes made were the following:
Lines added to pf.conf:
# packets carrying $ext_if_2's address always leave via $ext_gw_2 even if the
# routing table chose $ext_if_1, and likewise for the other links
pass out on $ext_if_1 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2 to any
pass out on $ext_if_1 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3 to any
pass out on $ext_if_2 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1 to any
pass out on $ext_if_2 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3 to any
pass out on $ext_if_3 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1 to any
pass out on $ext_if_3 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2 to any
/etc/mygate empty
Changes in:
/etc/hostname.re1
inet 68.74.34.125 255.255.255.248 NONE
!route add -mpath default 68.74.34.124
/etc/hostname.re2
inet 76.248.141.130 255.255.255.248 NONE
!route add -mpath default 76.248.141.129
/etc/hostname.re3
inet 76.248.141.135 255.255.255.248 NONE
!route add -mpath default 76.248.141.134
Changes in:
/etc/sysctl.conf
net.inet.ip.multipath=1    # 1=Enable Multipath for IPv4
net.inet6.ip6.multipath=1  # 1=Enable Multipath for IPv6
# route -n show |grep default
default 68.74.34.124 UGS 0 12648 - re1
default 76.248.141.129 UGS 0 0 - re2
default 76.248.141.134 UGS 0 0 - re3
tcpdump -i <interface>: traffic only on interface re0
traceroute -n www.xxx.xxx: always goes out through gateway 68.74.34.124
Thanks
Luis Gatti
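The checks in this message (`route -n show`, tcpdump on one interface, a traceroute run on the gateway itself) cannot show whether pf's `route-to` is spreading LAN connections. `route-to` in a `pass in on $int_if` rule acts only on packets the firewall forwards from that interface; packets the firewall itself originates, including a traceroute run on it and the outbound connections of the proxy on port 3128 that the `rdr` rule hands LAN web traffic to, follow the kernel routing table, where OpenBSD picks one of the `-mpath` default routes per source/destination address pair, so a single traceroute target always shows the same gateway. A direct measurement is to count the states pf holds per uplink while LAN hosts are browsing. The script below is an added example, not code from the message: it reads `pfctl -ss` output, the `SAMPLE` lines are a constructed sample in the shape pfctl prints (interface, protocol, source with the pre-NAT address in parentheses, direction arrow, destination, state), and the function names are mine.

```python
"""Count pf states per uplink from 'pfctl -ss' output (added example).

'route -n show' only proves the multipath routes exist; to see whether
route-to is spreading LAN connections over the links, count the states
pf keeps per external interface.
"""
from collections import Counter

UPLINKS = ("re1", "re2", "re3")

# Constructed sample in the shape 'pfctl -ss' prints:
#   IFACE PROTO SRC:PORT [(PRE-NAT-SRC:PORT)] -> DST:PORT   STATE:STATE
# Remote addresses are made up; uplink addresses are the thread's.
SAMPLE = """\
re1 tcp 68.74.34.125:52113 (10.25.1.20:1055) -> 200.221.2.45:443       ESTABLISHED:ESTABLISHED
re2 tcp 76.248.141.130:61020 (10.25.1.21:1301) -> 72.14.207.99:443       ESTABLISHED:ESTABLISHED
re1 udp 68.74.34.125:49812 (10.25.1.22:1024) -> 200.160.0.1:53       MULTIPLE:MULTIPLE
re2 udp 76.248.141.130:50223 (10.25.1.20:1025) -> 200.160.0.1:53       MULTIPLE:MULTIPLE
re3 tcp 76.248.141.135:40001 (10.25.1.23:1500) -> 64.233.187.99:443       TIME_WAIT:TIME_WAIT
re0 tcp 127.0.0.1:3128 (10.25.1.2:80) <- 10.25.1.20:1056       ESTABLISHED:ESTABLISHED
"""


def parse_states(text):
    """Yield (iface, proto, lan_host, remote_host) per state line.

    The pre-NAT source in parentheses, when present, is the LAN host;
    the address after the direction arrow is the remote end.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        iface, proto = parts[0], parts[1]
        arrow = next((i for i, p in enumerate(parts) if p in ("->", "<-", "<->")), None)
        if arrow is None:
            continue
        pre_nat = next((p for p in parts[2:arrow] if p.startswith("(")), None)
        local = (pre_nat.strip("()") if pre_nat else parts[2]).rsplit(":", 1)[0]
        remote = parts[arrow + 1].rsplit(":", 1)[0]
        yield iface, proto, local, remote


def states_per_uplink(text, uplinks=UPLINKS):
    """Return {uplink: number of states}, zero for uplinks carrying nothing."""
    counts = Counter(st[0] for st in parse_states(text) if st[0] in uplinks)
    return {u: counts.get(u, 0) for u in uplinks}


def idle_uplinks(text, uplinks=UPLINKS):
    """Uplinks that hold no state at all: round-robin is not reaching them."""
    return [u for u, n in states_per_uplink(text, uplinks).items() if n == 0]


def lan_hosts_per_uplink(text, uplinks=UPLINKS):
    """Return {uplink: sorted LAN hosts seen behind it}, to spot a LAN host
    that always lands on the same link."""
    hosts = {u: set() for u in uplinks}
    for iface, _proto, local, _remote in parse_states(text):
        if iface in hosts:
            hosts[iface].add(local)
    return {u: sorted(h) for u, h in hosts.items()}


if __name__ == "__main__":
    # On the gateway: pfctl -ss | python3 thisfile.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(states_per_uplink(text))
    print("idle:", idle_uplinks(text))
```

If every state sits on the interface named in the old /etc/mygate and the others stay at zero while LAN hosts open new connections, the route-to rules are not being applied to those packets; `pfctl -vsr` then shows which rule is taking the hits.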
From: openbsd-bounces at openbsd-br.org [mailto:openbsd-bounces at openbsd-br.org]
On Behalf Of Luciano M. Mercucci
Sent: Sunday, October 28, 2007 5:42 PM
To: 'OpenBSD-BR'
Subject: [OpenBSD-BR] RE: Load Balance problem.
Hello,
For this configuration there are two catches. One is the routing: in your
case you have 3 default gateways. I have heard of configuring the Speed/Virtua
routers to talk to OpenBSD through a routing protocol, but I never tested it.
The other way would be to use mpath; for that configuration you must leave
/etc/mygate empty and use some script at startup with the routing lines. E.g.:
route add -mpath default 189.x.x.1
route add -mpath default 201.x.x.1
route add -mpath default 200.x.x.1
You can do this and reboot the machine, but if you are remote over one of the
links you will lose the connection.
Delete the default route
# route delete default
# route add -mpath default 189.x.x.1
# route add -mpath default 201.x.x.1
# route add -mpath default 200.x.x.1
# route -n show | grep default
The 3 should show up as default:
# route -n show | grep default
Destination   Gateway      Flags  Refs  Use    Mtu  Interface
default       189.x.x.1    UGS    0     83108  -    xl0
default       201.x.x.1    UGS    1     67014  -    ste0
default       200.x.x.1    UGS    1     68148  -    fxp0
Another thing missing from your script, which can make browsing very slow or
nearly dead, is defining the route for each IP with its interface. This
configuration goes at the end of your script:
# packets carrying $ext_if2's address always leave via $ext_gw2 even if the
# routing table chose $ext_if1, and likewise for the other links
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
From: openbsd-bounces at openbsd-br.org [mailto:openbsd-bounces at openbsd-br.org]
On Behalf Of Luis Gatti
Sent: Monday, October 15, 2007 23:41
To: openbsd at openbsd-br.org
Subject: [OpenBSD-BR] Load Balance problem.
Greetings friends,
I am having problems configuring my server for load balancing and failover.
My configuration is as follows:
3 DSL connections, 3 Mbps
/etc/mygate
68.74.34.124
/etc/hostname.re0
inet 10.25.1.2 255.255.255.0 NONE
/etc/hostname.re1
inet 68.74.34.125 255.255.255.248 NONE
/etc/hostname.re2
inet 76.248.141.130 255.255.255.248 NONE
/etc/hostname.re3
inet 76.248.141.135 255.255.255.248 NONE
My first attempt was to use round-robin in pf.conf. pf.conf loads, but only
interface re1, which goes out through the gateway specified in mygate, receives
traffic, as can be seen with tcpdump -i re1..3.
On another discussion group I was advised to use trunks, but I found no
documentation about it.
Any help is welcome.
Here is a copy of pf.conf:
# macros
int_if = "re0"
ext_if_1 = "re1"
ext_if_2 = "re2"
ext_if_3 = "re3"
ext_gw_1 = "68.74.34.124"
ext_gw_2 = "76.248.141.129"
ext_gw_3 = "76.248.141.134"
dmz_if = ""
vpn_if = ""
loop = "lo0"
# blocked Attack
blocked = "{ 207.46.1.3/32 }"
# ports
tcp_services = "{ 20, 21, 50, 80, 222, 443, 500 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12 }"
# redirect Computer
comp1 = ""
# options
set block-policy return
set loginterface $ext_if_1
set loginterface $ext_if_2
set loginterface $ext_if_3
set optimization normal
set skip on $loop
# scrub
scrub in all
# nat
nat on $ext_if_1 from $int_if:network to any -> ($ext_if_1) static-port
nat on $ext_if_2 from $int_if:network to any -> ($ext_if_2) static-port
nat on $ext_if_3 from $int_if:network to any -> ($ext_if_3) static-port
# Proxy
#rdr pass on $int_if proto tcp to port http -> 127.0.0.1 port 3128
rdr pass on $int_if proto tcp to !10.25.1.2/32 port http -> 127.0.0.1 port
3128 round-robin sticky-address
# filter rules
block in log on $ext_if_1 all
block in log on $ext_if_2 all
block in log on $ext_if_3 all
block out log on $ext_if_1 all
block out log on $ext_if_2 all
block out log on $ext_if_3 all
# loopback
pass quick on lo0 all
pass in on $ext_if_1 inet proto icmp from any to $ext_if_1 icmp-type
$icmp_types keep state
pass in on $ext_if_2 inet proto icmp from any to $ext_if_2 icmp-type
$icmp_types keep state
pass in on $ext_if_3 inet proto icmp from any to $ext_if_3 icmp-type
$icmp_types keep state
# Block
block drop in quick on $ext_if_1 from $priv_nets to any
block drop in quick on $ext_if_2 from $priv_nets to any
block drop in quick on $ext_if_3 from $priv_nets to any
block drop in quick on $ext_if_1 from $blocked to any
block drop in quick on $ext_if_2 from $blocked to any
block drop in quick on $ext_if_3 from $blocked to any
block drop out quick on $ext_if_1 from any to $priv_nets
block drop out quick on $ext_if_2 from any to $priv_nets
block drop out quick on $ext_if_3 from any to $priv_nets
# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
{ ($ext_if_1 $ext_gw_1), ($ext_if_2 $ext_gw_2), ($ext_if_3
$ext_gw_3) } round-robin \
proto tcp from $int_if:network to any flags S/SA modulate state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
{ ($ext_if_1 $ext_gw_1), ($ext_if_2 $ext_gw_2), ($ext_if_3
$ext_gw_3) } round-robin \
proto { udp, icmp } from $int_if:network to any keep state
# general "pass out" rules for external interfaces
pass in on $ext_if_1 inet proto tcp from any to ($ext_if_1) port
$tcp_services flags S/SA keep state
pass in on $ext_if_2 inet proto tcp from any to ($ext_if_2) port
$tcp_services flags S/SA keep state
pass in on $ext_if_3 inet proto tcp from any to ($ext_if_3) port
$tcp_services flags S/SA keep state
pass in on $ext_if_1 inet proto udp from any to ($ext_if_1) port 4500 keep
state
pass in on $ext_if_2 inet proto udp from any to ($ext_if_2) port 4500 keep
state
pass in on $ext_if_3 inet proto udp from any to ($ext_if_3) port 4500 keep
state
pass in on $ext_if_1 inet proto tcp from port 20 to ($ext_if_1) user proxy
flags S/SA keep state
pass in on $ext_if_2 inet proto tcp from port 20 to ($ext_if_2) user proxy
flags S/SA keep state
pass in on $ext_if_3 inet proto tcp from port 20 to ($ext_if_3) user proxy
flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if_1 proto tcp all modulate state flags S/SA
pass out on $ext_if_2 proto tcp all modulate state flags S/SA
pass out on $ext_if_3 proto tcp all modulate state flags S/SA
pass out on $ext_if_1 proto { udp, icmp } all keep state
pass out on $ext_if_2 proto { udp, icmp } all keep state
pass out on $ext_if_3 proto { udp, icmp } all keep state
# VPN
pass in quick on $ext_if_1 proto esp from any to any
pass in quick on $ext_if_2 proto esp from any to any
pass in quick on $ext_if_3 proto esp from any to any
pass out quick on $ext_if_1 proto esp from any to any
pass out quick on $ext_if_2 proto esp from any to any
pass out quick on $ext_if_3 proto esp from any to any
pass in quick on enc0 proto ipencap all
pass in quick on enc0 from any to any
pass out quick on enc0 from any to any
pass in quick on $ext_if_1 proto udp from any to any port isakmp
pass in quick on $ext_if_2 proto udp from any to any port isakmp
pass in quick on $ext_if_3 proto udp from any to any port isakmp
pass out quick on $ext_if_1 proto udp from any to any port isakmp
pass out quick on $ext_if_2 proto udp from any to any port isakmp
pass out quick on $ext_if_3 proto udp from any to any port isakmp
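Why the route-to rules in the pf.conf above never see the LAN traffic, as an added example that is not code from the thread: pf applies the last matching rule unless a match is marked `quick`, which stops evaluation there, and `route-to` belongs to the rule that wins. In the pf.conf above, `pass in on $int_if from $int_if:network to any keep state` comes after the two route-to rules and matches the same packets, so it wins and those packets follow the ordinary routing table (where the single mygate gateway is used). In Luciano's pf3x.conf earlier in the thread the opposite ordering has the same effect: `pass in quick on $int_if1 from $lan_net1 to any keep state` comes first with `quick`, so the route-to rules below it are never reached. The evaluator below implements that order for the subset of syntax those rules use. The rule texts are transcribed from the posted configs with interface and LAN macros expanded (re0 and 10.25.1.0/24; rl0 and 192.168.1.0/24); Luciano's masked gateways are left as macros, the packets are constructed, and the function names are mine. On a live box `pfctl -vsr` tells the same story through the per-rule packet counters.

```python
"""Which pf rule actually applies to a packet? (added example, not from the thread)

pf evaluates filter rules top to bottom and the LAST matching rule wins,
unless a matching rule carries 'quick', which stops evaluation there.
route-to is a property of the rule that wins, so a route-to rule that is
followed by a plain 'pass' matching the same packets, or preceded by a
'quick' pass, never routes anything.  Only the subset of pf.conf syntax
used by the rules in this thread is understood.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^pass\s+(?P<dir>in|out)(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"(?P<routeto>\s+route-to\s+(?:\{[^}]*\}|\([^)]*\)))?(?:\s+round-robin)?"
    r"(?:\s+inet)?(?:\s+proto\s+(?P<proto>\{[^}]*\}|\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<port>\d+))?"
)


def _net(token):
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    """Parse 'pass in|out [quick] on IF [route-to ...] [proto P] from A to B [port N] ...'."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: " + line)
    protos = None
    if m.group("proto"):
        protos = {p for p in re.split(r"[{},\s]+", m.group("proto")) if p}
    return {
        "text": line.strip(),
        "dir": m.group("dir"),
        "quick": m.group("quick") is not None,
        "iface": m.group("iface"),
        "route_to": m.group("routeto") is not None,
        "protos": protos,
        "src": _net(m.group("src")),
        "dst": _net(m.group("dst")),
        "port": int(m.group("port")) if m.group("port") else None,
    }


def matches(rule, pkt):
    """True if direction, interface, proto, addresses and port all match pkt."""
    return (rule["dir"] == pkt["dir"] and rule["iface"] == pkt["iface"]
            and (rule["protos"] is None or pkt["proto"] in rule["protos"])
            and (rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"])
            and (rule["port"] is None or rule["port"] == pkt.get("dport")))


def winning_rule(rules, pkt):
    """The rule pf applies: the last match, or the first match marked quick."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule["quick"]:
                break
    return winner


def route_to_applies(rules, pkt):
    """True only if the winning rule carries route-to."""
    winner = winning_rule(rules, pkt)
    return winner is not None and winner["route_to"]


# Luis Gatti's LAN rules with macros expanded (int_if = re0,
# int_if:network = 10.25.1.0/24); trailing options kept as posted.
RULES_GATTI = [parse_rule(l) for l in """
pass in on re0 route-to { (re1 68.74.34.124), (re2 76.248.141.129), (re3 76.248.141.134) } round-robin proto tcp from 10.25.1.0/24 to any flags S/SA modulate state
pass in on re0 route-to { (re1 68.74.34.124), (re2 76.248.141.129), (re3 76.248.141.134) } round-robin proto { udp, icmp } from 10.25.1.0/24 to any keep state
pass in on re0 from 10.25.1.0/24 to any keep state
""".strip().splitlines()]

# Luciano's pf3x.conf rules for LAN1 (int_if1 = rl0, lan_net1 = 192.168.1.0/24);
# gateway macros left unexpanded because the message masks them as x.x.x.
RULES_MERCUCCI = [parse_rule(l) for l in """
pass in quick on rl0 from 192.168.1.0/24 to any keep state
pass in quick on rl0 route-to { ($ext_if1 $ext_gw1) } round-robin proto tcp from 192.168.1.0/24 to any port 443 flags S/SA modulate state
pass in on rl0 route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } round-robin proto tcp from any to any flags S/SA modulate state
""".strip().splitlines()]

# Constructed packets: a LAN host opening an HTTPS connection (remote address made up).
LAN_HTTPS_GATTI = {"dir": "in", "iface": "re0", "proto": "tcp",
                   "src": "10.25.1.20", "dst": "200.221.2.45", "dport": 443}
LAN_HTTPS_MERCUCCI = dict(LAN_HTTPS_GATTI, iface="rl0", src="192.168.1.20")

if __name__ == "__main__":
    for name, rules, pkt in (("gatti", RULES_GATTI, LAN_HTTPS_GATTI),
                             ("mercucci", RULES_MERCUCCI, LAN_HTTPS_MERCUCCI)):
        w = winning_rule(rules, pkt)
        print(f"{name}: route-to applies = {w['route_to']}; winning rule: {w['text']}")
```

For both rule sets the winner is the plain `pass` rule, so route-to is never applied. Moving the catch-all `pass in on $int_if from $int_if:network to any keep state` above the route-to rules (or giving the route-to rules `quick`) makes a route-to rule the last match for LAN packets.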