I'm sending my PF.CONF so you can have more details of the configuration I have here.

Here it is:

##### START OF FILE #######################
############################################################
### Macros #################################################
############################################################
internal = "vr0"
wts_vpn = "rl0"
external = "rl1"
mpd = "ng0"
local_net = "192.168.247.0/24"
ip_fw_internal = "192.168.247.254"
ip_fw_external = "10.1.1.2"
ip_fw_wts_vpn = "202.4.143.40"
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, \
    172.16.0.0/12, 0.0.0.0/8, 169.254.0.0/16, \
    192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, \
    255.255.255.255/32 }"
table <caixa_ips> { 200.201.173.68 200.201.173.68/32 \
    200.201.166.200 200.201.166.200/32 200.201.174.207 \
    200.201.174.207/32 200.252.47.0/24 200.201.160.0/20 \
    200.201.0.0/16 200.165.60.137/32 200.242.61.4 \
    200.201.173.0/32 }

#--- Filtering statistics LOG --------------------------####
set block-policy drop
set loginterface $external
set loginterface $wts_vpn
set state-policy if-bound

#--- Do not filter on the loopback and NG0 interfaces --####
set skip on lo0
set skip on $mpd

#--- Scrub incoming packets ----------------------------####
scrub on { $external $internal $wts_vpn } all reassemble tcp

############################################################
### NAT for the internal IP addresses in the range       ###
### 192.168.247.0/24 to the routable/valid IP address    ###
### of interface rl0                                     ###
############################################################
nat pass on $external from $local_net to any -> $external
nat pass on $wts_vpn from $local_net to any -> $wts_vpn

############################################################
### Transparent proxy ######################################
############################################################
rdr pass on $internal inet proto tcp from $local_net to any port 3389 -> $ip_fw_wts_vpn
rdr pass on $internal inet proto tcp from $local_net to !<caixa_ips> port 80 -> $ip_fw_internal port 3128

############################################################
### Packet filtering #######################################
############################################################
block all
antispoof quick for { $internal $external $wts_vpn } inet

#--- Loopback @ 127.0.0.1/8 ----------------------------####
pass out quick on lo0 all
pass in quick on lo0 all

#--- NG0 @ 192.168.247.1/24 ----------------------------####
pass out quick on $mpd all modulate state
pass in quick on $mpd all modulate state

#--- Local network @ 192.168.247.254/24 ----------------####
pass out quick on $internal all modulate state
pass in quick on $internal all modulate state
pass in quick on $internal inet proto icmp all modulate state

#--- BrT/WTS_VPN link @ 202.4.143.40/29 ----------------####
block drop out log quick on $wts_vpn from any to $nonroutable
pass out quick on $wts_vpn from any to any modulate state
pass in log quick on $wts_vpn inet proto tcp from 202.37.33.54 to $ip_fw_wts_vpn port 1723 flags S/SA synproxy state
pass in log quick on $wts_vpn inet proto tcp from any to $ip_fw_wts_vpn port 50000 flags S/SA synproxy state
block drop in log quick on $wts_vpn inet proto tcp from any to any flags FUP/FUP
block drop in log quick on $wts_vpn inet proto tcp from any to any flags SF/SFRA
block drop in log quick on $wts_vpn inet proto tcp from any to any flags /SFRA
block drop in quick on $wts_vpn proto tcp from any to any port = 113
block drop in log quick on $wts_vpn inet proto icmp from any to any icmp-type redir
block drop in log quick on $wts_vpn from $nonroutable to any
block drop in log quick on $wts_vpn all
block return

#--- BrT/ADSL link @ 10.1.1.2/8 ------------------------####
block drop out log quick on $external from any to $nonroutable
pass out quick on $external from any to any modulate state
pass in log quick on $external inet proto tcp from any to $ip_fw_external port 50000 flags S/SA synproxy state
block drop in log quick on $external inet proto tcp from any to any flags FUP/FUP
block drop in log quick on $external inet proto tcp from any to any flags SF/SFRA
block drop in log quick on $external inet proto tcp from any to any flags /SFRA
block drop in quick on $external proto tcp from any to any port = 113
block drop in log quick on $external inet proto icmp from any to any icmp-type redir
block drop in log quick on $external from $nonroutable to any
block drop in log quick on $external all
block return
#### END OF FILE #############

On 25/07/07, Welkson Renny de Medeiros <[EMAIL PROTECTED]> wrote:
> Cleyton, it's a wild guess... but here goes... the same thing happened to me...
> if I'm not mistaken it was even "irado" who gave me some tips and I managed to
> solve it... my rules had references to some "domains", and since BSD was still
> starting up it couldn't resolve the domain and didn't load anything...
> (something like: block in on $int_if from any to globo.com)... I don't know if
> the same error applies to PC names registered in the /etc/hosts file... just a
> suggestion! no flames!! :-)
>
>
> --
> Welkson Renny de Medeiros
> Focus Automação Comercial
> Development / Network Management
> [EMAIL PROTECTED]
>
>
>
> Powered by ....
>
>    (__)
>  \\\'',)
>    \/  \ ^
>    .\._/_)
>
> www.FreeBSD.org
>
> ----- Original Message -----
> From: "Cleyton Bertolim" <[EMAIL PROTECTED]>
> To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)" <freebsd@fug.com.br>
> Sent: Wednesday, July 25, 2007 2:29 PM
> Subject: [FUG-BR] it looks like pf isn't reading the rules!
>
>
> Good afternoon, BSD folks!!!!!
>
> Here's the thing: I have a server running FreeBSD-6.2-Stable, with MPD as the
> VPN server on port 1723, and PF as the firewall. The pf rules are working
> perfectly!
>
> When I boot this server, it brings up the VPN, PF starts with no error
> message, I connect to the VPN server remotely, but when I PING from my
> machine into the VPN network I get no reply at all, and when I try to
> access a share over the VPN, that doesn't work either. It's as if the
> network were disconnected!!!
> But if I log into the VPN server over SSH and type: pfctl -f
> /etc/pf.conf, everything starts working normally..... I can ping the
> machines inside the VPN and access their shares too!!!!
>
> It seems things only work after running the command pfctl -f
> /etc/pf.conf !!!!!
>
> Since the /etc/rc.conf file has the instructions to start pf and also
> the pf.conf rules file, it is reading the rules, but in this VPN case
> it seems that even with the VPN connected I have to issue the command
> to reload the PF rules.
>
> Has anyone been through this??
> What should I do??
>
> Thanks in advance!
>
> Cleyton Bertolim.
> -------------------------
> Archive: http://www.fug.com.br/historico/html/freebsd/
> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
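Welkson's guess above (a rule that names a host, such as globo.com, cannot be loaded before DNS is reachable at boot) can be checked before pfctl -f ever runs. The following is an added example, not code from the thread or from pf itself: a POSIX sh function that lists the bare hostnames a pf.conf uses in from/to positions, run here against a constructed sample modelled on the quoted rules; the keyword list that ends an address list and the "letters followed by digits means interface name" rule are assumptions (a short name from /etc/hosts such as host1 would be missed by that rule).

```shell
#!/bin/sh
# Added example: report the hostnames a pf.conf depends on, so a DNS
# dependency at boot is found before the ruleset is loaded.
find_pf_hostnames() {
    # $1 = path to a pf.conf; prints each hostname found after "from"/"to"
    awk '
    { sub(/#.*/, "") }                                            # drop comments
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }  # join "\" continuations
    {
        line = buf $0; buf = ""
        n = split(line, w, /[ \t,{}]+/)        # commas/braces split { a, b } groups
        inaddr = 0
        for (i = 1; i <= n; i++) {
            t = w[i]
            if (t == "") continue
            if (t == "from" || t == "to") { inaddr = 1; continue }
            # keywords that terminate an address list (assumed subset of the pf.conf grammar)
            if (t ~ /^(port|flags|keep|modulate|synproxy|state|proto|inet|inet6|->|os|user|group|label|queue|tag|tagged|icmp-type|code|no|rtable|probability|set|tos|allow-opts)$/) { inaddr = 0; continue }
            if (!inaddr) continue
            sub(/^!/, "", t)                                      # negation prefix
            if (t == "" || t ~ /^(any|self|no-route|urpf-failed)$/) continue
            if (t ~ /^[$<(0-9]/ || t ~ /:/) continue  # macro, <table>, (if), IPv4/IPv6 literal
            if (t ~ /^[a-z]+[0-9]+$/) continue        # looks like an interface name (heuristic)
            print t
        }
    }' "$1" | sort -u
}

make_sample_conf() {
    # Constructed test input (not the thread's file), modelled on the quoted rules
    cat > "$1" <<'EOF'
int_if = "vr0"
ext_if = "rl1"
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, \
    172.16.0.0/12 }"
table <caixa_ips> { 200.201.173.68 200.201.166.200 }
rdr pass on $int_if inet proto tcp from 192.168.247.0/24 to !<caixa_ips> port 80 -> 192.168.247.254 port 3128
block in on $int_if from any to globo.com            # needs DNS at load time
pass in log quick on $ext_if inet proto tcp from 202.37.33.54 to ($ext_if) port 1723 flags S/SA synproxy state
pass out on $ext_if from { $int_if, mail.example.net } to any keep state
block drop out log quick on $ext_if from any to $nonroutable
EOF
}

conf=$(mktemp)
make_sample_conf "$conf"
find_pf_hostnames "$conf"    # prints: globo.com and mail.example.net
rm -f "$conf"
```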