Ola,
sou usuario de openBSD há muitos anos.
Sempre utilizei para firewall.
Recebi uma maquina de uma outra área da minha empresa para eu usar como
firewall só que o openbsd nao é compativel com ela. ( maldita controladora
Adaptec).
Para resolver este problema, resolvi instalar o FreeBSD nesta maquina q é uma
IBM x3550.
Habilitei o pf no rc.conf e recompilei o kernel para usar o altq futuramente.
Já consegui compartilhar a internet para minha rede local, o problema é que nao
consegui rotear / liberar o acesso a rede 10.100.0.0 ( minha rede mpls) para a
rede local.
Só que nao consigo pingar nem acessar esta maquina 10.100.0.5 dos clientes que
estao usando o freebsd como gateway.
Só para constar: estou achando o freebsd bem mas rapido do que o openbsd.
Segue abaixo os arquivos de conf utilizados.
FW2# cat rc.conf
# -- sysinstall generated deltas -- # Fri Oct 31 08:57:07 2008
# Created: Fri Oct 31 08:57:07 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
ken_securelevel="1"
kern_securelevel_enable="YES"
pf_enable="YES"
defaultrouter="189.xxx.xxx.xxx"
gateway_enable="YES"
hostname="FW2.CMT"
ifconfig_bce0="inet 189.xxx.xxx.3 netmask 255.255.255.248"
ifconfig_bce1="inet 10.10.100.252 netmask 255.255.0.0"
inetd_enable="YES"
keymap="br275.cp850"
linux_enable="YES"
sshd_enable="YES"
FW2#
FW2# cat rc.local
#alias
ifconfig bce1 alias 10.100.1.4 netmask 255.255.255.192 up
#rotas
route add 10.100.0.0/24 10.100.1.1
FW2#
FW2# cat pf.conf
# variaveis
ext_if = "bce0"
int_if = "bce1"
cmt_lan = "10.10.0.0/24"
cmt_lan_ti = "10.10.20.0/24"
cmt_lan_callcenter = "10.10.60.0/24"
rede_mpls = " 10.100.0.0/24 "
tcp_out_ports = "{ 53, 80, 443 }"
# run time options
scrub in all
# nat
nat on $ext_if from $cmt_lan to any port $tcp_out_ports tag CMT_LAN -> ($ext_if)
nat on $ext_if from $cmt_lan_ti to any tag CMT_LAN_TI -> ($ext_if)
nat on $ext_if from $cmt_lan_callcenter port $tcp_out_ports to any tag
CMT_LAN_CALLCENTER -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $cmt_lan_ti to any port 21 -> \
127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out proto tcp from any to any port 21
pass in on $int_if from any to any modulate state
pass out on $int_if from any to any modulate state
pass out on $ext_if from $ext_if to any modulate state
FW2#
FW2# ping 10.100.0.5
PING 10.100.0.5 (10.100.0.5): 56 data bytes
64 bytes from 10.100.0.5: icmp_seq=0 ttl=126 time=5.250 ms
64 bytes from 10.100.0.5: icmp_seq=1 ttl=126 time=8.325 ms
64 bytes from 10.100.0.5: icmp_seq=2 ttl=126 time=6.169 ms
64 bytes from 10.100.0.5: icmp_seq=3 ttl=126 time=8.943 ms
^C
--- 10.100.0.5 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 5.250/7.172/8.943/1.514 ms
#
FW2# nc -v 10.100.0.5 80
Connection to 10.100.0.5 80 port [tcp/http] succeeded!
^C
FW2#
FW2# cat sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.bsd.see_other_uids=0
net.inet.ip.check_interface=1 # protection against spoof ip packets
net.inet.ip.random_id=1
net.inet.ip.fastforwarding=1
net.inet.ip.process_options=0
net.inet.icmp.maskrepl=0
net.inet.tcp.blackhole=2 # blackhole pings, traceroutes, etc.
net.inet.tcp.rfc3042=1 # Enhancing TCP's Loss Recovery Using Limited Transmit
net.inet.tcp.rfc3390=1 # Increasing TCP's Initial Window
net.inet.tcp.sack.enable=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.keepidle=300000
net.inet.tcp.keepintvl=150
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.blackhole=1
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
kern.fallback_elf_brand=3
kern.polling.enable=1 # network interface pooling instead interrupt request
kern.ipc.shm_use_phys=1 # kernel to lock shared memory into RAM
# and prevent it from being paged out to swap
kern.ipc.maxsockbuf=2097152 # Buffers de socket para novas conexoes
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
vfs.vmiodirenable=1
FW2#
FW2# cat /root/dmesg.txt
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz (1995.01-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x10676 Stepping = 6
Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Features2=0xce33d<SSE3,RSVD2,MON,DS_CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,<b19>>
AMD Features=0x20000000<LM>
AMD Features2=0x1<LAHF>
Cores per package: 4
real memory = 3220992000 (3071 MB)
avail memory = 3146506240 (3000 MB)
ACPI APIC Table: <IBM SERDEFNT>
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1
cpu2 (AP): APIC ID: 2
cpu3 (AP): APIC ID: 3
ioapic0 <Version 2.0> irqs 0-23 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
hptrr: HPT RocketRAID controller driver v1.1 (Feb 24 2008 19:59:27)
acpi0: <IBM SERDEFNT> on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x588-0x58b on acpi0
acpi_hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 900
cpu0: <ACPI CPU> on acpi0
p4tcc0: <CPU Frequency Thermal Control> on cpu0
cpu1: <ACPI CPU> on acpi0
p4tcc1: <CPU Frequency Thermal Control> on cpu1
cpu2: <ACPI CPU> on acpi0
p4tcc2: <CPU Frequency Thermal Control> on cpu2
cpu3: <ACPI CPU> on acpi0
p4tcc3: <CPU Frequency Thermal Control> on cpu3
pcib0: <ACPI Host-PCI bridge> on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib1: <ACPI PCI-PCI bridge> at device 2.0 on pci0
pci16: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> at device 0.0 on pci16
pci17: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> at device 0.0 on pci17
pci19: <ACPI PCI bus> on pcib3
pcib4: <ACPI PCI-PCI bridge> at device 1.0 on pci17
pci18: <ACPI PCI bus> on pcib4
pcib5: <ACPI PCI-PCI bridge> at device 0.3 on pci16
pci20: <ACPI PCI bus> on pcib5
pcib6: <PCI-PCI bridge> at device 3.0 on pci0
pci35: <PCI bus> on pcib6
pcib7: <ACPI PCI-PCI bridge> at device 4.0 on pci0
pci7: <ACPI PCI bus> on pcib7
pcib8: <PCI-PCI bridge> at device 5.0 on pci0
pci34: <PCI bus> on pcib8
pcib9: <ACPI PCI-PCI bridge> at device 6.0 on pci0
pci3: <ACPI PCI bus> on pcib9
pcib10: <PCI-PCI bridge> at device 0.0 on pci3
pci4: <PCI bus> on pcib10
bce0: <Broadcom NetXtreme II BCM5708 1000Base-T (B2)> mem 0xc8000000-0xc9ffffff
irq 18 at device 0.0 on pci4
miibus0: <MII bus> on bce0
brgphy0: <BCM5708C 10/100/1000baseTX PHY> PHY 1 on miibus0
brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT,
1000baseT-FDX, auto
bce0: Ethernet address: 00:1a:64:79:f1:58
bce0: [ITHREAD]
bce0: ASIC (0x57081020); Rev (B2); Bus (PCI-X, 64-bit, 133MHz); F/W
(0x04000305); Flags( MFW MSI )
pcib11: <ACPI PCI-PCI bridge> at device 7.0 on pci0
pci2: <ACPI PCI bus> on pcib11
aac0: <IBM ServeRAID-8k> port 0x4000-0x40ff mem
0xcce00000-0xccffffff,0xcafe0000-0xcaffffff irq 17 at device 0.0 on pci2
aac0: New comm. interface enabled
aac0: [ITHREAD]
aac0: ServeRAID 8k-l , aac driver 2.0.0-1
pci0: <base peripheral> at device 8.0 (no driver attached)
pcib12: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
pci5: <ACPI PCI bus> on pcib12
pcib13: <PCI-PCI bridge> at device 0.0 on pci5
pci6: <PCI bus> on pcib13
bce1: <Broadcom NetXtreme II BCM5708 1000Base-T (B2)> mem 0xce000000-0xcfffffff
irq 16 at device 0.0 on pci6
miibus1: <MII bus> on bce1
brgphy1: <BCM5708C 10/100/1000baseTX PHY> PHY 1 on miibus1
brgphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT,
1000baseT-FDX, auto
bce1: Ethernet address: 00:1a:64:79:f1:5a
bce1: [ITHREAD]
bce1: ASIC (0x57081020); Rev (B2); Bus (PCI-X, 64-bit, 133MHz); F/W
(0x04000305); Flags( MFW MSI )
uhci0: <Intel 631XESB/632XESB/3100 USB controller USB-1> port 0x2200-0x221f irq
23 at device 29.0 on pci0
uhci0: [GIANT-LOCKED]
uhci0: [ITHREAD]
usb0: <Intel 631XESB/632XESB/3100 USB controller USB-1> on uhci0
usb0: USB revision 1.0
uhub0: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb0
uhub0: 2 ports with 2 removable, self powered
uhci1: <Intel 631XESB/632XESB/3100 USB controller USB-2> port 0x2600-0x261f irq
22 at device 29.1 on pci0
uhci1: [GIANT-LOCKED]
uhci1: [ITHREAD]
usb1: <Intel 631XESB/632XESB/3100 USB controller USB-2> on uhci1
usb1: USB revision 1.0
uhub1: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb1
uhub1: 2 ports with 2 removable, self powered
uhci2: <Intel 631XESB/632XESB/3100 USB controller USB-3> port 0x2a00-0x2a1f irq
23 at device 29.2 on pci0
uhci2: [GIANT-LOCKED]
uhci2: [ITHREAD]
usb2: <Intel 631XESB/632XESB/3100 USB controller USB-3> on uhci2
usb2: USB revision 1.0
uhub2: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb2
uhub2: 2 ports with 2 removable, self powered
ehci0: <Intel 63XXESB USB 2.0 controller> mem 0xf9000000-0xf90003ff irq 23 at
device 29.7 on pci0
ehci0: [GIANT-LOCKED]
ehci0: [ITHREAD]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: <Intel 63XXESB USB 2.0 controller> on ehci0
usb3: USB revision 2.0
uhub3: <Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb3
uhub3: 6 ports with 6 removable, self powered
pcib14: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci1: <ACPI PCI bus> on pcib14
vgapci0: <VGA-compatible display> port 0x3000-0x30ff mem
0xd0000000-0xd7ffffff,0xdfff0000-0xdfffffff irq 22 at device 1.0 on pci1
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel 63XXESB2 UDMA100 controller> port
0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x480-0x48f at device 31.1 on pci0
ata0: <ATA channel 0> on atapci0
ata0: [ITHREAD]
ata1: <ATA channel 1> on atapci0
ata1: [ITHREAD]
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio0: [FILTER]
pmtimer0 on isa0
orm0: <ISA Option ROMs> at iomem
0xc0000-0xcafff,0xcb000-0xcc7ff,0xcc800-0xcdfff,0xce000-0xd2fff pnpid ORM0000
on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
atkbd0: [ITHREAD]
ppc0: parallel port not found.
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
uhub4: <Silitek IBM USB HUB KEYBOARD, class 9/0, rev 1.10/1.00, addr 2> on uhub0
uhub4: 3 ports with 2 removable, bus powered
ukbd0: <Silitek IBM USB HUB KEYBOARD, class 0/0, rev 1.10/1.00, addr 3> on uhub4
kbd2 at ukbd0
Timecounters tick every 1.000 msec
hptrr: no controller detected.
acd0: CDRW <HL-DT-STCD-RW/DVD DRIVE GCC-T10N/1.00> at ata0-master UDMA33
aacd0: <RAID 0 (Stripe)> on aac0
aacd0: 279788MB (573005824 sectors)
SMP: AP CPU #1 Launched!
SMP: AP CPU #2 Launched!
SMP: AP CPU #3 Launched!
Trying to mount root from ufs:/dev/aacd0s1a
bce0: link state changed to UP
bce1: link state changed to UP
uhub4: at uhub0 port 2 (addr 2) disconnected
ukbd0: at uhub4 port 1 (addr 3) disconnected
ukbd0: detached
uhub4: detached
FW2#
-------------------------
Histórico: http://www.fug.com.br/historico/html/freebsd/
Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
