2009/8/27 Hitch Cock <net.hitch....@gmail.com>
> Folks,
>
> I'm setting up a firewall with ipfw + pf, and I'm going to use ipfw for
> bandwidth control of the workstations and pf for the filtering and NAT.
>
> The pf part is working perfectly, but when ipfw is enabled it blocks every
> workstation that tries to go through the gateway, even though I'm using
> default accept.
>
> Here are my configurations.
>
> firewall# uname -a
> FreeBSD firewall.exam.br 7.2-STABLE FreeBSD 7.2-STABLE #1: Tue Aug 4
> 19:16:54 BRT 2009
> r...@firewall.exam.br:/usr/obj/usr/src/sys/GENERICwithPFandIPFW
> i386
>
> firewall# cat /etc/ipfw.conf
> #!/bin/sh
>
> fwcmd="/sbin/ipfw"
>
> ${fwcmd} -f flush
> ${fwcmd} -f pipe flush
>
> ${fwcmd} pipe 1 config bw 64Kbit/s queue 5Kbytes mask all
> ${fwcmd} pipe 2 config bw 128Kbit/s queue 10Kbytes mask all
> ${fwcmd} pipe 3 config bw 256Kbit/s queue 25Kbytes mask all
> ${fwcmd} pipe 4 config bw 512Kbit/s queue 50Kbytes mask all
> ${fwcmd} pipe 5 config bw 1024Kbit/s queue 100Kbytes mask all
> ${fwcmd} pipe 6 config bw 0Mbit/s
>
> ${fwcmd} add 1 pass all from any to any via lo0
> ${fwcmd} add 2 deny all from any to 127.0.0.0/8
> ${fwcmd} add 3 deny ip from 127.0.0.0/8 to any
>
> ${fwcmd} add 5 pipe 6 all from 10.0.0.0/16 to 200.xxx.xxx.xxx/26
> ${fwcmd} add 6 pipe 6 all from 200.xxx.xxx.xxx/26 to 10.0.0.0/16
>
> ${fwcmd} add 7 pipe 6 all from 10.0.0.0/16 to 201.xxx.xxx.xxx/27
> ${fwcmd} add 8 pipe 6 all from 201.xxx.xxx.xxx/27 to 10.0.0.0/16
>
> ${fwcmd} add 9 pipe 6 all from 10.0.0.0/16 to 189.xxx.xxx.xxx/27
> ${fwcmd} add 10 pipe 6 all from 189.xxx.xxx.xxx/27 to 10.0.0.0/16
>
> ${fwcmd} add 11 pipe 6 all from 10.0.0.0/16 to 10.0.0.0/16
>
> ${fwcmd} add 12 pipe 6 all from 10.0.0.0/16 to 192.168.0.0/16
> ${fwcmd} add 13 pipe 6 all from 192.168.0.0/16 to 10.0.0.0/16
>
> ${fwcmd} add pipe 1 all from 10.0.0.22 to any
> ${fwcmd} add pipe 2 all from any to 10.0.0.22
>
> ${fwcmd} add pipe 1 all from 10.0.0.23 to any
> ${fwcmd} add pipe 2 all from any to 10.0.0.23
>
> ${fwcmd} add pipe 1 all from 10.0.1.22 to any
> ${fwcmd} add pipe 2 all from any to 10.0.1.22
>
> firewall# ipfw show
> 00001 0 0 allow ip from any to any via lo0
> 00002 0 0 deny ip from any to 127.0.0.0/8
> 00003 0 0 deny ip from 127.0.0.0/8 to any
> 00005 0 0 pipe 6 ip from 10.0.0.0/16 to 200.xxx.xxx.xxx/26
> 00006 0 0 pipe 6 ip from 200.xxx.xxx.xxx/26 to 10.0.0.0/16
> 00007 0 0 pipe 6 ip from 10.0.0.0/16 to 201.xxx.xxx.xxx/27
> 00008 0 0 pipe 6 ip from 201.xxx.xxx.xxx/27 to 10.0.0.0/16
> 00009 0 0 pipe 6 ip from 10.0.0.0/16 to 189.xxx.xxx.xxx/27
> 00010 0 0 pipe 6 ip from 189.xxx.xxx.xxx/27 to 10.0.0.0/16
> 00011 120 10290 pipe 6 ip from 10.0.0.0/16 to 10.0.0.0/16
> 00012 0 0 pipe 6 ip from 10.0.0.0/16 to 192.168.0.0/16
> 00013 0 0 pipe 6 ip from 192.168.0.0/16 to 10.0.0.0/16
> 00023 0 0 pipe 1 ip from 10.0.0.22 to any
> 00033 0 0 pipe 2 ip from any to 10.0.0.22
> 00043 0 0 pipe 1 ip from 10.0.0.23 to any
> 00053 0 0 pipe 2 ip from any to 10.0.0.23
> 00063 0 0 pipe 1 ip from 10.0.1.22 to any
> 00073 0 0 pipe 2 ip from any to 10.0.1.22
> 65535 1180136 254268606 allow ip from any to any
>
> firewall# cat /etc/rc.conf
> defaultrouter="200.xxx.xxx.xxx"
> hostname="firewall.exam.br"
> ifconfig_le0="inet 10.0.0.1 netmask 255.255.0.0"
> ifconfig_le1="inet 200.xxx.xxx.xxx netmask 255.255.255.128"
>
> sshd_enable="YES"
>
> firewall_enable="YES"
> firewall_script="/etc/ipfw.conf"
> firewall_type="UNKNOWN"
> dummynet_enable="YES"
>
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
>
> ftpproxy_enable="YES"
> squid_enable="YES"
>
>
> Any suggestions? Did I forget to enable something? I have the same ipfw
> firewall running on a bridge and it works perfectly.
>
> Note: I think this subject has probably been discussed a lot here, but I
> didn't find anything that solved my problem, so I'm turning to you, friends.
>
> Regards,
> Hitch
>

Good evening.

I used ipfw/dummynet together with pf a while ago; the only differences I can recall right now are:

I loaded ipfw after pf.

In the ipfw/dummynet rules I used the internal interface in the pipes.

I don't remember exactly, but in the morning I'll look for it and let you know.

Something like:

$fw pipe 10 config mask src-ip 0x000000ff bw 512Kbit/s
$fw pipe 20 config mask dst-ip 0x000000ff bw 512Kbit/s

$fw add 10 pipe 10 ip from 192.168.100.1/32 to any via ${int_if}
$fw add 20 pipe 20 ip from any to 192.168.100.1/32 via ${int_if}

$fw add 100 allow ip from any to any

Good evening.
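The pattern in the reply above (per-host pipes keyed by an address mask, rules bound to the inside interface with `via`, and an explicit final allow), turned into a small generator script. This is an added example, not code from either poster: the interface name, the station table and the rule numbering are constructed assumptions, and it prints the ipfw commands rather than executing them.

```shell
#!/bin/sh
# Added example (not from the thread): emit an ipfw/dummynet ruleset in the
# style of the reply: one pipe pair per station, a 32-bit address mask so each
# host gets its own queue, "via" on the inside interface, and a final allow.
# Constructed assumptions: interface name, station table, rule/pipe numbers.

int_if="le0"            # inside interface, as in the quoted rc.conf
fw="/sbin/ipfw"

# Constructed station table: one host per line, "ip up_kbit down_kbit".
stations='10.0.0.22 64 128
10.0.0.23 64 128
10.0.1.22 256 512'

# Prints the commands instead of running them; review the output first, then
# feed it to sh on the FreeBSD box.
gen_rules() {
    printf '%s -f flush\n%s -f pipe flush\n' "$fw" "$fw"
    # Loopback handling kept from the original script.
    printf '%s add 1 allow ip from any to any via lo0\n' "$fw"
    printf '%s add 2 deny ip from any to 127.0.0.0/8\n' "$fw"
    printf '%s add 3 deny ip from 127.0.0.0/8 to any\n' "$fw"
    n=100
    echo "$stations" | while read -r ip up down; do
        [ -z "$ip" ] && continue
        up_pipe=$n; down_pipe=$((n + 1))
        # Full mask: every distinct address gets its own queue inside the pipe
        # (the reply used 0x000000ff, which only separates hosts within a /24).
        printf '%s pipe %d config mask src-ip 0xffffffff bw %dKbit/s\n' "$fw" "$up_pipe" "$up"
        printf '%s pipe %d config mask dst-ip 0xffffffff bw %dKbit/s\n' "$fw" "$down_pipe" "$down"
        # "via $int_if" makes the rule match only when the packet crosses the
        # inside interface, not on both of ipfw's passes over a forwarded packet.
        printf '%s add %d pipe %d ip from %s to any via %s\n' "$fw" "$up_pipe" "$up_pipe" "$ip" "$int_if"
        printf '%s add %d pipe %d ip from any to %s via %s\n' "$fw" "$down_pipe" "$down_pipe" "$ip" "$int_if"
        n=$((n + 2))
    done
    # Explicit pass so anything not shaped above is never blocked.
    printf '%s add 65000 allow ip from any to any\n' "$fw"
}

gen_rules
```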