Hi folks. I know there are a lot of people here who are pf wizards.

I put this pf.conf together from the many, many examples I managed to find on the net (including here on the list), adapting them to my needs. It's rather long, so I've put it at the end. Everything works! VPN from outside in and vice-versa, SSH, routing, browsing, blocks, everything! The problem is that only the ssh rdr (lo0) and the ftp one are working. None of the others work! Trying to reach the internal https server, for example, I see the following output from tcpdump -n -e -ttt -s 256 -i pflog0:

00:00:00.000000 rule 21/0(match): pass in on sis0: 189.70.214.63.54429 > 172.16.3.135.443: Flags [S], seq 2411890221, win 65535, options [mss 1440,nop,wscale 4,sackOK,TS val 12824091 ecr 0], length 0
00:00:00.000071 rule 27/0(match): pass out on dc0: 189.70.214.63.54429 > 172.16.3.135.443: Flags [S], seq 2411890221, win 65535, options [mss 1440,nop,wscale 4,sackOK,TS val 2357217445 ecr 0], length 0

and that's as far as it gets! No block shows up, the connection never completes and the browser times out.

Going through the VPN, however, it comes up right away, and I reach the server directly over it:

00:00:32.268808 rule 17/0(match): pass in on sis0: 189.70.214.63.55888 > x.y.z.w.1723: Flags [S]
00:00:00.133998 rule 0/0(match): pass out on lo0: 189.70.214.63.55888 > x.y.z.w.1723: Flags [S]
00:00:00.000047 rule 0/0(match): pass in on lo0: 189.70.214.63.55888 > x.y.z.w.1723: Flags [S]
00:00:00.416092 rule 87/0(match): pass out on sis0: x.y.z.w.9594 > 200.255.255.65.53:
00:00:00.020566 rule 16/0(match): pass in on sis0: 189.70.214.63 > x.y.z.w: GREv1, call 5504, seq 0, proto PPP (0x880b)
00:00:00.076102 rule 78/0(match): pass out on dc0: 172.16.3.150.25793 > 172.16.3.133.1812: RADIUS, Access Request
00:00:00.076784 rule 78/0(match): pass out on dc0: 172.16.3.150.28900 > 172.16.3.133.1813: RADIUS, Accounting Request
# now accessing through the vpn
00:00:07.015407 rule 1/0(match): pass in on tun0: 172.16.3.237.60733 > 172.16.3.135.443: Flags [S], seq 3902572411, win 65535, options [mss 1256,nop,wscale 4,sackOK,TS val 13013947 ecr 0], length 0
00:00:00.000075 rule 27/0(match): pass out on dc0: 172.16.3.237.60733 > 172.16.3.135.443: Flags [S],

And I NEED to reach these services from outside, whatever it takes! I've been trying and tweaking for days without success. I even thought about IPFW, but I'm used to pf and I wouldn't know how to adapt these rules; that would be engineering beyond my ability. My heartfelt thanks to anyone who can help me.

Cheers,
--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winfoes FREE)

sysctl.conf
================================================================
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
debug.cpufreq.lowest=400
vfs.read_max=32
kern.maxfiles=204800
kern.maxfilesperproc=200000
kern.maxvnodes=200000
kern.ipc.shmmax=67108864
kern.ipc.shmall=16384
kern.ipc.maxsockets=204800
kern.ipc.maxsockbuf=262144
kern.ipc.somaxconn=4096
net.link.ether.inet.proxyall=1
net.inet.tcp.rfc1323=1
net.inet.tcp.drop_synfin=1
net.inet.ip.fastforwarding=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.intr_queue_maxlen=1000
net.inet.ip.dummynet.hash_size=256
net.inet.icmp.drop_redirect=1
net.inet.icmp.icmplim=800
net.inet.icmp.icmplim_output=0

pf.conf
======================================================================
### Interfaces ###
vpn_if="tun"
ext_if="sis0"
aln_if="dc0"
lab_if="vr0"
prm_if="rl0"
my_int_ip = "172.16.3.150"
my_ext_ip = "x.y.z.w"

### Networks ###
int_nets = "{ 172.16.3.0/24, 192.168.0.1/24, 10.10.10.0/24 }"

### Hosts ###
# Users
mario = "172.16.3.12"
izabel = "172.16.3.38"
cecilia = "172.16.3.56"
viniciusT= "172.16.3.250"

# Servers
srecallen01= "172.16.3.130"
ad_dns = "172.16.3.133"
sql_server = "172.16.3.134"
exchange = "172.16.3.135"
endpoint = "172.16.3.137"
srecallen02= "172.16.3.140"
quarentena = "172.16.3.141"
file_server= "172.16.3.142"
wsus = "172.16.3.143"
changepoint= "172.16.3.144"
vrecfbsd = "172.16.3.145"
recife = "172.16.3.1"
bonito = "172.16.3.2"
olinda = "172.16.3.3"
camera1 = "172.16.3.198"
camera2 = "172.16.3.199"

# Groups
table <cameras> const { 172.16.3.198, 172.16.3.199 }
table <hiperdot> const { 172.16.3.41, 172.16.3.58 }
table <livres> const { $mario, $izabel, $cecilia, $viniciusT }

# Non-public/weird addresses, doesn't include our 10.10.10.x, 172.16.3.x,
# 192.168.0.x subnets, anything in here shouldn't be going anywhere
table <banned> { 0.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3, 204.152.64.0/23 }

# Services that listen only at 127.0.0.1
FtpPort = "8021"
SshPort = "5952"

# Allowed ports
Allow_tcp_ports_aln = "{53, 80, 443, 143, 445, 1433, 1863, 110, 3000, 5061, 1723, 3389, 135, 25}"
Allow_tcp_ports_lab = "{53, 80, 443}"
Allow_tcp_ports_prm = "{53, 80, 443}"
Allow_udp_ports_aln = "{53, 500}"
Allow_udp_ports_lab = "{53, 500}"
Allow_udp_ports_prm = "{53, 500}"

################[ Options ]###################################
### most of these defaults are fine
# We want to send ICMP RST or unreachable
set block-policy drop
# Bind states to interfaces so we can have a queue for each interface
set state-policy if-bound
set ruleset-optimization none
set require-order yes
set loginterface $ext_if
# set fingerprints "/etc/pf.os"
# set optimization aggressive
set optimization normal
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }

################[ Normalization ]#############################
### reassemble fragments and resolve or reduce traffic ambiguities.
scrub on $ext_if all random-id min-ttl 254 max-mss 1472 reassemble tcp fragment reassemble
scrub on $aln_if all random-id reassemble tcp fragment reassemble
scrub on $lab_if all random-id reassemble tcp fragment reassemble
scrub on $prm_if all random-id reassemble tcp fragment reassemble
# Don't normalize traffic on the loopback

################[ Queueing ]##################################
### download queues
altq on $aln_if bandwidth 100Mb hfsc queue { ether_aln, nattraffic_aln }
# Ethernet traffic
queue ether_aln hfsc ( default, upperlimit 70% ) bandwidth 10% priority 0
queue nattraffic_aln hfsc ( upperlimit 400Kb ) bandwidth 420Kb { toint_pri_aln, toint_def_aln }
queue toint_pri_aln qlimit 10 hfsc ( red, realtime 35%, linkshare 50% ) priority 4 bandwidth 70%
queue toint_def_aln qlimit 10 hfsc ( red, realtime 15%, linkshare 30% ) priority 3 bandwidth 20%

altq on $lab_if bandwidth 100Mb hfsc queue { ether_lab, nattraffic_lab }
# Ethernet traffic
queue ether_lab hfsc ( default, upperlimit 70% ) bandwidth 10% priority 0
queue nattraffic_lab hfsc ( upperlimit 400Kb ) bandwidth 420Kb { toint_pri_lab, toint_def_lab }
queue toint_pri_lab qlimit 10 hfsc ( red, realtime 35%, linkshare 50% ) priority 4 bandwidth 70%
queue toint_def_lab qlimit 10 hfsc ( red, realtime 15%, linkshare 30% ) priority 3 bandwidth 20%

altq on $prm_if bandwidth 100Mb hfsc queue { ether_prm, nattraffic_prm }
# Ethernet traffic
queue ether_prm hfsc ( default, upperlimit 70% ) bandwidth 10% priority 0
queue nattraffic_prm hfsc ( upperlimit 400Kb ) bandwidth 420Kb { toint_pri_prm, toint_def_prm }
queue toint_pri_prm qlimit 10 hfsc ( red, realtime 35%, linkshare 50% ) priority 4 bandwidth 70%
queue toint_def_prm qlimit 10 hfsc ( red, realtime 15%, linkshare 30% ) priority 3 bandwidth 20%

### upload queue
# External interface, stuff which goes out on this interface has 1024Kb bandwidth
altq on $ext_if hfsc ( upperlimit 900Kb ) bandwidth 990Kb queue { fromint_pri, fromint_def, server, fromint_ack }
# From others
queue fromint_pri hfsc ( realtime 360Kb ) bandwidth 10%
queue fromint_def hfsc ( realtime 180Kb ) bandwidth 10%
# To the server from external
queue server hfsc ( default ) bandwidth 10%
# TCP ACK packets, saying we've got a packet, we have to get these off asap
queue fromint_ack hfsc ( realtime 5Kb ) bandwidth 10% priority 7

################[ Translation ]###############################
### specify how addresses are to be mapped or redirected.
nat on $ext_if from { $aln_if:network, $lab_if:network, $prm_if:network } to any -> ($ext_if:0) port 1024:65535

# ssh
rdr on $ext_if inet proto tcp from any to ($ext_if) port $SshPort -> lo0 port $SshPort
rdr on $aln_if inet proto tcp from any to $aln_if port $SshPort -> lo0 port $SshPort

# Allen Hosts
# mail /owa
rdr on $ext_if inet proto tcp from any to ($ext_if) port smtp -> $exchange port smtp
rdr on $ext_if inet proto tcp from any to ($ext_if) port https -> $exchange port https
# changepoint
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port http -> $olinda port http
rdr on $ext_if inet proto tcp from any to ($ext_if) port 444 -> $olinda port 444
# cameras
rdr on $ext_if inet proto tcp from any to ($ext_if) port 81 -> $camera1 port 81
rdr on $ext_if inet proto tcp from any to ($ext_if) port 82 -> $camera2 port 82

# ftp
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $aln_if inet proto tcp from $aln_if:network to any port ftp -> lo0 port $FtpPort
rdr on $lab_if inet proto tcp from $lab_if:network to any port ftp -> lo0 port $FtpPort
rdr on $prm_if inet proto tcp from $prm_if:network to any port ftp -> lo0 port $FtpPort

################[ Filtering ]#################################
pass log quick on lo0 all
pass log quick on $vpn_if all keep state
# no traffic is trying to get into the loopback interface from outside.
# block quick from any to lo0:network

#--- Making sure all traffic is coming to/going from the right interface
# Make sure no banned addresses are around
block log quick from <banned> to any
block log quick from any to <banned>
# all traffic to/from the internal network is addressed to/from the internal
# network
block in log on $aln_if from !$aln_if:network to any
block out log on $aln_if from any to !$aln_if:network
block in log on $lab_if from !$lab_if:network to any
block out log on $lab_if from any to !$lab_if:network
block in log on $prm_if from !$prm_if:network to any
block out log on $prm_if from any to !$prm_if:network
# all traffic to/from the external network is addressed to/from our external
# address specifically
block in log on $ext_if from any to !($ext_if)
block out log on $ext_if from !($ext_if) to any
block in log quick from no-route to any
block in log quick on $ext_if from urpf-failed to any
block in log quick on $ext_if from any to 255.255.255.255

# <<< INPUT >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# from INTERNET
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type 8 code 0 keep state
# vpn
pass in log quick on $ext_if inet proto gre all keep state queue ( server, fromint_ack )
pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port pptp flags S/SAFR synproxy state queue ( server, fromint_ack )

# redirects from outside ---------------------------------------------------
pass in log quick on $ext_if inet proto tcp from any to lo0 port $SshPort flags S/SAFR synproxy state (max 30, source-track rule, max-src-nodes 10, max-src-states 2, max-src-conn 2, max-src-conn-rate 2/60, overload <banned>) queue ( server, fromint_ack )
pass in log on $ext_if inet proto tcp from any to $exchange port smtp flags S/SAFR synproxy state (max 100, source-track rule, max-src-states 5, max-src-nodes 30, max-src-conn-rate 10/300, overload <banned> flush global, tcp.established 45) queue ( server, fromint_ack )
pass in log on $ext_if inet proto tcp from any to $olinda port http flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, max-src-states 30, max-src-conn 30, overload <banned> flush global) queue ( server, fromint_ack )
pass in log quick on $ext_if inet proto tcp from any to $exchange port 443 flags S/SA keep state (max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254) queue ( server, fromint_ack )
pass in log on $ext_if inet proto tcp from any to $olinda port 444 flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, max-src-states 30, max-src-conn 30, overload <banned> flush global) queue ( server, fromint_ack )
pass in log on $ext_if inet proto tcp from any to $camera1 port 81 flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, max-src-states 30, max-src-conn 30, overload <banned> flush global) queue ( server, fromint_ack )
pass in log on $ext_if inet proto tcp from any to $camera2 port 82 flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, max-src-states 30, max-src-conn 30, overload <banned> flush global) queue ( server, fromint_ack )
#---------------------------------------------------------------------
pass out log on $aln_if inet proto tcp from any to $exchange port smtp flags S/SAFR synproxy state (max 100, source-track rule, max-src-states 5, max-src-nodes 30, max-src-conn-rate 10/300, overload <banned> flush global, tcp.established 45) queue ( server, fromint_ack )
pass out log on $aln_if inet proto tcp from any to $olinda port http flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, max-src-states 30, max-src-conn 30, overload <banned> flush global) queue ( server, fromint_ack )
pass out log quick on $aln_if inet proto tcp from any to $exchange port 443 flags S/SA keep state (max 1000, source-track rule, max-src-nodes 50, max-src-states 30, max-src-conn 30, overload <banned> flush global) queue ether_aln
pass out log on $aln_if inet proto tcp from any to $olinda port 444 flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, max-src-states 30, max-src-conn 30, overload <banned> flush global) queue ( server, fromint_ack )
pass out log on $aln_if inet proto tcp from any to $camera1 port 81 flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, max-src-states 30, max-src-conn 30, overload <banned> flush global) queue ( server, fromint_ack )
pass out log on $aln_if inet proto tcp from any to $camera2 port 82 flags S/SAFR synproxy state (max 1000, source-track rule, max-src-nodes 50, max-src-states 30, max-src-conn 30, overload <banned> flush global) queue ( server, fromint_ack )

# from LAN
pass in log quick on $aln_if proto tcp from any to lo0 port $SshPort flags S/SAFR synproxy state (max 20, source-track rule, max-src-nodes 2, max-src-states 10) queue ether_aln
# pass in log quick on $aln_if proto tcp from any to lo0 port 3128 flags S/SAFR synproxy state (max 2000, source-track rule, max-src-nodes 20, max-src-states 100) queue ether_aln

# <<< FORWARD >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#--- Let out NAT traffic from the internal network to the internet
pass in log quick on $aln_if from $my_int_ip to !$aln_if keep state tag fromint_pri queue ( toint_pri_aln )
pass in log quick on $lab_if from 192.168.0.1 to !$lab_if keep state tag fromint_pri queue ( toint_pri_lab )
pass in log quick on $prm_if from 10.10.10.1 to !$prm_if keep state tag fromint_pri queue ( toint_pri_prm )
pass in log quick on $aln_if inet proto gre all keep state tag fromint_pri queue ( toint_pri_aln )
pass in log quick on $aln_if inet proto tcp from $aln_if:network to !$aln_if port $Allow_tcp_ports_aln keep state tag fromint_def queue ( toint_def_aln )
pass in log quick on $lab_if inet proto tcp from $lab_if:network to !$lab_if port $Allow_tcp_ports_lab keep state tag fromint_def queue ( toint_def_lab )
pass in log quick on $prm_if inet proto tcp from $prm_if:network to !$prm_if port $Allow_tcp_ports_prm keep state tag fromint_def queue ( toint_def_prm )
pass in log quick on $aln_if inet proto udp from $aln_if:network to !$aln_if port $Allow_udp_ports_aln keep state tag fromint_def queue ( toint_def_aln )
pass in log quick on $lab_if inet proto udp from $lab_if:network to !$lab_if port $Allow_udp_ports_lab keep state tag fromint_def queue ( toint_def_lab )
pass in log quick on $prm_if inet proto udp from $prm_if:network to !$prm_if port $Allow_udp_ports_prm keep state tag fromint_def queue ( toint_def_prm )
pass in log on $aln_if inet proto icmp from $aln_if:network to !$aln_if icmp-type 8 code 0 keep state tag fromint_def
pass in log on $lab_if inet proto icmp from $lab_if:network to !$lab_if icmp-type 8 code 0 keep state tag fromint_def
pass in log on $prm_if inet proto icmp from $prm_if:network to !$prm_if icmp-type 8 code 0 keep state tag fromint_def

# We have to create a state on the external interface for traffic that has
# been passed, so that we can create an upload queue.
pass out log quick on $ext_if tagged fromint_pri keep state queue ( fromint_pri, fromint_ack )
pass out log quick on $ext_if tagged fromint_def keep state queue ( fromint_def, fromint_ack )

# <<< OUTPUT >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#--- Don't let restricted users initiate their own connections
block out log quick from any to any user { www, nobody, games, news, man, smmsp, mailnull, pop, uucp, bind }
#--- Allow networks to see themselves
pass log quick on $aln_if inet proto { tcp, udp, icmp } from $aln_if:network to $aln_if:network keep state queue ether_aln
pass log quick on $lab_if inet proto { tcp, udp, icmp } from $lab_if:network to $lab_if:network keep state queue ether_lab
pass log quick on $prm_if inet proto { tcp, udp, icmp } from $prm_if:network to $prm_if:network keep state queue ether_prm
#--- Allow connections from this server
pass log quick on $ext_if inet proto { tcp, udp, icmp } from $my_ext_ip to any keep state queue ( server, fromint_ack )
pass log quick on $aln_if inet proto { tcp, udp, icmp } from $my_int_ip to any keep state queue ( toint_pri_aln )
pass log quick on $lab_if inet proto { tcp, udp, icmp } from 192.168.0.1 to any keep state queue ( toint_pri_lab )
pass log quick on $prm_if inet proto { tcp, udp, icmp } from 10.10.10.1 to any keep state queue ( toint_pri_prm )

block log all
==============================================================================
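An added example, not part of the post above or of pf itself: a small Python script that parses tcpdump's pflog output of the shape quoted in the post and groups the logged packets per flow, so that for each redirected connection you can see whether pf passed it in on the external interface, passed it out on the internal one, or blocked it. The sample lines are constructed in the shape of the post's output (203.0.113.10 stands in for the firewall's external address, the rule numbers and the 198.51.100.x clients are made up), and the status names ("forwarded", "in-only", "blocked") are my own. One caveat to keep in mind when reading the result: a rule with plain `log` logs only the packet that creates the state, so a flow shown here as "forwarded" tells you pf accepted the SYN on both sides; whether the server's SYN/ACK ever came back through the same box has to be checked with `pfctl -ss` or a capture on the internal interface, not from pflog alone.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n -e -ttt -s 256 -i pflog0` output.
# The first two lines mirror the kind of lines quoted in the post; the rest are
# made up, with 203.0.113.10 standing in for the firewall's external address.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 21/0(match): pass in on sis0: 189.70.214.63.54429 > 172.16.3.135.443: Flags [S], seq 2411890221, win 65535, length 0
00:00:00.000071 rule 27/0(match): pass out on dc0: 189.70.214.63.54429 > 172.16.3.135.443: Flags [S], seq 2411890221, win 65535, length 0
00:00:00.020566 rule 16/0(match): pass in on sis0: 189.70.214.63 > 203.0.113.10: GREv1, call 5504, seq 0, proto PPP (0x880b)
00:00:01.000000 rule 21/0(match): pass in on sis0: 198.51.100.7.40001 > 172.16.3.3.80: Flags [S], seq 1, win 65535, length 0
00:00:00.000100 rule 99/0(match): block out on dc0: 198.51.100.7.40001 > 172.16.3.3.80: Flags [S], seq 1, win 65535, length 0
00:00:02.000000 rule 12/0(match): pass in on sis0: 198.51.100.8.40002 > 127.0.0.1.5952: Flags [S], seq 2, win 65535, length 0
00:00:00.000010 rule 0/0(match): pass out on lo0: 198.51.100.8.40002 > 127.0.0.1.5952: Flags [S], seq 2, win 65535, length 0
"""

# One pflog line for a TCP/UDP packet. Lines for port-less protocols (the GRE
# line above) do not match and are skipped.
LINE_RE = re.compile(
    r"^\S+ rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Yield (flow, action, direction, iface, rule) for each parsable line.

    The flow key is (src, sport, dst, dport) as pf logged it. For an inbound
    rdr pf logs the already-translated destination (as the post's own output
    shows), so the 'pass in' on the external interface and the 'pass out' on
    the internal one share a single key.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        yield flow, m["action"], m["dir"], m["iface"], int(m["rule"])


def classify_flows(text):
    """Return {flow: (status, events)}.

    status is 'blocked' (some rule blocked it), 'forwarded' (passed in on one
    interface and out on another), 'in-only' or 'out-only' (only one side of
    the forwarding path shows up in the log).
    """
    events = defaultdict(list)
    for flow, action, direction, iface, rule in parse_pflog(text):
        events[flow].append((action, direction, iface, rule))
    result = {}
    for flow, evs in events.items():
        if any(action == "block" for action, _, _, _ in evs):
            status = "blocked"
        else:
            dirs = {direction for _, direction, _, _ in evs}
            if dirs == {"in", "out"}:
                status = "forwarded"
            elif dirs == {"in"}:
                status = "in-only"
            else:
                status = "out-only"
        result[flow] = (status, evs)
    return result


def report(text):
    """One line per flow: endpoints, status, and the rules that matched."""
    lines = []
    for (src, sport, dst, dport), (status, evs) in classify_flows(text).items():
        path = ", ".join(f"{a} {d} on {i} (rule {r})" for a, d, i, r in evs)
        lines.append(f"{src}:{sport} -> {dst}:{dport}: {status} [{path}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PFLOG))
```

Run it against a real capture with `tcpdump -n -e -ttt -s 256 -i pflog0 > pflog.txt` and feed the file's contents to `report()`; flows that end up "blocked" point at the rule number to look at, and flows that are "forwarded" but still never complete move the question from pf's ruleset to the return path (the server's route back to the client and the state on the inside interface).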

