[FUG-BR] FIREWALL IPFW + PF

2009-08-26 Por tópico Hitch Cock
Pessoal,

to montando um firewall com ipfw + pf e vou usar o ipfw para fazer o
controle de banda das estações e o pf para os filtros e nat.

A parte do pf está funcionando perfeitamente, porém o ipfw, quando ativado, está
bloqueando toda estação que tenta atravessar o gw, mesmo eu usando default
accept.

Segue minhas configurações.

firewall# uname -a
FreeBSD firewall.exam.br 7.2-STABLE FreeBSD 7.2-STABLE #1: Tue Aug  4
19:16:54 BRT 2009
r...@firewall.exam.br:/usr/obj/usr/src/sys/GENERICwithPFandIPFW
i386

firewall# cat /etc/ipfw.conf
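#!/bin/sh
#
# /etc/ipfw.conf - ipfw/dummynet traffic shaping for the ipfw + pf gateway.
#
# Executed by /etc/rc.d/ipfw through firewall_script in rc.conf.  ipfw is
# used here for bandwidth shaping only; packet filtering and NAT are done
# by pf.  The list ends without an explicit deny and relies on the kernel's
# default rule 65535 (shown as "allow ip from any to any" in `ipfw show`),
# so anything not matched below is accepted.

readonly fwcmd=/sbin/ipfw

# Start from a clean state: remove every rule and every dummynet pipe.
"${fwcmd}" -f flush
"${fwcmd}" -f pipe flush

# Bandwidth classes.
# NOTE(review): `mask all` classifies on every field of the flow (addresses,
# ports, protocol), and each distinct flow then gets its own dynamic pipe
# with the full bandwidth configured here - i.e. a per-connection limit, not
# a per-station one.  Confirm that is the intent; a per-host limit would
# mask only src-ip / dst-ip.
"${fwcmd}" pipe 1 config bw 64Kbit/s queue 5Kbytes mask all
"${fwcmd}" pipe 2 config bw 128Kbit/s queue 10Kbytes mask all
"${fwcmd}" pipe 3 config bw 256Kbit/s queue 25Kbytes mask all
"${fwcmd}" pipe 4 config bw 512Kbit/s queue 50Kbytes mask all
"${fwcmd}" pipe 5 config bw 1024Kbit/s queue 100Kbytes mask all
# bw 0 means unlimited: pipe 6 is the "no shaping" class.
# NOTE(review): as far as I recall dummynet drops packets sent to a pipe that
# does not exist, so `ipfw pipe show` should list all six pipes after this
# script has run - worth checking when traffic is unexpectedly blocked.
"${fwcmd}" pipe 6 config bw 0Mbit/s

# Loopback: accept everything on lo0, then refuse the loopback network on
# any other path (anti-spoofing).  `allow`/`ip` are the canonical spellings
# of the synonyms `pass`/`all`, matching what `ipfw show` prints.
"${fwcmd}" add 1 allow ip from any to any via lo0
"${fwcmd}" add 2 deny ip from any to 127.0.0.0/8
"${fwcmd}" add 3 deny ip from 127.0.0.0/8 to any

# Unshaped traffic (pipe 6): LAN <-> the three public blocks, LAN <-> LAN and
# LAN <-> 192.168/16.  These must stay ahead of the per-station rules so that
# internal traffic is never rate-limited.
"${fwcmd}" add 5 pipe 6 ip from 10.0.0.0/16 to 200.xxx.xxx.xxx/26
"${fwcmd}" add 6 pipe 6 ip from 200.xxx.xxx.xxx/26 to 10.0.0.0/16

"${fwcmd}" add 7 pipe 6 ip from 10.0.0.0/16 to 201.xxx.xxx.xxx/27
"${fwcmd}" add 8 pipe 6 ip from 201.xxx.xxx.xxx/27 to 10.0.0.0/16

"${fwcmd}" add 9 pipe 6 ip from 10.0.0.0/16 to 189.xxx.xxx.xxx/27
"${fwcmd}" add 10 pipe 6 ip from 189.xxx.xxx.xxx/27 to 10.0.0.0/16

"${fwcmd}" add 11 pipe 6 ip from 10.0.0.0/16 to 10.0.0.0/16

"${fwcmd}" add 12 pipe 6 ip from 10.0.0.0/16 to 192.168.0.0/16
"${fwcmd}" add 13 pipe 6 ip from 192.168.0.0/16 to 10.0.0.0/16

# Per-station shaping: upload through pipe 1, download through pipe 2.
# Explicit rule numbers keep the ruleset reproducible instead of depending
# on the kernel's auto-increment step; order is unchanged.
# NOTE(review): these rules carry no in/out/via qualifier, so a forwarded
# packet can match on both the inbound and the outbound pfil pass.  If the
# intent is to shape each packet once, anchor the rules to the internal
# interface with `via <internal interface>` (see the follow-up example).
"${fwcmd}" add 100 pipe 1 ip from 10.0.0.22 to any
"${fwcmd}" add 101 pipe 2 ip from any to 10.0.0.22

"${fwcmd}" add 110 pipe 1 ip from 10.0.0.23 to any
"${fwcmd}" add 111 pipe 2 ip from any to 10.0.0.23

"${fwcmd}" add 120 pipe 1 ip from 10.0.1.22 to any
"${fwcmd}" add 121 pipe 2 ip from any to 10.0.1.22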

firewall# ipfw show
1   0 0 allow ip from any to any via lo0
2   0 0 deny ip from any to 127.0.0.0/8
3   0 0 deny ip from 127.0.0.0/8 to any
5   0 0 pipe 6 ip from 10.0.0.0/16 to 200.xxx.xxx.xxx/26
6   0 0 pipe 6 ip from 200.xxx.xxx.xxx/26 to 10.0.0.0/16
7   0 0 pipe 6 ip from 10.0.0.0/16 to 201.xxx.xxx.xxx/27
8   0 0 pipe 6 ip from 201.xxx.xxx.xxx/27 to 10.0.0.0/16
9   0 0 pipe 6 ip from 10.0.0.0/16 to 189.xxx.xxx.xxx/27
00010   0 0 pipe 6 ip from 189.xxx.xxx.xxx/27 to 10.0.0.0/16
00011 120 10290 pipe 6 ip from 10.0.0.0/16 to 10.0.0.0/16
00012   0 0 pipe 6 ip from 10.0.0.0/16 to 192.168.0.0/16
00013   0 0 pipe 6 ip from 192.168.0.0/16 to 10.0.0.0/16
00023   0 0 pipe 1 ip from 10.0.0.22 to any
00033   0 0 pipe 2 ip from any to 10.0.0.22
00043   0 0 pipe 1 ip from 10.0.0.23 to any
00053   0 0 pipe 2 ip from any to 10.0.0.23
00063   0 0 pipe 1 ip from 10.0.1.22 to any
00073   0 0 pipe 2 ip from any to 10.0.1.22
65535 1180136 254268606 allow ip from any to any

firewall# cat /etc/rc.conf
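# /etc/rc.conf - addressing, firewall and service settings for the gateway.
#
# rc.conf is sourced by sh, so every multi-word value must be one quoted
# string: an unquoted `ifconfig_le0=inet 10.0.0.1 ...` would assign "inet"
# and then try to execute "10.0.0.1" as a command.
#
# NOTE(review): gateway_enable does not appear in this listing; for le0<->le1
# traffic to be forwarded at all, IP forwarding has to be enabled here or
# elsewhere (e.g. sysctl.conf) - confirm.

# Addressing (public addresses are masked as xxx in the listing).
defaultrouter="200.xxx.xxx.xxx"
hostname="firewall.exam.br"
ifconfig_le0="inet 10.0.0.1 netmask 255.255.0.0"            # internal LAN
ifconfig_le1="inet 200.xxx.xxx.xxx netmask 255.255.255.128" # external link

sshd_enable="YES"

# ipfw: shaping only, rules come from the custom script below.
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
# firewall_type is only consulted by /etc/rc.firewall, so with a custom
# firewall_script it has no effect.
firewall_type="UNKNOWN"
dummynet_enable="YES"

# pf: filtering and NAT, with pflog capturing logged packets.
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

ftpproxy_enable="YES"
squid_enable="YES"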


Alguma sugestão? Faltou ativar alguma coisa? Tenho o mesmo firewall ipfw
rodando numa bridge e funciona perfeitamente.

obs: acho que esse assunto já deve ter sido bastante discutido aqui mas não
encontrei nada que resolvesse meu problema por isso recorro aos amigos.

Att,
Hitch


Re: [FUG-BR] FIREWALL IPFW + PF

2009-08-26 Por tópico Wanderson Tinti
2009/8/27 Hitch Cock net.hitch@gmail.com

 Pessoal,

 to montando um firewall com ipfw + pf e vou usar o ipfw para fazer o
 controle de banda das estações e o pf para os filtros e nat.

 A parte pf está funcionando perfeitamente porém o ipfw quando ativado está
 bloqueando toda estação que tenta atravessar o gw mesmo eu usando default
 accept.

 Segue minhas configurações.

 firewall# uname -a
 FreeBSD firewall.exam.br 7.2-STABLE FreeBSD 7.2-STABLE #1: Tue Aug  4
 19:16:54 BRT 2009
 r...@firewall.exam.br:/usr/obj/usr/src/sys/GENERICwithPFandIPFW
 i386

 firewall# cat /etc/ipfw.conf
 #!/bin/sh

 fwcmd=/sbin/ipfw

 ${fwcmd} -f flush
 ${fwcmd} -f pipe flush

 ${fwcmd} pipe 1 config bw 64Kbit/s queue 5Kbytes mask all
 ${fwcmd} pipe 2 config bw 128Kbit/s queue 10Kbytes mask all
 ${fwcmd} pipe 3 config bw 256Kbit/s queue 25Kbytes mask all
 ${fwcmd} pipe 4 config bw 512Kbit/s queue 50Kbytes mask all
 ${fwcmd} pipe 5 config bw 1024Kbit/s queue 100Kbytes mask all
 ${fwcmd} pipe 6 config bw 0Mbit/s

 ${fwcmd} add 1 pass all from any to any via lo0
 ${fwcmd} add 2 deny all from any to 127.0.0.0/8
 ${fwcmd} add 3 deny ip from 127.0.0.0/8 to any

 ${fwcmd} add 5 pipe 6 all from 10.0.0.0/16 to 200.xxx.xxx.xxx/26
 ${fwcmd} add 6 pipe 6 all from 200.xxx.xxx.xxx/26 to 10.0.0.0/16

 ${fwcmd} add 7 pipe 6 all from 10.0.0.0/16 to 201.xxx.xxx.xxx/27
 ${fwcmd} add 8 pipe 6 all from 201.xxx.xxx.xxx/27 to 10.0.0.0/16

 ${fwcmd} add 9 pipe 6 all from 10.0.0.0/16 to 189.xxx.xxx.xxx/27
 ${fwcmd} add 10 pipe 6 all from 189.xxx.xxx.xxx/27 to 10.0.0.0/16

 ${fwcmd} add 11 pipe 6 all from 10.0.0.0/16 to 10.0.0.0/16

 ${fwcmd} add 12 pipe 6 all from 10.0.0.0/16 to 192.168.0.0/16
 ${fwcmd} add 13 pipe 6 all from 192.168.0.0/16 to 10.0.0.0/16

 ${fwcmd} add pipe 1 all from 10.0.0.22 to any
 ${fwcmd} add pipe 2 all from any to 10.0.0.22

 ${fwcmd} add pipe 1 all from 10.0.0.23 to any
 ${fwcmd} add pipe 2 all from any to 10.0.0.23

 ${fwcmd} add pipe 1 all from 10.0.1.22 to any
 ${fwcmd} add pipe 2 all from any to 10.0.1.22

 firewall# ipfw show
 1   0 0 allow ip from any to any via lo0
 2   0 0 deny ip from any to 127.0.0.0/8
 3   0 0 deny ip from 127.0.0.0/8 to any
 5   0 0 pipe 6 ip from 10.0.0.0/16 to 200.xxx.xxx.xxx/26
 6   0 0 pipe 6 ip from 200.xxx.xxx.xxx/26 to 10.0.0.0/16
 7   0 0 pipe 6 ip from 10.0.0.0/16 to 201.xxx.xxx.xxx/27
 8   0 0 pipe 6 ip from 201.xxx.xxx.xxx/27 to 10.0.0.0/16
 9   0 0 pipe 6 ip from 10.0.0.0/16 to 189.xxx.xxx.xxx/27
 00010   0 0 pipe 6 ip from 189.xxx.xxx.xxx/27 to 10.0.0.0/16
 00011 120 10290 pipe 6 ip from 10.0.0.0/16 to 10.0.0.0/16
 00012   0 0 pipe 6 ip from 10.0.0.0/16 to 192.168.0.0/16
 00013   0 0 pipe 6 ip from 192.168.0.0/16 to 10.0.0.0/16
 00023   0 0 pipe 1 ip from 10.0.0.22 to any
 00033   0 0 pipe 2 ip from any to 10.0.0.22
 00043   0 0 pipe 1 ip from 10.0.0.23 to any
 00053   0 0 pipe 2 ip from any to 10.0.0.23
 00063   0 0 pipe 1 ip from 10.0.1.22 to any
 00073   0 0 pipe 2 ip from any to 10.0.1.22
 65535 1180136 254268606 allow ip from any to any

 firewall# cat /etc/rc.conf
 defaultrouter=200.xxx.xxx.xxx
 hostname=firewall.exam.br
 ifconfig_le0=inet 10.0.0.1 netmask 255.255.0.0
 ifconfig_le1=inet 200.xxx.xxx.xxx netmask 255.255.255.128

 sshd_enable=YES

 firewall_enable=YES
 firewall_script=/etc/ipfw.conf
 firewall_type=UNKNOWN
 dummynet_enable=YES

 pf_enable=YES
 pf_rules=/etc/pf.conf
 pflog_enable=YES
 pflog_logfile=/var/log/pflog

 ftpproxy_enable=YES
 squid_enable=YES


 Alguma sugestão? Faltou ativar alguma coisa? Tenho o mesmo firewall ipfw
 rodando numa bridge e funciona perfeitamente.

 obs: acho que esse assunto já deve ter sido bastante discutido aqui mas não
 encontrei nada que resolvesse meu problema por isso recorro aos amigos.

 Att,
 Hitch


Boa noite.

Eu utilizei o ipfw/dummynet junto com o pf tempos atrás; as únicas diferenças
de que me recordo neste momento são: carreguei o ipfw depois do pf e, nas regras
do ipfw/dummynet, utilizei a interface interna nos pipes. Não me recordo ao
certo, mas pela manhã vou procurar e te informo.

Algo como:

# Example from the follow-up: per-host shaping anchored to the internal
# interface.  $fw (the ipfw binary) and ${int_if} (the internal interface)
# are defined outside this excerpt.
# Both pipes carry 512Kbit/s; the mask makes dummynet classify on the low
# 8 bits of the address (0x00ff), so each masked host gets its own dynamic
# pipe of 512Kbit/s instead of all hosts sharing one.
$fw pipe 10 config mask src-ip 0x00ff bw 512Kbit/s
$fw pipe 20 config mask dst-ip 0x00ff bw 512Kbit/s
# `via ${int_if}` restricts the match to packets seen on the internal
# interface, so a forwarded packet is evaluated against the pipe rule only
# there rather than on every interface it crosses.
$fw add 10  pipe 10 ip from 192.168.100.1/32 to any via ${int_if}
$fw add 20  pipe 20 ip from any to 192.168.100.1/32 via ${int_if}
# Explicit accept at the end of the list (filtering is left to pf).
$fw add 100 allow ip from any to any

Boa noite.