Re: [FreeBSD] Freebsd + PF

2008-04-16 vys
Hello again,

At the very top of my rules I have:
block in log-all all
block out log-all all
pass in  quick on lo0 all
pass out quick on lo0 all

After these lines I allowed my internal network users to reach certain ports on the fw:
pass in quick on $int_if proto tcp from $lan_net to any port { 22,25,80,110,8080,12200,443,444,53 } flags S/SA keep state
Then I allowed the fw outbound on the interfaces facing the external modems:

pass out on $ext_if proto {tcp,udp} from $fwips to any  keep state
pass out on $ext_if2 proto {tcp,udp} from $fwips to any  keep state

My internal users can connect to the ports I allowed on the fw, no problem there, but despite what I allowed they can also connect to an external mail server.
How can I prevent this?

  ----- Original Message -----
  From: vys 
  To: freebsd@lists.enderunix.org 
  Sent: Wednesday, April 16, 2008 8:55 AM
  Subject: Re: [FreeBSD] Freebsd + PF 


  Huzeyfe, sir, thank you for this valuable information.

  Take care,
- Original Message - 
From: Huzeyfe ONAL 
To: freebsd@lists.enderunix.org 
Sent: Tuesday, April 15, 2008 9:34 PM
Subject: RE: [FreeBSD] Freebsd + PF 


Hello,

1-3) I NAT the packets going out over ext_if so that their source IP becomes ext_if2's, and I tag those packets IF2; then, in the filtering section, I send the packets tagged IF2 out the other interface.

2) The :0 in ext_if:0 means the first IP address belonging to that interface. On my own system ext_if has more than one IP address, so I have to write it that way to use the first one :)

 




From: vys [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 15, 2008 8:36 PM
To: freebsd@lists.enderunix.org
Subject: Re: [FreeBSD] Freebsd + PF 

 

Hello again, sir,

I arranged my rules the way you said and the system is working now. But there are parts of the rules you sent that I don't understand; would it be possible for you to explain them, so that I grasp the subject better?

 

1. nat on $ext_if proto tcp from self to any port smtp  tag IF2 -> ($ext_if2)
   nat on $ext_if proto tcp from self to any port pop3  tag IF2 -> ($ext_if2)
   What are we trying to do with the "tag IF2" on the smtp or pop3 line here? What is tag IF2?

 

2. pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to $ext_if2:0 port 80 keep state

   What does $ext_if2:0 mean on this line?

 

3. pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state
   What are we trying to do here with $ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state?

Huzeyfe, sir, I hope I am not bothering you too much.

Regards..

 

  ----- Original Message -----

  From: Huzeyfe ONAL 

  To: freebsd@lists.enderunix.org 

  Sent: Tuesday, April 15, 2008 7:13 PM

  Subject: RE: [FreeBSD] Freebsd + PF 

   

  Greetings,

  For SMTP you can use the rule below. You can multiply it for the other protocols along the same lines.

   

   

  pass in quick log (all) on $ext_if0 reply-to ($ext_if0 $ext_gw0) proto tcp from any to $ext_if0:0 port 25 keep state

   

   

  You can find the example for SMTP packets leaving the firewall in my previous mail.


--

  From: vys [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, April 15, 2008 7:06 PM
  To: freebsd@lists.enderunix.org
  Subject: Re: [FreeBSD] Freebsd + PF 

   

  Hello Huzeyfe, sir,

  First of all, to understand the subject better, would it be possible for you to give a few more examples?

  The system in use is FreeBSD. What I want to know is this: mail I send from my server, or anything else, should go out over DSL 1; when I surf the internet from the server it should go out over DSL 2; and when I connect to an external SSH server it should go out over DSL 1. If you could illustrate it with examples like these I would be very grateful, sir.

  Regards

   

   

- Original Message - 

From: Huzeyfe ONAL 

To: freebsd@lists.enderunix.org 

Sent: Tuesday, April 15, 2008 5:53 PM

Subject: RE: [FreeBSD] Freebsd + PF 

 

Hello,

For a packet that comes in over one line to go back out over the same line, you need to use reply-to.

Apart from that, you can use the route-to concept in this way not for the firewall itself but for requests coming from the internal network. The firewall's
[FreeBSD] Fwd: Multipath routing - failover version

2008-04-16 Murat Balaban

I think this came up today or a few days ago. Multipath routing has been implemented. The original patch was for 4.8; it has been ported to 6.1-RELEASE.

It allows more than one route to be entered for a destination. The active route is determined by the link state of the interfaces the routes are defined on.

Is there anyone who can try it and report the results?



This is a forwarded message
From: M.S. Motanu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Wednesday, April 16, 2008, 1:37:26 PM
Subject: Multipath routing - failover version

===8<== Original message text ===
I've ported the multipath routing patch by Ed Tanzer
[EMAIL PROTECTED]
for FreeBSD 4.8-STABLE to FreeBSD 6.1-RELEASE.

The patch modifies the kernel and the userland programs netstat and route
so that for the same destination it is possible to specify two or more
different gateways (paths).

Switching between different paths is done by the kernel based on the link
state of the interface associated with the gateway. This way one can
achieve a level of redundancy at the link level (this is not a routing
protocol!).

The original patch did not have failover in mind, it addressed the problem
of load balancing. But the same results can be achieved with this patch
with minor changes to the code.

The patch files and installation instructions can be downloaded
from: http://miauris.freehostia.com/mpath/mpath.tar.gz

Comments are welcomed!
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

===8<== End of original message text ===



-- 
Murat,
http://www.enderunix.org/murat/
FreeBSD 6 kitabi: http://www.acikakademi.com/catalog/freebsd6
-
Listeye soru sormadan once lutfen http://ipucu.enderunix.org sitesine bakiniz.

Cikmak icin, e-mail: [EMAIL PROTECTED]
Liste arsivi: http://news.gmane.org/gmane.org.user-groups.bsd.turkey


Re: [FreeBSD] Freebsd + PF

2008-04-16 Ali KAPUCU
Hello. This thread is about pf, but mine is ipfw...

My system is FreeBSD 7.0 with dhcp, squid and squidguard running on it. The machines get an IP and can get out to the internet provided they set the proxy in their browser, but when they run ping or a program that uses some other port it behaves as if there were no internet, even though the rule allow from any to any is in effect in ipfw.
What do I need to do?


[FreeBSD] Fwd: RE: Multipath routing - failover version

2008-04-16 Murat Balaban

It has been added to 8.0 (-HEAD). It will probably be MFC'd to 7-STABLE soon; worth keeping an eye on.

This is a forwarded message
From: Li, Qing [EMAIL PROTECTED]
To: M.S. Motanu [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Wednesday, April 16, 2008, 8:38:37 PM
Subject: Multipath routing - failover version

===8<== Original message text ===

Hi,

I recently incorporated multipath support into -CURRENT,
for the upcoming 8.0.  This patch originated from the KAME
project and builds on the existing routing data structures
and infrastructure. As a result I did not have to
modify the userland programs, however, I think netstat
can use some tweaking in its output. 

I am in the process of incorporating additional functionalities
such as allowing for preference setting, and performing active 
health-check on the gateways and updating the routes
accordingly.

> Switching between different paths is done by the kernel based
> on the link state of the interface associated with the
> gateway. This way one can achieve a level of redundancy at
> the link level (this is not a routing protocol!).

Hmm... in the current code if_unroute() would remove
the interface route when the interface is down.


-- Qing
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

===8<== End of original message text ===



-- 
Murat,
http://www.enderunix.org/murat/