Re: [FreeBSD] Freebsd + PF
Hello again. After the lines I placed at the very top of my rules:

block in log-all all
block out log-all all
pass in quick on lo0 all
pass out quick on lo0 all

I allowed the users on my internal network to reach certain ports on the fw:

pass in quick on $int_if proto tcp from $lan_net to any port { 22,25,80,110,8080,12200,443,444,53 } flags S/SA keep state

Then I also allowed outbound traffic on the fw's interfaces facing the external modems:

pass out on $ext_if proto {tcp,udp} from $fwips to any keep state
pass out on $ext_if2 proto {tcp,udp} from $fwips to any keep state

My internal users can connect to the ports I allowed on the fw, no problem there, but even though I did not allow it they can also connect to an external mail server. How can I prevent this?

----- Original Message -----
From: vys
To: freebsd@lists.enderunix.org
Sent: Wednesday, April 16, 2008 8:55 AM
Subject: Re: [FreeBSD] Freebsd + PF

Huzeyfe hocam, thank you for this valuable information. Take care.

----- Original Message -----
From: Huzeyfe ONAL
To: freebsd@lists.enderunix.org
Sent: Tuesday, April 15, 2008 9:34 PM
Subject: RE: [FreeBSD] Freebsd + PF

Hello,

1-3) On ext_if I NAT the packets so that their source IP becomes ext_if2's, and I tag those packets IF2; then in the filtering part I send the packets tagged IF2 out the other interface.

2) The :0 in ext_if:0 means the first IP address belonging to that interface. On my own system ext_if has more than one IP address, so I have to write it that way to use the first address :)

From: vys [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 15, 2008 8:36 PM
To: freebsd@lists.enderunix.org
Subject: Re: [FreeBSD] Freebsd + PF

Hocam, hello again. I arranged my rules the way you said and the system is working now. But there are parts of the rules you sent that I do not understand; would it be possible for you to explain them, so that I grasp the subject better?

1. nat on $ext_if proto tcp from self to any port smtp tag IF2 -> ($ext_if2)
   nat on $ext_if proto tcp from self to any port pop3 tag IF2 -> ($ext_if2)
   What are we trying to do with the "smtp or pop3 tag IF2" line here? What is tag IF2?

2. pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to $ext_if2:0 port 80 keep state
   What does $ext_if2:0 in this line mean?

3. pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state
   What are we trying to do here with "$ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state"?

Huzeyfe hocam, I hope I am not bothering you too much. Regards.

----- Original Message -----
From: Huzeyfe ONAL
To: freebsd@lists.enderunix.org
Sent: Tuesday, April 15, 2008 7:13 PM
Subject: RE: [FreeBSD] Freebsd + PF

Greetings,

For SMTP you can use the rule below. You can replicate it for the other protocols by following the same pattern.

pass in quick log (all) on $ext_if0 reply-to ($ext_if0 $ext_gw0) proto tcp from any to $ext_if0:0 port 25 keep state

For SMTP packets leaving the firewall you can find the example in my previous mail.

--
From: vys [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 15, 2008 7:06 PM
To: freebsd@lists.enderunix.org
Subject: Re: [FreeBSD] Freebsd + PF

Huzeyfe hocam, hello. First of all, to understand the subject better, would it be possible for you to give a few more examples? The system in use is FreeBSD. What I am wondering about is this: mail I send from my server, or anything else, should go out via DSL 1; when I browse the Internet through the server it should go out via DSL 2; and when I connect to an external SSH server it should go out via DSL 1. If you could give examples along those lines it would be much appreciated, hocam.

Regards

----- Original Message -----
From: Huzeyfe ONAL
To: freebsd@lists.enderunix.org
Sent: Tuesday, April 15, 2008 5:53 PM
Subject: RE: [FreeBSD] Freebsd + PF

Hello,

For a packet that arrives over one line to go back out over the same line you need to use reply-to. Apart from that, you can use the route-to concept in this way not for the firewall itself but for requests coming from the internal network. The firewall's
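The multi-WAN pattern Huzeyfe describes in the thread above (NAT plus tag on the firewall's own SMTP/POP3 traffic, route-to on tagged packets, reply-to for inbound connections on the second line, and the interface:0 address selector), together with the difference between a LAN rule written "to any" and one written "to self", collected into one pf.conf skeleton. This is an added example, not a ruleset posted by anyone on the list; the interface names, addresses, ports and macro names are assumed.

```pf
# Added example for this thread, not a ruleset posted by anyone on the list.
# Two-WAN pf.conf skeleton for FreeBSD showing the constructs discussed:
#   nat + tag / tagged + route-to : the firewall's own SMTP/POP3 leaves via line 2
#   reply-to                      : answers to inbound line-2 traffic go back out line 2
#   interface:0                   : first address on an interface only (no aliases)
#   "to self" vs "to any"         : LAN limited to the firewall vs LAN to the world
# Interface names, addresses, ports and macros below are assumed.

ext_if   = "em0"                  # DSL line 1, holds the default route
ext_if2  = "em1"                  # DSL line 2
ext_gw2  = "192.0.2.1"            # next hop on line 2 (assumed, documentation address)
int_if   = "em2"
lan_net  = "10.0.0.0/24"
fw_ports = "{ 22, 53, 80, 443 }"  # services LAN hosts may use on the firewall itself

set skip on lo0

# --- Translation (evaluated before the filter rules) ---
# LAN traffic goes out line 1 with line 1's first address
nat on $ext_if from $lan_net to any -> ($ext_if:0)

# The firewall's own SMTP/POP3: rewrite the source to line 2's first address
# and tag the state IF2 so the filter below can push it out line 2.
nat on $ext_if proto tcp from self to any port { smtp, pop3 } tag IF2 -> ($ext_if2:0)

# --- Filtering ---
block in log all
block out log all

# LAN -> the firewall only. "self" expands to all of the firewall's own
# addresses; "to any" would also match every host beyond both DSL lines.
pass in quick on $int_if proto tcp from $lan_net to self port $fw_ports flags S/SA keep state

# LAN -> Internet, web only, via line 1 (the NAT rule above rewrites the source)
pass in  quick on $int_if proto tcp from $lan_net to any port { 80, 443 } flags S/SA keep state
pass out quick on $ext_if proto tcp from ($ext_if:0) to any port { 80, 443 } keep state

# Packets tagged IF2 by the NAT rule are about to leave line 1 (default route);
# route-to hands them to line 2 and its gateway instead.
pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state

# Inbound SMTP on line 2. Without reply-to the replies would follow the
# default route out line 1 carrying line 2's source address, which line 1's
# ISP will typically discard as spoofed.
pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to $ext_if2:0 port 25 keep state

# Everything else the firewall itself originates leaves through line 1
pass out quick on $ext_if proto { tcp, udp } from self to any keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`; `pfctl -vsr` prints per-rule packet counters, which is the quickest way to confirm that tagged SMTP/POP3 traffic is hitting the route-to rule rather than the generic pass out rule at the end. The route-to rule only sees packets that the routing table would otherwise send out line 1, so this layout assumes line 1 holds the default route.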
[FreeBSD] Fwd: Multipath routing - failover version
I think this was mentioned today or a few days ago. They have implemented multipath routing. The original patch was for 4.8; they ported it to 6.1-RELEASE. It allows more than one route to be entered for a single address. The active route is determined from the link state of the interfaces on which the routes are defined. Is there anyone who can try it and report the results?

This is a forwarded message
From: M.S. Motanu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Wednesday, April 16, 2008, 1:37:26 PM
Subject: Multipath routing - failover version

===8<== Original message text ===

I've ported the multipath routing patch by Ed Tanzer [EMAIL PROTECTED] for FreeBSD 4.8-STABLE to FreeBSD 6.1-RELEASE.

The patch modifies the kernel and the userland programs netstat and route so that for the same destination it is possible to specify two or more different gateways (paths). Switching between different paths is done by the kernel based on the link state of the interface associated with the gateway. This way we can achieve a level of redundancy at the link level (this is not a routing protocol!). The original patch did not have failover in mind; it addressed the problem of load balancing. But the same results can be achieved with this patch with minor changes to the code.

The patch files and installation instructions can be downloaded from: http://miauris.freehostia.com/mpath/mpath.tar.gz

Comments are welcomed!

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

===8<== End of original message text ===

--
Murat, http://www.enderunix.org/murat/

FreeBSD 6 book: http://www.acikakademi.com/catalog/freebsd6 - Before asking a question on the list, please check http://ipucu.enderunix.org. To unsubscribe, e-mail: [EMAIL PROTECTED]. List archive: http://news.gmane.org/gmane.org.user-groups.bsd.turkey
Re: [FreeBSD] Freebsd + PF
Hello. This topic is about pf, but ipfw... My system is FreeBSD 7.0; dhcp, squid and squidguard run on it. The machines get an IP address and can go out to the Internet provided the proxy is configured in the browser, but when they run ping or any other program that uses a different port it behaves as if there is no Internet, even though the "allow from any to any" rule is in effect in ipfw. What do I need to do?
[FreeBSD] Fwd: RE: Multipath routing - failover version
They have added it to 8.0 (-HEAD). It will probably be MFC'd to 7-STABLE soon; worth following.

This is a forwarded message
From: Li, Qing [EMAIL PROTECTED]
To: M.S. Motanu [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Wednesday, April 16, 2008, 8:38:37 PM
Subject: Multipath routing - failover version

===8<== Original message text ===

Hi,

I recently incorporated multipath support into -CURRENT, for the upcoming 8.0. This patch originated from the KAME project and builds on the existing routing data structures and infrastructure. As a result I did not have to modify the userland programs; however, I think netstat can use some tweaking in its output.

I am in the process of incorporating additional functionalities such as allowing for preference setting, and performing active health-check on the gateways and updating the routes accordingly.

> Switching between different paths is done by the kernel based on the link state of the interface associated with the gateway. This way we can achieve a level of redundancy at the link level (this is not a routing protocol!).

Hmm... in the current code if_unroute() would remove the interface route when the interface is down.

-- Qing

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

===8<== End of original message text ===

--
Murat, http://www.enderunix.org/murat/