Re: [FreeBSD] port-based routing

2006-11-13, from Veysi Gümüs



Hi,

I adjusted the firewall rules as you described. From the internal network I can now connect to port 25 of an external mail server. But this time, from the internal network I cannot connect to port 25 of my firewall machine (the mail server and the firewall are the same machine), and when I connect from the firewall machine itself to an external mail server I can see it as "pass out" in the log, but I cannot connect.

Regards

Re: [FreeBSD] port-based routing

2006-11-13, from Huzeyfe Onal
Hello,

***
pass in log on $int_if route-to \
    { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $fwips to any flags S/SA modulate state

pass in log on $int_if route-to \
    { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $fwips to any keep state

pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from $fwips to any port 25 keep state

These rules serve no purpose; you can delete them. No packet from the $fwips addresses ever arrives on int_if.
If you add *only* the rules below to the "Port-Based Routing" section, it will work.

pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) proto tcp from $fwips to any port 25 keep state
pass out quick on $ext_if2 proto tcp from $fwips to any port 25 keep state

pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from $lan_net to any port 25 keep state

The blocks you see in the logs are caused by pfsync. You can bring the pfsync interface down with the command ifconfig pfsync0 down.

Re: [FreeBSD] port-based routing

2006-11-12, from Veysi Gümüs



Hi;

Yes, to send both the internal-network users' and my mail server's outgoing SMTP requests through the interface I choose.

Re: [FreeBSD] port-based routing

2006-11-12, from Huzeyfe Onal
Hello,
What exactly do you want to do? Are you trying to send the internal-network users' connections to an external SMTP server out through a different interface, or do you want to redirect the requests leaving the mail server?

Best regards...

[FreeBSD] port-based routing

2006-11-11, from Veysi Gümüs




Hi,

I want to do port-based routing with PF. With the rules I have written, though, traffic still tries to leave via the default gateway. I want my requests going to port 25 to leave through that interface. What mistake might I have made in the rules I wrote?

A second problem is that there is constant blocking in pflog, and I could not find out what it is trying to block. I have put the rules and the block lines from the log in the lines below.

Regards
Veysi GUMUS

###Macros###
lan_net = "{ 10.0.0.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 }"
int_if = "bge0"
ext_if = "vr0"
ext_if2 = "vr1"
ext_gw1 = "192.168.100.213"
ext_gw2 = "192.168.110.25"
fwips = "{127.0.0.1, 10.0.0.2, 192.168.100.212, 192.168.110.26}"

###Definitions###
table  persist file "/usr/local/etc/fw/msn"
table  persist file "/usr/local/etc/fw/kamera"
table  persist file "/usr/local/etc/fw/ftp"
table  persist file "/usr/local/etc/fw/sigorta"
table  persist file "/usr/local/etc/fw/banka"
table  persist file "/usr/local/etc/fw/fbs"

###Set Optimizations###
set limit { frags 3, states 25000 }
set loginterface $ext_if
scrub in all

###NAT Rules###
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
rdr on $int_if proto tcp from any to any port 80 -> 10.0.0.2 port 8080

###Firewall Rules###
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

pass in log on $int_if route-to \
    { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $fwips to any flags S/SA modulate state

pass in log on $int_if route-to \
    { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $fwips to any keep state

###Port-Based Routing###
pass in quick log on $int_if route-to ($ext_if2 $ext_gw2) proto tcp from $fwips to any port 25 keep state
pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) proto tcp from $fwips to any port 25 keep state

###Inbound via ADSL 1###
pass in quick log on $ext_if proto tcp from any to any port = 22 flags S/SA
pass out quick on $ext_if proto { tcp, udp, icmp } from $ext_if to any keep state
pass out on $ext_if2 route-to ($ext_if $ext_gw1) from $ext_if to any keep state

###Inbound via ADSL 2###
pass in quick log on $ext_if2 proto tcp from any to any port {25,80,110} flags S/SA
pass out quick on $ext_if2 proto { tcp, udp, icmp } from $ext_if2 to any keep state
pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state

###From the LAN to the firewall###
pass in quick log on $int_if proto tcp from $lan_net to any port { 22, 25, 80, 110, 8080, 3128, 12200 } flags S/SA keep state
pass in quick log on $int_if proto tcp from  to any port = 1863 flags S/SA keep state
pass in quick log on $int_if proto tcp from  to any port = 18082 flags S/SA keep state
pass in quick log on $int_if proto tcp from  to any port = 12173 flags S/SA keep state
pass in quick log on $int_if proto tcp from  to any port = 443 flags S/SA keep state
pass in quick log on $int_if proto tcp from  to any port = 33000 flags S/SA keep state
pass in quick log on $int_if proto tcp from  to any port = 21 flags S/SA keep state
pass in quick on $int_if proto { udp, icmp } from $lan_net to any keep state

###Outbound from the firewall###
pass out quick log on $int_if proto tcp from $lan_net to any port { 22, 25, 80, 110, 8080, 12200 } flags S/SA keep state
pass out quick log on $ext_if2 proto tcp from any to any port { 22, 25, 80, 110, 8080, 12200 } flags S/SA keep state
pass out quick on $int_if proto { udp, icmp } from $lan_net to any keep state

The blocks in the log file keep repeating.

tcpdump -eni pflog0

10:17:41.415182 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 452
10:17:41.415190 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.425677 rule 36/0(match): pass in on bge0: 10.0.0.21.3405 > 10.0.0.2
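As an added example (not part of the thread, and not code from anyone in it), here is a small Python triage script for the kind of `tcpdump -eni pflog0` output quoted above: it parses the pass/block lines, groups blocked flows by rule number, interface, direction, protocol and destination port, maps the rule numbers back to rule text from a `pfctl -vvsr` listing, and separates the pfsync noise Huzeyfe points at from blocked traffic that somebody actually sent. The log lines and the rule listing are constructed samples in the thread's format, and the `@N` rule numbers in the listing are hypothetical.

```python
"""Triage pflog output: which rule blocked what, and how much is pfsync noise."""
import re
from collections import Counter

# Constructed sample in the format of `tcpdump -eni pflog0` quoted in the
# thread (not a capture from the poster's firewall).
PFLOG_SAMPLE = """\
10:17:41.415182 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 452
10:17:41.415190 rule 5/0(match): block out on vr0: 192.168.100.212 > 0.0.0.0:  pfsync 228
10:17:41.425677 rule 36/0(match): pass in on bge0: 10.0.0.21.3405 > 10.0.0.2.8080: S 1:1(0) win 65535
10:17:42.100001 rule 5/0(match): block out on vr0: 10.0.0.2.51234 > 198.51.100.7.25: S 9:9(0) win 65535
"""

# Constructed `pfctl -vvsr` excerpt; the @N rule numbers are hypothetical and
# only serve to map the "rule N/0" field of the log back to rule text.
PFCTL_RULES_SAMPLE = """\
@5 block drop out log all
@36 pass in quick log on bge0 inet proto tcp from 10.0.0.0/24 to any port = 8080 flags S/SA keep state
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>[\w.]+): "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+):\s*(?P<rest>.*)$"
)
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<text>.+)$")

def split_host_port(addr):
    """'10.0.0.2.8080' -> ('10.0.0.2', 8080); a bare IPv4 address gets port None."""
    parts = addr.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4]), int(parts[4])
    return addr, None

def parse_pflog(text):
    """Parse pflog lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, sport = split_host_port(m["src"])
        dst, dport = split_host_port(m["dst"])
        first = m["rest"].split()[0].lower() if m["rest"] else ""
        # old tcpdump prints TCP as bare flags ("S ..."); other protocols are named
        proto = first if first in ("pfsync", "udp", "icmp") else "tcp"
        events.append({"ts": m["ts"], "rule": int(m["rule"]), "action": m["action"],
                       "dir": m["dir"], "iface": m["iface"], "proto": proto,
                       "src": src, "sport": sport, "dst": dst, "dport": dport})
    return events

def parse_pfctl_rules(text):
    """Map rule number -> rule text from a `pfctl -vvsr` listing."""
    return {int(m["num"]): m["text"]
            for m in (RULE_RE.match(l) for l in text.splitlines()) if m}

def summarize_blocks(events, rules):
    """Count blocked flows per (rule, iface, dir, proto, dport), paired with rule text."""
    counts = Counter((e["rule"], e["iface"], e["dir"], e["proto"], e["dport"])
                     for e in events if e["action"] == "block")
    return {k: (n, rules.get(k[0], "<rule not in listing>")) for k, n in counts.items()}

def pfsync_noise(events):
    """Blocked pfsync packets: the firewall's own state-sync traffic hitting the
    catch-all 'block out log all'; the thread's answer was to take pfsync0 down."""
    return [e for e in events if e["action"] == "block" and e["proto"] == "pfsync"]
```

Feed real `tcpdump -eni pflog0` and `pfctl -vvsr` output into the two parse functions in place of the samples; anything left in the summary after the pfsync entries are set aside is what the ruleset is really dropping.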