pf configuration from Argentina

gus gus at clacso.edu.ar
Mon May 22 22:30:41 UTC 2006


Hello

If anyone can help me.
Actually, let me tell you the first steps: supposedly we are doing this with
a single machine against the FreeBSD server.
The server has the IP addresses 168.96.200.114 and 168.96.200.113,
corresponding to two 3Com network cards.
The card with the .114 address is the internal one (xl1) and the .113 is the
external one (xl0).
Our first test is against a machine whose IP is 168.96.200.196, and we want
it to have only a limited bandwidth, namely 6K.
The gateway we use without FreeBSD is 168.96.200.1; in this case the .196
machine was assigned .114 as its gateway.
We have tried and have had no luck.
The following is what we changed in the pf.conf file.

# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="xl0"    # replace with actual external interface name i.e., dc0
int_if="xl1"    # replace with actual internal interface name i.e., dc1
internal_net="168.96.200.0/24"
external_addr="168.96.200.1"

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%

table <interna> {168.96.200.24, 168.96.200.82, 168.96.200.196}

set loginterface $int_if
set fingerprints "/etc/pf.os"

altq on $int_if bandwidth 100Mb cbq queue {dflt_in, uext1_in}
altq on $ext_if bandwidth 600Kb cbq queue {dflt_out}

queue dflt_in cbq (default) bandwidth 60%
queue dflt_out cbq (default)

queue uext1_in bandwidth 6Kb

uext1="168.96.200.196"

nat on $ext_if from <interna> to any -> ($ext_if)

pass out on $int_if from any to $uext1 queue uext1_in

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass  out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
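As an added example (not from the original post and not part of FreeBSD's pfctl), the following Python checker parses the altq/queue/pass portion of the posted pf.conf and verifies the relationships pfctl enforces when the ruleset is loaded: every child queue named on an altq line is defined, the children's bandwidths fit inside the parent's, each altq has exactly one default queue, and every queue a filter rule assigns to actually exists. The embedded config is the queueing portion of the posted file; the grammar the checker understands is limited to that subset, and bandwidth suffixes are treated as decimal kilo/mega/gigabits the way pfctl's parser does. One caveat worth keeping in mind when reading the result: a queue only shapes packets that really leave the named interface, so `pass out on $int_if ... queue uext1_in` shapes traffic leaving xl1 toward .196 (the download direction), and a host whose packets never pass through the FreeBSD box is not shaped at all.

```python
import re

# Bandwidth suffixes as pfctl treats them (decimal multiples, bits per second).
_SUFFIX = {"": 1, "b": 1, "k": 1_000, "kb": 1_000,
           "m": 1_000_000, "mb": 1_000_000, "g": 1_000_000_000, "gb": 1_000_000_000}

# The queueing portion of the posted pf.conf, embedded here as sample input.
POSTED_CONFIG = """
ext_if="xl0"    # external interface
int_if="xl1"    # internal interface
altq on $int_if bandwidth 100Mb cbq queue {dflt_in, uext1_in}
altq on $ext_if bandwidth 600Kb cbq queue {dflt_out}
queue dflt_in cbq (default) bandwidth 60%
queue dflt_out cbq (default)
queue uext1_in bandwidth 6Kb
uext1="168.96.200.196"
pass out on $int_if from any to $uext1 queue uext1_in
"""


def parse_bandwidth(text, parent=None):
    """Return bits/s for values like '6Kb', '100Mb' or '60%' (percent needs the parent)."""
    text = text.strip()
    if text.endswith("%"):
        if parent is None:
            raise ValueError("percentage without a parent queue: " + text)
        return parent * int(text[:-1]) // 100
    m = re.fullmatch(r"(\d+)([A-Za-z]*)", text)
    if not m or m.group(2).lower() not in _SUFFIX:
        raise ValueError("bad bandwidth: " + text)
    return int(m.group(1)) * _SUFFIX[m.group(2).lower()]


def parse_pf(config):
    """Extract macros, altq roots, queue definitions and queue assignments."""
    macros, altqs, queues, assignments = {}, {}, {}, []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:                                        # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():           # expand $macro references
            line = line.replace("$" + name, value)
        m = re.fullmatch(r"altq on (\S+) bandwidth (\S+) (\w+) queue \{([^}]*)\}", line)
        if m:
            altqs[m.group(1)] = {"bandwidth": parse_bandwidth(m.group(2)),
                                 "scheduler": m.group(3),
                                 "children": [q.strip() for q in m.group(4).split(",")]}
            continue
        m = re.fullmatch(r"queue (\S+)(.*)", line)
        if m:
            name, opts = m.group(1), m.group(2)
            bw = re.search(r"bandwidth (\S+)", opts)
            queues[name] = {"bandwidth": bw.group(1) if bw else None,
                            # "cbq (default)" and "cbq(default)" both mark the default queue
                            "default": bool(re.search(r"\([^)]*\bdefault\b[^)]*\)", opts))}
            continue
        m = re.match(r"pass\b.*\bqueue\s+(\w+)", line)
        if m:                                        # filter rule assigning a queue
            assignments.append((line, m.group(1)))
    return {"altqs": altqs, "queues": queues, "assignments": assignments}


def check_queues(config):
    """Return (findings, resolved) where resolved maps queue name -> bits/s."""
    p = parse_pf(config)
    findings, resolved = [], {}
    for iface, root in p["altqs"].items():
        total, defaults = 0, 0
        for child in root["children"]:
            q = p["queues"].get(child)
            if q is None:
                findings.append(f"{iface}: child queue {child} is never defined")
                continue
            # a child without an explicit bandwidth gets 100% of its parent
            bw = (parse_bandwidth(q["bandwidth"], root["bandwidth"])
                  if q["bandwidth"] else root["bandwidth"])
            resolved[child] = bw
            total += bw
            defaults += q["default"]
        if total > root["bandwidth"]:
            findings.append(f"{iface}: children need {total} b/s, root has {root['bandwidth']}")
        if defaults != 1:
            findings.append(f"{iface}: expected one default queue, found {defaults}")
    for rule, qname in p["assignments"]:
        if qname not in resolved:
            findings.append(f"rule assigns undefined queue {qname}: {rule}")
    return findings, resolved


if __name__ == "__main__":
    problems, sizes = check_queues(POSTED_CONFIG)
    for name, bps in sizes.items():
        print(f"{name}: {bps} b/s")
    print("no structural problems found" if not problems else "\n".join(problems))
```

Run against the posted queueing lines the checker reports no structural problems and resolves uext1_in to 6000 b/s under a 100 Mb root, which means the 6K limit itself is expressed correctly and the question becomes whether the .196 host's packets are really being forwarded out of xl1.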



More information about the freebsd-pf mailing list