pf configuration de Argentina
Gilberto Villani Brito
linux at giboia.org
Tue May 23 19:16:18 UTC 2006
Gus,
I have had this same doubt before.
Try using:
pass in on $int_if from $uext1 to any queue uext1_in
PS: This cup is owned by Brazil.
Gilberto
On Tue, 23 May 2006 15:54:24 -0300
gus <gus at clacso.edu.ar> wrote:
> Max Laier wrote:
>
> >This list is English only, thanks.
> >
> >
> >
> OK, sorry for the language!
>
> ==============================================================
>
>
> I have one FreeBSD server with IP addresses 168.96.200.114 and
> 168.96.200.113 on two 3Com network cards.
> One card has IP .114 (xl1) and the other, the external one, has .113 (xl0).
> I have been testing with one machine, IP 168.96.200.196, and I would like
> that machine to use only a little bandwidth, for example 6K.
>
> We have a gateway (not FreeBSD) with IP 168.96.200.1, and the machine .196
> uses .114 as its gateway.
>
>
> I have had no luck.
> The following is my pf.conf file:
>
>
>
> Can anyone help me?
> regards
> Gus.
>
> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
> # Required order: options, normalization, queueing, translation, filtering.
> # Macros and tables may be defined and used anywhere.
> # Note that translation rules are first match while filter rules are
> last match.
> # NOTE(review): the fragment above ("last match.") and the similar ones
> # further down ("easily.", "ambiguities.", "$internal_net will", "created for",
> # "address.", "will", "10.1.1.1 port 5678", "state") are not comments as
> # pasted; if they exist in the real file they should fail to parse. Most
> # likely they are mail-client line wrapping of longer lines - confirm.
>
> # Macros: define common values, so they can be referenced and changed
> easily.
> ext_if="xl0" # replace with actual external interface name i.e., dc0
> int_if="xl1" # replace with actual internal interface name i.e., dc1
> internal_net="168.96.200.0/24"
> external_addr="168.96.200.1"
> # NOTE(review): internal_net and external_addr are only referenced from the
> # commented-out example rules below; the active nat rule uses <interna>.
>
> # Tables: similar to macros, but more flexible for many addresses.
> #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
>
> # Options: tune the behavior of pf, default values are given.
> #set timeout { interval 10, frag 30 }
> #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> #set timeout { icmp.first 20, icmp.error 10 }
> #set timeout { other.first 60, other.single 30, other.multiple 60 }
> #set timeout { adaptive.start 0, adaptive.end 0 }
> #set limit { states 10000, frags 5000 }
> #set loginterface none
> #set optimization normal
> #set block-policy drop
> #set require-order yes
> set fingerprints "/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic
> ambiguities.
> #scrub in all
>
> # Queueing: rule-based bandwidth control.
> #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
> #queue dflt bandwidth 5% cbq(default)
> #queue developers bandwidth 80%
> #queue marketing bandwidth 15%
>
> # Hosts translated by the active nat rule below; .196 is also the host
> # that is shaped ($uext1).
> table <interna> {168.96.200.24, 168.96.200.82, 168.96.200.196}
>
> set loginterface $int_if
> # NOTE(review): duplicate of the "set fingerprints" line in the options
> # block above; keep only one.
> set fingerprints "/etc/pf.os"
>
> # altq is enabled on both interfaces. altq shapes packets leaving the
> # interface it is defined on: the _in queues are children of the $int_if
> # altq and shape traffic delivered to inside hosts, dflt_out shapes traffic
> # leaving $ext_if.
> altq on $int_if bandwidth 100Mb cbq queue {dflt_in, uext1_in}
> altq on $ext_if bandwidth 600Kb cbq queue {dflt_out}
>
> queue dflt_in cbq (default) bandwidth 60%
> queue dflt_out cbq (default)
>
> # 6Kb child of the 100Mb cbq on $int_if; only packets explicitly assigned
> # with "queue uext1_in" land here, everything else goes to dflt_in.
> queue uext1_in bandwidth 6Kb
>
> uext1="168.96.200.196"
>
> nat on $ext_if from <interna> to any -> ($ext_if)
>
> # Assigns packets leaving $int_if towards .196 (traffic to that host) to
> # the 6Kb queue. Packets coming from .196 are not assigned to any queue by
> # this rule.
> pass out on $int_if from any to $uext1 queue uext1_in
>
> # NOTE(review): this "pass out" is the only active filter rule in the file;
> # every "block" example below is commented out, so with the implicit
> # "pass in all" / "pass out all" described in the Filtering section nothing
> # is filtered on $ext_if.
>
> # Translation: specify how addresses are to be mapped or redirected.
> # nat: packets going out through $ext_if with source address
> $internal_net will
> # get translated as coming from the address of $ext_if, a state is
> created for
> # such packets, and incoming packets will be redirected to the internal
> address.
> #nat on $ext_if from $internal_net to any -> ($ext_if)
>
> # rdr: packets coming in on $ext_if with destination $external_addr:1234
> will
> # be redirected to 10.1.1.1:5678. A state is created for such packets, and
> # outgoing packets will be translated as coming from the external address.
> #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 ->
> 10.1.1.1 port 5678
>
> # rdr outgoing FTP requests to the ftp-proxy
> #rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # spamd-setup puts addresses to be redirected into table <spamd>.
> #table <spamd> persist
> #no rdr on { lo0, lo1 } from any to any
> #rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>
> # Filtering: the implicit first two rules are
> #pass in all
> #pass out all
>
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> #block in log all
> #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
> #pass out on $ext_if proto { tcp, udp } all keep state
>
> # pass incoming packets destined to the addresses given in table <foo>.
> #pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
>
> # pass incoming ports for ftp-proxy
> #pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep
> state
>
> # assign packets to a queue.
> #pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
> #pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
>
>
>