pf configuration de Argentina

Gilberto Villani Brito linux at giboia.org
Tue May 23 19:16:18 UTC 2006


Gus,
I have had this same question before.
Try using:
pass in on $int_if from $uext1 to any queue uext1_in

PS: This cup is owned by Brazil.

Gilberto




On Tue, 23 May 2006 15:54:24 -0300
gus <gus at clacso.edu.ar> wrote:

> Max Laier wrote:
> 
> >This list is English only, thanks.
> >
> >  
> >
> OK, sorry for the language!!
> 
> ==============================================================
> 
>  
> I have one FreeBSD server with IP addresses 168.96.200.114 and
> 168.96.200.113 on two 3Com network cards.
> One card has IP .114 (xl1) and the other, the external one, has .113 (xl0).
> I have been testing with one machine, IP 168.96.200.196, and I would like
> that machine to use only a little bandwidth, for example 6K.
> 
> We have a gateway (not FreeBSD) with IP 168.96.200.1, and the machine .196
> uses .114 as its gateway.
> 
> 
> I have had no luck.
> The following is my pf.conf file:
> 
> 
> 
> Can anyone help me?
> regards
> Gus.
> 
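> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
> # Required order: options, normalization, queueing, translation, filtering.
> # Macros and tables may be defined and used anywhere.
> # Note that translation rules are first match while filter rules are last match.
> 
> # Macros: define common values, so they can be referenced and changed easily.
> ext_if="xl0"    # replace with actual external interface name i.e., dc0
> int_if="xl1"    # replace with actual internal interface name i.e., dc1
> internal_net="168.96.200.0/24"
> external_addr="168.96.200.1"
> 
> # Tables: similar to macros, but more flexible for many addresses.
> #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
> 
> # Options: tune the behavior of pf, default values are given.
> #set timeout { interval 10, frag 30 }
> #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> #set timeout { icmp.first 20, icmp.error 10 }
> #set timeout { other.first 60, other.single 30, other.multiple 60 }
> #set timeout { adaptive.start 0, adaptive.end 0 }
> #set limit { states 10000, frags 5000 }
> #set loginterface none
> #set optimization normal
> #set block-policy drop
> #set require-order yes
> set fingerprints "/etc/pf.os"
> 
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> #scrub in all
> 
> # Queueing: rule-based bandwidth control.
> #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
> #queue dflt bandwidth 5% cbq(default)
> #queue developers bandwidth 80%
> #queue marketing  bandwidth 15%
> 
> # Hosts NATed out through $ext_if by the nat rule below; .196 is also the
> # host that the uext1_in queue is meant to limit.
> table <interna> {168.96.200.24, 168.96.200.82, 168.96.200.196}
> 
> set loginterface $int_if
> # NOTE: duplicates the "set fingerprints" line in the Options block above;
> # keep only one of them.
> set fingerprints "/etc/pf.os"
> 
> # uext1_in and dflt_in are declared on $int_if, dflt_out on $ext_if.
> # NOTE(review): both interfaces appear to sit in 168.96.200.0/24 (see the
> # macros and <interna> above) -- confirm this is the intended topology.
> altq on $int_if bandwidth 100Mb cbq queue {dflt_in, uext1_in}
> altq on $ext_if bandwidth 600Kb cbq queue {dflt_out}
> 
> queue dflt_in cbq (default) bandwidth 60%
> queue dflt_out cbq (default)
> 
> # pf bandwidth suffixes are bits per second: 6Kb is 6 kbit/s, not 6 KB/s.
> queue uext1_in bandwidth 6Kb
> 
> # The single host whose traffic is to be limited.
> uext1="168.96.200.196"
> 
> # Live NAT rule; the commented "nat" example further down is the template.
> nat on $ext_if from <interna> to any -> ($ext_if)
> 
> # Only packets leaving the firewall on $int_if towards $uext1 (traffic *to*
> # the host) are placed in uext1_in by this rule; packets arriving on $int_if
> # from $uext1 do not match it. Queue hit counters: "pfctl -v -s queue".
> pass out on $int_if from any to $uext1 queue uext1_in
> 
> # Translation: specify how addresses are to be mapped or redirected.
> # nat: packets going out through $ext_if with source address $internal_net will
> # get translated as coming from the address of $ext_if, a state is created for
> # such packets, and incoming packets will be redirected to the internal address.
> #nat on $ext_if from $internal_net to any -> ($ext_if)
> 
> # rdr: packets coming in on $ext_if with destination $external_addr:1234 will
> # be redirected to 10.1.1.1:5678. A state is created for such packets, and
> # outgoing packets will be translated as coming from the external address.
> #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
> 
> # rdr outgoing FTP requests to the ftp-proxy
> #rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> 
> # spamd-setup puts addresses to be redirected into table <spamd>.
> #table <spamd> persist
> #no rdr on { lo0, lo1 } from any to any
> #rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
> 
> # Filtering: the implicit first two rules are
> #pass in all
> #pass out all
> 
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> # NOTE(review): with "block in log all" left commented out, the implicit
> # "pass in all / pass out all" noted above apply, so this ruleset appears to
> # shape traffic but not to filter anything.
> #block in log all
> #pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> #pass  out on $ext_if proto { tcp, udp } all keep state
> 
> # pass incoming packets destined to the addresses given in table <foo>.
> #pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
> 
> # pass incoming ports for ftp-proxy
> #pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
> 
> # assign packets to a queue.
> #pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
> #pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing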
> 
> 
> 

