pf configuration from Argentina

Gilberto Villani Brito linux at giboia.org
Thu May 25 07:46:59 PDT 2006


Hi,
I tested your rules and it worked correctly.
Maybe you need to put:
...
 block all
 pass out on $int_if from any to <lan>
 pass in on $int_if from <lan> to any
 pass out on $ext_if from any to any
 pass in on $ext_if from any to any
 pass in on $int_if from $uext1 to any queue uext1_in
...
All in this order.

PS: Let's see the champion.

Hugs
Gilberto


On Wed, 24 May 2006 18:21:01 -0300
gus <gus at clacso.edu.ar> wrote:

> Gilberto Villani Brito wrote:
> 
> >Gus,
> >I already had this doubt.
> >Try using:
> >pass in on $int_if from $uext1 to any queue uext1_in
> >
> >PS: This cup is owned by Brazil.
> >
> Gilberto
> 
> Sorry for the World Cup win... (Argentina)
> 
> but now the problem is pf....
> I had changed the line, but when I tried to connect my machine
> 168.96.200.196... to 6K....
> It does not see this bandwidth, and so it gets access at 100 K....
> 
> Any idea?
> 
> Hugs
> Gus
> 
> =======================================
> 
> ext_if="xl0"    # replace with actual external interface name i.e., dc0
> int_if="xl1"    # replace with actual internal interface name i.e., dc1
> internal_net="168.96.200.0/24"
> #external_addr="168.96.200.1"
> 
> #Tables: similar to macros, but more flexible for many addresses.
> #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
> 
> # Options: tune the behavior of pf, default values are given.
> #set timeout { interval 10, frag 30 }
> #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> #set timeout { icmp.first 20, icmp.error 10 }
> #set timeout { other.first 60, other.single 30, other.multiple 60 }
> #set timeout { adaptive.start 0, adaptive.end 0 }
> #set limit { states 10000, frags 5000 }
> #set loginterface none
> #set optimization normal
> #set block-policy drop
> #set require-order yes
> #set fingerprints "/etc/pf.os"
> 
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> #scrub in all
> 
> # Queueing: rule-based bandwidth control.
> #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
> #queue dflt bandwidth 5% cbq(default)
> #queue developers bandwidth 80%
> #queue marketing  bandwidth 15%
> 
> table <lan> { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }
> 
> set loginterface $int_if
> set fingerprints "/etc/pf.os"
> 
> altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in }
> altq on $ext_if bandwidth 600Kb cbq queue { dflt_out }
> 
> queue dflt_in cbq (default) bandwidth 60%
> queue dflt_out cbq (default)
> 
> queue uext1_in bandwidth 6Kb
> 
> uext1="168.96.200.196"
> 
> nat on $ext_if from <lan> to any -> ($ext_if)
> 
> pass in on $int_if from $uext1 to any queue uext1_in
> 
> # Translation: specify how addresses are to be mapped or redirected.
> # nat: packets going out through $ext_if with source address $internal_net will
> # get translated as coming from the address of $ext_if, a state is created for
> # such packets, and incoming packets will be redirected to the internal address.
> #nat on $ext_if from $internal_net to any -> ($ext_if)
> 
> # rdr: packets coming in on $ext_if with destination $external_addr:1234 will
> # be redirected to 10.1.1.1:5678. A state is created for such packets, and
> # outgoing packets will be translated as coming from the external address.
> #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
> 
> # rdr outgoing FTP requests to the ftp-proxy
> #rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> 
> # spamd-setup puts addresses to be redirected into table <spamd>.
> #table <spamd> persist
> #no rdr on { lo0, lo1 } from any to any
> #rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
> 
> # Filtering: the implicit first two rules are
> #pass in all
> #pass out all
> 
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> #block in log all
> #pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> #pass  out on $ext_if proto { tcp, udp } all keep state
> 
> # pass incoming packets destined to the addresses given in table <foo>.
> #pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
> 
> # pass incoming ports for ftp-proxy
> #pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
> 
> # assign packets to a queue.
> #pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
> #pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
> 
> 
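
An added example for the shaping problem discussed in this thread; it is not code from either poster, and it is not a corrected copy of the ruleset above. Two things about pf as FreeBSD shipped it in 2006 (the OpenBSD 3.7 import) explain the "still 100K" symptom. First, ALTQ only shapes packets leaving an interface, so a queue defined on $int_if can only cap what a LAN host receives; the packets the host sends in on $int_if are never queued there. Second, that pf does not keep state implicitly. A queue named on a "pass in on $int_if" rule reaches the download direction only through a state entry: the replies going back out $int_if match the state, and the queue of the rule that created the state is applied to them. Without "keep state" there is no state, the replies match no queue-assigning rule, and they leave $int_if through the default queue at full rate. The fragment below assumes the interface names and addresses from the posted config, a kernel built with "options ALTQ" and "options ALTQ_CBQ" (and ALTQ_NOPCC on SMP), and the default floating state policy; the queue names are my own.

```pf
# Added example, not from the thread: rate-limit one LAN host with ALTQ/CBQ.
# Assumed: FreeBSD 6.x pf (OpenBSD 3.7 import), a kernel with
# "options ALTQ" and "options ALTQ_CBQ" (plus ALTQ_NOPCC on SMP), and the
# interface names and addresses from the posted config. Queue names are mine.
ext_if="xl0"
int_if="xl1"
uext1="168.96.200.196"
table <lan> { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }

# ALTQ only shapes packets leaving an interface. A cap on what $uext1
# receives therefore belongs on $int_if; capping what it sends would need
# a second altq on $ext_if (not shown).
altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in }
queue dflt_in  bandwidth 60% cbq(default)
queue uext1_in bandwidth 6Kb cbq

altq on $ext_if bandwidth 600Kb cbq queue { dflt_out }
queue dflt_out bandwidth 90% cbq(default)

nat on $ext_if from <lan> to any -> ($ext_if)

# Default deny. Every pass rule keeps state: this pf does not keep state
# implicitly, and without a state entry the replies going back out $int_if
# never match the "pass in" rule, so they fall into dflt_in at full rate
# (the 100K symptom). With state, the queue named on the rule that created
# the state is applied to the replies when they leave $int_if.
block all

# Last matching rule wins, so the general LAN rule goes first and the
# per-host rule after it; the other way round, <lan> (which contains
# $uext1) would win and the queue assignment would be lost.
pass in  on $int_if from <lan>  to any keep state
pass in  on $int_if from $uext1 to any keep state queue uext1_in
pass out on $ext_if from any to any keep state

# Checks:
#   pfctl -nf /etc/pf.conf    parse only; catches queue syntax errors
#   pfctl -f  /etc/pf.conf    load the ruleset
#   pfctl -vvsq               per-queue packet/byte counters: if uext1_in
#                             stays at 0 while $uext1 downloads, no rule is
#                             assigning traffic to it
```

The counters from "pfctl -vvsq" are the quickest way to tell a syntax problem from a rule-ordering problem: a queue that loads but never counts packets means the rule meant to feed it is being shadowed by a later match or is not creating state.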


More information about the freebsd-pf mailing list