From: gus <gus@clacso.edu.ar>
To: freebsd-pf@freebsd.org
Date: Mon, 22 May 2006 19:37:32 -0300
Subject: pf configuration from Argentina
Message-ID: <44723D2C.30801@clacso.edu.ar>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello

If anyone can help me.

Actually, let me tell you the first steps. Supposedly we are doing this with a single machine against the FreeBSD server. The server has the IP addresses 168.96.200.114 and 168.96.200.113, corresponding to two 3Com network cards. The card with .114 is the internal one (xl1) and .113 is the external one (xl0). Our first test is against a machine whose IP is 168.96.200.196, and we want it to have only a limited bandwidth, namely 6K.

The gateway we use without FreeBSD is 168.96.200.1; in this case the .196 machine was assigned .114 as its gateway. We have tried and have had no luck. The following is what we changed in the pf.conf file.

# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="xl0"    # replace with actual external interface name i.e., dc0
int_if="xl1"    # replace with actual internal interface name i.e., dc1
internal_net="168.96.200.0/24"
external_addr="168.96.200.1"

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%

# Lines added for the bandwidth test. The table name between angle brackets
# was stripped by the list archive; <name> below is a placeholder for it.
table <name> {168.96.200.24, 168.96.200.82, 168.96.200.196}
set loginterface $int_if
set fingerprints "/etc/pf.os"
altq on $int_if bandwidth 100Mb cbq queue {dflt_in, uext1_in}
altq on $ext_if bandwidth 600Kb cbq queue {dflt_out}
queue dflt_in cbq (default) bandwidth 60%
queue dflt_out cbq (default)
queue uext1_in bandwidth 6Kb
uext1="168.96.200.196"
nat on $ext_if from <name> to any -> ($ext_if)
pass out on $int_if from any to $uext1 queue uext1_in

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
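The post's queueing section is an ALTQ cbq hierarchy: one `altq on <interface>` root per interface with an absolute bandwidth, child queues that take either an absolute rate or a percentage of the parent, exactly one `(default)` queue per interface, and `pass` rules that assign matching traffic to a named queue. The script below is an added example of mine, not code from the poster or from the FreeBSD project, that parses those statements and checks the structural invariants pfctl enforces: every queue listed under a root is defined, children never claim more bandwidth than their parent has, each root has exactly one default queue, and every `queue` assignment in a rule names a defined queue. The sample input is the poster's queueing lines with the `$int_if`/`$ext_if` macros resolved to `xl1`/`xl0`; the second, deliberately broken, sample is constructed to show what a failing check reports. Treating an unspecified child bandwidth as the parent's full rate is this checker's own assumption, not something pf.conf(5) states.

```python
"""Structural checks for pf ALTQ queue definitions (added example, not from the post)."""
import re
from dataclasses import dataclass

# pfctl reads K/M/G as decimal multipliers, not 1024-based.
UNIT = {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}
BW_RE = re.compile(r"^(\d+(?:\.\d+)?)(Gb|Mb|Kb|b|%)$")
ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)\s+bandwidth\s+(\S+)\s+(cbq|priq|hfsc)\s+queue\s*\{([^}]*)\}")
QUEUE_RE = re.compile(r"^queue\s+(\S+)(.*)$")
RULE_RE = re.compile(r"^(?:pass|block)\b.*\bqueue\s+(?:\(([^)]*)\)|(\S+))\s*$")

# Constructed sample: the poster's queueing lines with macros resolved (xl1 internal, xl0 external).
SAMPLE_CONF = """\
altq on xl1 bandwidth 100Mb cbq queue {dflt_in, uext1_in}
altq on xl0 bandwidth 600Kb cbq queue {dflt_out}
queue dflt_in cbq (default) bandwidth 60%
queue dflt_out cbq (default)
queue uext1_in bandwidth 6Kb
pass out on xl1 from any to 168.96.200.196 queue uext1_in
"""

# Constructed sample with three deliberate mistakes: over-committed bandwidth,
# two default queues on one interface, and a rule pointing at a queue that does not exist.
BROKEN_CONF = """\
altq on xl1 bandwidth 100Mb cbq queue { std, fast }
queue std bandwidth 70% cbq(default)
queue fast bandwidth 40% cbq(default)
pass out on xl1 from any to 168.96.200.196 queue slow
"""


@dataclass
class Root:
    iface: str
    bps: float
    children: list


@dataclass
class Queue:
    name: str
    bw: "str | None"
    is_default: bool
    children: list


def parse_bw(spec, parent_bps=None):
    """Bandwidth spec -> bits/s. A '%' value is relative to the parent queue's rate."""
    m = BW_RE.match(spec)
    if not m:
        raise ValueError(f"bad bandwidth spec {spec!r}")
    val, unit = float(m.group(1)), m.group(2)
    if unit == "%":
        if parent_bps is None:
            raise ValueError("a root altq bandwidth must be absolute")
        return parent_bps * val / 100
    return val * UNIT[unit]


def _names(text):
    return [n.strip() for n in text.split(",") if n.strip()]


def parse(conf):
    """Collect altq roots, queue definitions and queue assignments from pass/block rules."""
    roots, queues, assigned = [], {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := ALTQ_RE.match(line):
            iface, bw, _sched, kids = m.groups()
            roots.append(Root(iface, parse_bw(bw), _names(kids)))
        elif m := QUEUE_RE.match(line):
            name, rest = m.groups()
            bw = re.search(r"\bbandwidth\s+(\S+)", rest)
            kids = re.search(r"\bqueue\s*\{([^}]*)\}", rest)
            is_default = re.search(r"\([^)]*\bdefault\b[^)]*\)", rest) is not None
            queues[name] = Queue(name, bw.group(1) if bw else None, is_default,
                                 _names(kids.group(1)) if kids else [])
        elif m := RULE_RE.match(line):
            assigned.extend(_names(m.group(1) or m.group(2)))
    return roots, queues, assigned


def check(conf):
    """Return a list of human-readable findings; an empty list means the hierarchy is consistent."""
    roots, queues, assigned = parse(conf)
    findings, attached = [], set()

    def walk(qname, parent_bps, iface):
        q = queues.get(qname)
        if q is None:
            findings.append(f"{iface}: queue {qname} is listed but never defined")
            return 0.0, 0
        attached.add(qname)
        if q.bw is None:
            # Assumption of this checker: an unspecified rate counts as the parent's full rate.
            bps = parent_bps
            findings.append(f"{qname}: no bandwidth given; counted as its parent's full {parent_bps:.0f} b/s")
        else:
            bps = parse_bw(q.bw, parent_bps)
        used, defaults = 0.0, int(q.is_default)
        for kid in q.children:
            kbps, kdef = walk(kid, bps, iface)
            used, defaults = used + kbps, defaults + kdef
        if used > bps:
            findings.append(f"{qname}: children need {used:.0f} b/s but it only has {bps:.0f} b/s")
        return bps, defaults

    for r in roots:
        used, defaults = 0.0, 0
        for kid in r.children:
            kbps, kdef = walk(kid, r.bps, r.iface)
            used, defaults = used + kbps, defaults + kdef
        if used > r.bps:
            findings.append(f"{r.iface}: children need {used:.0f} b/s but it only has {r.bps:.0f} b/s")
        if defaults != 1:
            findings.append(f"{r.iface}: expected exactly one default queue, found {defaults}")
    for name in queues:
        if name not in attached:
            findings.append(f"{name}: defined but not attached to any altq interface")
    for name in assigned:
        if name not in queues:
            findings.append(f"rule assigns traffic to undefined queue {name}")
    return findings


if __name__ == "__main__":
    for label, conf in (("poster's config", SAMPLE_CONF), ("broken config", BROKEN_CONF)):
        print(f"== {label} ==")
        for f in check(conf) or ["no findings"]:
            print(" ", f)
```

On the poster's lines the only finding is that `dflt_out` carries no bandwidth of its own; the 6Kb leaf under the 100Mb root and the single `(default)` per interface are all consistent, which is exactly why a static check like this cannot say why the limit is not taking effect. `pfctl -nf /etc/pf.conf` is the authoritative parse check, and on FreeBSD the ALTQ schedulers only exist when the kernel was built with `options ALTQ` and the matching scheduler option (`ALTQ_CBQ` for cbq); neither condition is visible in the file itself.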