From owner-freebsd-pf@FreeBSD.ORG Wed May 24 21:14:15 2006
From: gus <gus@clacso.edu.ar>
Date: Wed, 24 May 2006 18:21:01 -0300
To: Gilberto Villani Brito, freebsd-pf@freebsd.org
Subject: Re: pf configuration de Argentina
Message-ID: <4474CE3D.8050702@clacso.edu.ar>
In-Reply-To: <20060523162001.58be6ebe@giboia>
References: <44723D2C.30801@clacso.edu.ar> <200605230224.27758.max@love2party.net> <44735A60.70709@clacso.edu.ar> <20060523162001.58be6ebe@giboia>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Gilberto Villani Brito wrote:
> Gus,
> I already had this doubt.
> Try using:
> pass in on $int_if from $uext1 to any queue uext1_in
>
> PS: This cup is owned by Brazil.
> Gilberto

Sorry about the World Cup win... (Argentina), but now the problem is pf....
I changed the line, but when I tried to connect my machine 168.96.200.196 ... to 6K....
It does not see that bandwidth, and so has access at 100 K.... Any idea!!!!

Cheers,
Gus

=======================================

ext_if="xl0"	# replace with actual external interface name i.e., dc0
int_if="xl1"	# replace with actual internal interface name i.e., dc1
internal_net="168.96.200.0/24"
#external_addr="168.96.200.1"

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%

# Hosts that are NATed out through $ext_if. The table name was lost when the
# message was archived (the angle brackets were stripped); <natted> is a
# placeholder, not the name from the original file.
table <natted> { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }

set loginterface $int_if
set fingerprints "/etc/pf.os"

# uext1_in is declared on $int_if, so it can only shape packets that leave
# $int_if, i.e. traffic delivered to the LAN host.
altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in }
altq on $ext_if bandwidth 600Kb cbq queue { dflt_out }
queue dflt_in  bandwidth 60% cbq(default)
queue dflt_out cbq(default)
queue uext1_in bandwidth 6Kb

uext1="168.96.200.196"

nat on $ext_if from <natted> to any -> ($ext_if)

pass in on $int_if from $uext1 to any queue uext1_in

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
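The queueing rules below are an added example, not part of Gus's or Gilberto's mail. In pf, a queue only shapes packets as they leave the interface its altq is declared on, and the queue named on a filter rule is stored in the state that rule creates, so the reply packets of that state are put into that queue on whichever interface they leave. The rule in the thread creates no state (FreeBSD 6-era pf does not keep state by default), so the packets sent to the host leave $int_if unmatched and land in the default queue. The example assumes the interface names and macros from the posted file, uses the placeholder table name <natted>, and names the tag UEXT1 and the queue uext1_out itself.

```conf
# Added example: cap 168.96.200.196 at 6Kb in both directions.
# The kernel must be built with "options ALTQ" and "options ALTQ_CBQ",
# otherwise pfctl rejects the altq lines at load time.
ext_if="xl0"
int_if="xl1"
uext1="168.96.200.196"
table <natted> { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }

# uext1_in shapes what the host downloads: it is on $int_if, the interface
# those packets leave through.
altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in }
queue dflt_in  bandwidth 60% cbq(default)
queue uext1_in bandwidth 6Kb

# uext1_out shapes what the host uploads, so it must exist on $ext_if.
altq on $ext_if bandwidth 600Kb cbq queue { dflt_out, uext1_out }
queue dflt_out  bandwidth 90% cbq(default)
queue uext1_out bandwidth 6Kb

nat on $ext_if from <natted> to any -> ($ext_if)

# Download direction. The host's packets enter here and create a state that
# carries queue uext1_in; the replies match that state when they leave
# $int_if, where uext1_in exists, and are shaped. The tag is kept in the
# state as well, so the same packets can be recognised on $ext_if below.
pass in on $int_if from $uext1 to any keep state tag UEXT1 queue uext1_in

# Upload direction. NAT rewrites the source address before outbound filter
# rules are evaluated, so "from $uext1" would never match on $ext_if;
# the tag set on $int_if identifies the host's packets instead.
pass out on $ext_if tagged UEXT1 keep state queue uext1_out
```

After loading the file with `pfctl -f /etc/pf.conf`, `pfctl -vsq` prints per-queue packet and byte counters: the uext1_in counters should now grow while the host downloads, and uext1_out while it uploads, which is the quickest way to confirm the rules are landing traffic in the intended queues.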