Date:      Thu, 25 May 2006 11:50:52 -0300
From:      Gilberto Villani Brito <linux@giboia.org>
To:        gus <gus@clacso.edu.ar>, freebsd-pf@freebsd.org
Subject:   Re: pf configuration de Argentina
Message-ID:  <20060525115052.092990aa@giboia>
In-Reply-To: <4474CE3D.8050702@clacso.edu.ar>
References:  <44723D2C.30801@clacso.edu.ar> <200605230224.27758.max@love2party.net> <44735A60.70709@clacso.edu.ar> <20060523162001.58be6ebe@giboia> <4474CE3D.8050702@clacso.edu.ar>

Hi,
I tested your rules and they worked correctly.
Maybe you need to put:
...
 block all
 pass out on $int_if from any to <lan>
 pass in on $int_if from <lan> to any
 pass out on $ext_if from any to any
 pass in on $ext_if from any to any
 pass in on $int_if from $uext1 to any queue uext1_in
...
All in this order.

PS: Let's see the champion.

Hugs
Gilberto


On Wed, 24 May 2006 18:21:01 -0300
gus <gus@clacso.edu.ar> wrote:

> Gilberto Villani Brito wrote:
>
> >Gus,
> >I already had this doubt.
> >Try use:
> >pass in on $int_if from $uext1 to any queue uext1_in
> >
> >PS: This cup is owned by Brazil.
> >
> Gilberto
>
> Sorry for the World Cup win... (Argentina)
>
> but now the problem is pf....
> I had changed the line, but when I tried to connect my machine
> 168.96.200.196 ... to 6K....
> It does not see this band, and so has access at 100 K....
>
> Any idea!!!!
>
> Hugs
> Gus
>
> ========================================================================
>
> ext_if="xl0"    # replace with actual external interface name i.e., dc0
> int_if="xl1"    # replace with actual internal interface name i.e., dc1
> internal_net="168.96.200.0/24"
> #external_addr="168.96.200.1"
>
> #Tables: similar to macros, but more flexible for many addresses.
> #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
>
> # Options: tune the behavior of pf, default values are given.
> #set timeout { interval 10, frag 30 }
> #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> #set timeout { icmp.first 20, icmp.error 10 }
> #set timeout { other.first 60, other.single 30, other.multiple 60 }
> #set timeout { adaptive.start 0, adaptive.end 0 }
> #set limit { states 10000, frags 5000 }
> #set loginterface none
> #set optimization normal
> #set block-policy drop
> #set require-order yes
> #set fingerprints "/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> #scrub in all
>
> # Queueing: rule-based bandwidth control.
> #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
> #queue dflt bandwidth 5% cbq(default)
> #queue developers bandwidth 80%
> #queue marketing  bandwidth 15%
>
> table <lan> { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }
>
> set loginterface $int_if
> set fingerprints "/etc/pf.os"
>
> altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in }
> altq on $ext_if bandwidth 600Kb cbq queue { dflt_out }
>
> queue dflt_in cbq (default) bandwidth 60%
> queue dflt_out cbq (default)
>
> queue uext1_in bandwidth 6Kb
>
> uext1="168.96.200.196"
>
> nat on $ext_if from <lan> to any -> ($ext_if)
>
> pass in on $int_if from $uext1 to any queue uext1_in
>
> # Translation: specify how addresses are to be mapped or redirected.
> # nat: packets going out through $ext_if with source address $internal_net will
> # get translated as coming from the address of $ext_if, a state is created for
> # such packets, and incoming packets will be redirected to the internal address.
> #nat on $ext_if from $internal_net to any -> ($ext_if)
>
> # rdr: packets coming in on $ext_if with destination $external_addr:1234 will
> # be redirected to 10.1.1.1:5678. A state is created for such packets, and
> # outgoing packets will be translated as coming from the external address.
> #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
>
> # rdr outgoing FTP requests to the ftp-proxy
> #rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # spamd-setup puts addresses to be redirected into table <spamd>.
> #table <spamd> persist
> #no rdr on { lo0, lo1 } from any to any
> #rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>
> # Filtering: the implicit first two rules are
> #pass in all
> #pass out all
>
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> #block in log all
> #pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
> #pass  out on $ext_if proto { tcp, udp } all keep state
>
> # pass incoming packets destined to the addresses given in table <foo>.
> #pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
>
> # pass incoming ports for ftp-proxy
> #pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
>
> # assign packets to a queue.
> #pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
> #pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
>
>
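Editor's added example, not code posted by either Gilberto or Gus: the complete pf.conf that results from applying Gilberto's rule order to Gus's quoted configuration. The interface names, the <lan> table, the queue names and the 100Mb/600Kb/6Kb figures are taken from the quoted config; the `keep state` clauses, `set skip on lo0` and the narrowed inbound rule on $ext_if (ssh only, instead of Gilberto's `pass in on $ext_if from any to any`) are assumptions added here.

```conf
# Added example: pf.conf with ALTQ/CBQ per-host shaping, rules in the
# order Gilberto recommends. Names, addresses and bandwidths are assumed
# for illustration and come from the thread, not from a running system.
ext_if="xl0"
int_if="xl1"
uext1="168.96.200.196"

table <lan> { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }

set loginterface $int_if
set skip on lo0          # assumption: never filter loopback

scrub in all

# Queues on $int_if shape traffic that LEAVES $int_if, i.e. what the LAN
# clients download. uext1_in is the 6Kb child queue for the one host.
altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in }
queue dflt_in bandwidth 60% cbq(default)
queue uext1_in bandwidth 6Kb

# Queues on $ext_if shape LAN uploads; only a default queue is defined,
# so uext1's uploads are not limited by this config.
altq on $ext_if bandwidth 600Kb cbq queue { dflt_out }
queue dflt_out cbq(default)

# Translation rules must precede filter rules.
nat on $ext_if from <lan> to any -> ($ext_if)

# Filter rules. pf evaluates every rule and the LAST match wins (unless a
# rule says "quick"), which is why the order below matters.
block all
pass out on $int_if from any to <lan> keep state
pass in on $int_if from <lan> to any keep state
pass out on $ext_if from any to any keep state

# Gilberto's list passes everything in on $ext_if; that also admits every
# unsolicited connection from the Internet. Assumption here: the box only
# needs to accept ssh to itself from outside.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# The queue rule goes LAST. If the generic "pass in on $int_if from <lan>"
# rule came after it, that rule would be the last match and the packet
# would keep the default queue instead of uext1_in.
pass in on $int_if from $uext1 to any keep state queue uext1_in
```

Two things to keep in mind when checking this. First, `keep state` on the queue rule is what carries the queue assignment to the reply packets: they match the state, not a rule, and inherit the state's queue when they leave $int_if, which is where uext1_in is attached. Uploads from 168.96.200.196 leave via $ext_if, where no queue of that name exists, so they fall into dflt_out. Second, verify rather than assume: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -sr` prints the loaded rules in evaluation order so you can confirm the queue rule really is last, and `pfctl -vvsq` shows per-queue packet and byte counters, which should climb on uext1_in while that host downloads. The FreeBSD kernel must be built with `options ALTQ` and `options ALTQ_CBQ` for the cbq scheduler to be available at all.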



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060525115052.092990aa>