Dear Marcos,

If you can get the rules to load right after boot, the problem is not in the rules file but in the startup file. Two basic questions:

1 - Did you set the rules flag in rc.conf? pf_rules="/etc/pf.conf"
2 - Is your link authenticated via ppp?

On 7/26/07, Marcos Vinicius Buzo <[EMAIL PROTECTED]> wrote:
> Good afternoon everyone, everything good?
> I'm having a problem with pf. I'm sure I did something wrong, but
> I can't find my mistake. The pf rules are not loading at boot; they
> only load if I run pfctl -f /etc/pf.conf or /etc/rc.d/pf start
>
> Here are the lines from my /etc/rc.conf that relate to pf:
> pf_enable="YES" # Enable PF (load module if required)
> pf_rules="/etc/pf.conf" # rules definition file for pf
> pf_flags="" # additional flags for pfctl startup
> pflog_enable="YES" # start pflogd(8)
> pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
> pflog_flags="" # additional flags for pflogd startup
>
> Here is my pf.conf:
>
> ############## MACROS ############################
> ##################################################
>
> # WAN interface
> ext_if = "rl0"
> ext_ip = "200.xxx.xxx.106"
>
> # LAN interface
> int_if = "sk0"
> int_ip = "10.xxx.xxx.31"
> int_net = "10.xxx.xxx.0/24"
>
> # LAN interface - VOIP
> voip_if = "rl1"
> voip_ip = "192.xxx.xxx.254"
> voip_net = "192.xxx.xxx.0/24"
>
> # Hosts on the network
> dataserver_ip = "10.xxx.xxx.100"
> ata_ip = "192.xxx.xxx.2"
>
> # IPs
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
> # Ports
> ssh_intport = "2222"
> ssh_extport = "110"
> ##################################################
>
> set loginterface $ext_if
>
> ############## PACKET NORMALIZATION ##############
> ##################################################
>
> scrub in all
>
> ##################################################
>
> ############## ALTQ ##############################
> ##################################################
> altq on $ext_if hfsc bandwidth 100% queue ext_up
> queue ext_up bandwidth 300Kb {out_voip, out_ssh, out_email, out_others}
> queue out_voip bandwidth 50% hfsc(realtime 128Kb)
> queue out_ssh bandwidth 15% hfsc(realtime 32Kb)
> queue out_email bandwidth 10% hfsc(upperlimit 128Kb)
> queue out_others bandwidth 25% hfsc(default)
>
> ############## NAT ###############################
> ##################################################
>
> # NAT - LAN -> WAN
> nat on $ext_if from $int_net to any -> ($ext_if)
>
> # NAT - LAN -> VOIP
> nat on $ext_if from $voip_net to any -> ($ext_if)
>
> ##################################################
>
> ############## RDR ###############################
> ##################################################
>
> # RDR - internal network FTP -> ftp-proxy
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr on $int_if proto tcp from any to any port 778 -> 127.0.0.1 port 8021
>
> # RDR - FTP for updates
> #rdr on $ext_if proto tcp from any to $ext_ip port 15000 -> $dataserver_ip port 21
>
> # RDR - VPN dataserver
> rdr on $ext_if proto tcp from any to $ext_ip port 1194 -> $dataserver_ip
>
> # RDR - ATA/configuration/temporary
> rdr on $ext_if proto tcp from 200.xxx.xxx.213 to $ext_ip port 5555 -> $ata_ip port 80
>
> ##################################################
>
>
> ############## FILTERS ###########################
> ##################################################
>
> # BLOCK TRAFFIC ON ALL INTERFACES
> block all
>
> # ALLOW LOOPBACK
> pass quick on lo0 all keep state
>
> # ALLOW OUTBOUND ON ALL INTERFACES AND KEEP CONNECTION STATE
> pass out all keep state
>
> # SERVICE - SSH - WAN/LAN
> pass in on $ext_if proto tcp from any to $ext_ip port $ssh_extport keep state queue out_ssh
> pass in on $int_if proto tcp from $int_net to $int_ip port $ssh_intport keep state
>
> # SERVICE - NTOP - LAN/WAN (PRIVATE IP)
> pass in on $ext_if proto tcp from 200.xxx.xxx.213 to $ext_ip port 3000 keep state
> pass in on $int_if proto tcp from $int_net to $int_ip port 3000 keep state
>
> # pass incoming ports for ftp-proxy
> pass in on $ext_if inet proto tcp from any to any port > 49151 keep state
> pass in on $int_if inet proto tcp from any to any user proxy keep state
>
> # SERVICE - OpenVPN - WAN -> dataserver
> pass in on $ext_if proto tcp from any to $dataserver_ip port 1194 keep state
>
> # ALLOW EVERYTHING FOR THE VOIP NETWORK
> pass in on $voip_if from $voip_net to any keep state queue out_voip
> pass in on $ext_if proto tcp from 200.xxx.xxx.213 to $ata_ip port 80 keep state
>
> # ALLOW EVERYTHING FOR THE DIRECTOR
> pass in on $int_if from 10.xxx.xxx.99 to any keep state
>
> # ALLOW VONO FOR THE INTERNAL NETWORK
> pass in on $int_if from $int_net to 201.xxx.xxx.5 keep state queue out_voip
>
> # ALLOW RSYNC FOR THE DATA SERVER
> pass in on $int_if proto {tcp,udp} from $dataserver_ip to any port 873 keep state
>
> # ALLOW ICMP FOR THE INTERNAL NETWORK
> pass in on $int_if proto icmp from $int_net to any keep state
>
> # ALLOW FTP FOR THE INTERNAL NETWORK
> pass in on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 keep state
> pass in on $int_if proto tcp from $int_net to any port 21 keep state
> pass in on $ext_if proto tcp from any to any port ftp-data user proxy keep state
>
> # ALLOW SYSTEMS FOR THE INTERNAL NETWORK
> pass in on $int_if proto {tcp,udp} from $int_net to any port {778, 779, 4606, 3007, 8017} keep state
> pass in on $int_if from $int_net to 201.xxx.xxx.26 keep state
>
> # ALLOW CAT FOR THE INTERNAL NETWORK
> pass in on $int_if proto {tcp,udp} from $int_net to any port 5017 keep state
>
> # ALLOW NTP FOR THE INTERNAL NETWORK
> pass in on $int_if proto {tcp,udp} from $int_net to any port {123, 563} keep state
>
> # ALLOW DNS FOR THE INTERNAL NETWORK
> pass in on $int_if proto {tcp,udp} from $int_net to any port 53 keep state
>
> # ALLOW EMAIL FOR THE INTERNAL NETWORK
> pass in on $int_if proto {tcp,udp} from $int_net to any port 25 keep state queue out_email
> pass in on $int_if proto {tcp,udp} from $int_net to any port 110 keep state
>
> # ALLOW MSN FOR THE INTERNAL NETWORK
> pass in on $int_if proto {tcp,udp} from $int_net to any port 1863 keep state
>
> # ALLOW HTTP FOR THE INTERNAL NETWORK
> pass in on $int_if proto {tcp,udp} from $int_net to any port {80,443} keep state
>
> # ALLOW RECEITANET FOR THE INTERNAL NETWORK
> pass in on $int_if proto tcp from $int_net to any port 3456 keep state
>
> # ALLOW CONECTIVIDADE SOCIAL FOR THE INTERNAL NETWORK
> pass in on $int_if proto tcp from $int_net to any port 2631 keep state
>
> # ALLOW the IP of the director's system
> pass in on $int_if from $int_net to 201.xxx.xxx.26 keep state
>
> # BLOCK PRIVATE IPS ON THE EXTERNAL INTERFACE
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
>
> Any help will be welcome.
> Thanks.
> -------------------------
> Archive: http://www.fug.com.br/historico/html/freebsd/
> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
> -------------------------
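The reply above narrows the problem to the startup side: a ruleset that loads fine by hand but not at boot means /etc/rc.d/pf either is not being told to enable pf, is being pointed at the wrong file, or runs before everything the rules need is in place. A firewall in that state can come up without the rules its administrator believes are in force, so the two things worth checking mechanically are the rc.conf knobs and whether the rules file parses. The script below is an added example, not code from the thread and not FreeBSD's own rc script: it reads an rc.conf-style file, checks pf_enable and pf_rules, and dry-runs the ruleset with pfctl -n when pfctl is installed (the dry run is skipped with a message on hosts without pfctl). The rc.conf and pf.conf fragments it writes under a temporary directory are constructed for the demo; on a real host, call check_pf_rc on /etc/rc.conf instead.

```shell
#!/bin/sh
# Added example (not from the list thread or from FreeBSD's rc scripts):
# check the rc.conf knobs that /etc/rc.d/pf reads, then dry-run the ruleset.

# Print the value of KEY from an rc.conf-style file (KEY="value" or KEY=value).
# Comment and blank lines are ignored; the last assignment wins, as in sh.
rc_value() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ || !/=/ { next }
        {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key != k) next
            val = substr($0, index($0, "=") + 1)
            sub(/[ \t]*#.*$/, "", val)                 # drop a trailing comment
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            sub(/^["]/, "", val); sub(/["]$/, "", val) # strip surrounding quotes
            last = val
        }
        END { if (last != "") print last }' "$1"
}

# Return 0 when the file enables pf and names a readable rules file.
# Each missing piece is reported on stdout and makes the check fail.
check_pf_rc() {
    rc="$1"; status=0
    case "$(rc_value "$rc" pf_enable)" in
        [Yy][Ee][Ss]) ;;
        *) echo "pf_enable is not YES: /etc/rc.d/pf will not start pf at boot"; status=1 ;;
    esac
    rules="$(rc_value "$rc" pf_rules)"
    if [ -z "$rules" ]; then
        echo "pf_rules is not set in $rc"; status=1
    elif [ ! -r "$rules" ]; then
        echo "pf_rules=$rules is not readable: pfctl -f will fail at boot"; status=1
    fi
    return $status
}

# Parse-only load of the ruleset (pfctl -n loads nothing into the kernel).
# Skipped with status 0 when pfctl is absent, so the script runs on any host.
check_ruleset() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found, skipping parse check of $1"; return 0
    fi
    pfctl -nf "$1"
}

# Constructed sample files so the checks can be exercised offline.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/pf.conf" <<'EOF'
ext_if = "rl0"
set skip on lo0
block all
pass out all keep state
EOF

good_rc="$demo_dir/rc.conf.good"    # same knobs as the thread, rules file present
cat > "$good_rc" <<EOF
pf_enable="YES"                  # Enable PF (load module if required)
pf_rules="$demo_dir/pf.conf"     # rules definition file for pf
pf_flags=""                      # additional flags for pfctl startup
pflog_enable="YES"               # start pflogd(8)
EOF

bad_rc="$demo_dir/rc.conf.bad"      # pf never enabled, rules file missing
cat > "$bad_rc" <<EOF
pf_enable="NO"
pf_rules="$demo_dir/does-not-exist.conf"
EOF

for f in "$good_rc" "$bad_rc"; do
    if check_pf_rc "$f"; then
        echo "$f: rc.conf knobs OK"
        check_ruleset "$(rc_value "$f" pf_rules)"
    else
        echo "$f: pf would not come up as intended at boot"
    fi
done
```

A passing check only proves the static side. After a reboot, the state that matters is what the kernel holds, so the complementary check on the box itself is pfctl -s info (is pf enabled at all) followed by pfctl -s rules (is the loaded ruleset the one in the file, or empty because the load failed).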