Gentlemen, after configuring pfSense to do NAT (outbound only), the NAT works, but only for some sites.
The rules are attached.
However, I cannot reach the sites from the clients, nor from the server itself.
Some examples that cannot be reached:
www.uol.com.br
www.yahoo.com.br
gdk.thegamecreators.com
Among others.
Any light on this?
Thanks
P.S.: Trying these rules, the problem persists.
nat on re0 from any to any -> (re0)
pass quick on re0 all keep state
pass quick on xl0 all keep state
Later
# pfctl -sa
TRANSLATION RULES:
nat-anchor "pftpx/*" all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on re0 inet from 192.168.0.0/26 port = isakmp to any port = isakmp -> (re0) port 500 round-robin
nat on re0 inet from 192.168.0.0/26 port = 5060 to any port = 5060 -> (re0) port 5060 round-robin
nat on re0 inet from 192.168.0.0/26 to any -> (re0) port 1024:65535 round-robin
nat on re0 inet from 10.0.0.0/24 port = isakmp to any port = isakmp -> (re0) port 500 round-robin
nat on re0 inet from 10.0.0.0/24 port = 5060 to any port = 5060 -> (re0) port 5060 round-robin
nat on re0 inet from 10.0.0.0/24 to any -> (re0) port 1024:65535 round-robin
rdr-anchor "pftpx/*" all
rdr-anchor "slb" all
rdr-anchor "imspector" all
rdr-anchor "miniupnpd" all

FILTER RULES:
scrub all random-id fragment reassemble
anchor "ftpsesame/*" all
anchor "firewallrules" all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop in quick inet6 all
block drop out quick inet6 all
anchor "loopback" all
pass in quick on lo0 all flags S/SA keep state label "pass loopback"
pass out quick on lo0 all flags S/SA keep state label "pass loopback"
anchor "packageearly" all
anchor "carp" all
pass quick inet proto icmp from 200.XXX.XXX.XXX to any keep state
anchor "dhcpserverlan" all
pass in quick on rl0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN"
pass in quick on rl0 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server on LAN"
pass out quick on rl0 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN"
anchor "dhcpserverWIFI" all
pass in quick on xl0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on xl0 inet proto udp from any port = bootpc to 10.0.0.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on xl0 inet proto udp from 10.0.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log quick on re0 inet proto udp from any port = bootps to 192.168.0.0/26 port = bootpc label "block dhcp client out wan"
block drop in on ! rl0 inet from 192.168.0.0/26 to any
block drop in inet from 192.168.0.1 to any
block drop in on ! xl0 inet from 10.0.0.0/24 to any
block drop in inet from 10.0.0.1 to any
block drop in on rl0 inet6 from fe80::2e0:7dff:fe90:b96f to any
block drop in on xl0 inet6 from fe80::210:4bff:fe09:ff78 to any
anchor "spoofing" all
anchor "spoofing" all
block drop in on ! re0 inet from 128.0.0.0/1 to any
block drop in inet from 200.XXX.XXX.XXX to any
block drop in on re0 inet6 from fe80::208:54ff:fe2d:28e to any
block drop in log quick on re0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on re0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in log quick on re0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in log quick on re0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
anchor "limitingesr" all
block drop in quick from <virusprot> to any label "virusprot overload table"
anchor "wanbogons" all
block drop in log quick on re0 from <bogons> to any label "block bogon networks from wan"
pass out quick on rl0 proto icmp all keep state label "let out anything from firewall host itself"
pass out quick on re0 proto icmp all keep state label "let out anything from firewall host itself"
pass out quick on re0 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
anchor "firewallout" all
pass out quick on re0 all flags S/SA keep state label "let out anything from firewall host itself"
pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself"
pass out quick on xl0 all flags S/SA keep state label "let out anything from firewall host itself"
pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host to host"
pass out quick on xl0 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
pass out quick on xl0 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
anchor "anti-lockout" all
pass in quick on rl0 inet from any to 192.168.0.1 flags S/SA keep state label "anti-lockout web rule"
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
anchor "ftpproxy" all
anchor "pftpx/*" all
pass in quick on re0 reply-to (re0 200.XXX.XXX.XXX) inet proto tcp from 200.XXX.XXX.XXX to 200.XXX.XXX.XXX port = 8181 flags S/SA keep state label "USER_RULE: webgui from sakurazuka"
pass in quick on re0 reply-to (re0 200.XXX.XXX.XXX) inet proto udp from 200.XXX.XXX.XXX to 200.XXX.XXX.XXX port = 8181 keep state label "USER_RULE: webgui from sakurazuka"
pass in log quick on re0 reply-to (re0 200.XXX.XXX.XXX) inet proto tcp from 200.XXX.XXX.XXX to 200.XXX.XXX.XXX port = ssh flags S/SA keep state label "USER_RULE: ssh from sakurazuka"
pass in log quick on re0 reply-to (re0 200.XXX.XXX.XXX) inet proto udp from 200.XXX.XXX.XXX to 200.XXX.XXX.XXX port = ssh keep state label "USER_RULE: ssh from sakurazuka"
pass in log quick on xl0 inet from 10.0.0.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on rl0 inet from 192.168.0.0/26 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
pass in quick on rl0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on rl0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on re0 inet proto tcp from any port = ftp-data to (re0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = 8022 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on xl0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
anchor "imspector" all
anchor "miniupnpd" all
block drop in log quick all label "Default deny rule"
block drop out log quick all label "Default deny rule"
No queue in use
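The six nat rules from the pfctl -sa output above, run through a small first-match checker (an added example, not code from the original post or from pfSense; the destination 203.0.113.10 is a constructed stand-in for a web site). Since every rule reads `to any`, the outcome depends only on the source address and port, which is what a reader would confirm before looking beyond the translation rules.

```python
import ipaddress
import re

# Constructed copy of the six nat rules from the pfctl -sa output above.
NAT_RULES = """
nat on re0 inet from 192.168.0.0/26 port = isakmp to any port = isakmp -> (re0) port 500 round-robin
nat on re0 inet from 192.168.0.0/26 port = 5060 to any port = 5060 -> (re0) port 5060 round-robin
nat on re0 inet from 192.168.0.0/26 to any -> (re0) port 1024:65535 round-robin
nat on re0 inet from 10.0.0.0/24 port = isakmp to any port = isakmp -> (re0) port 500 round-robin
nat on re0 inet from 10.0.0.0/24 port = 5060 to any port = 5060 -> (re0) port 5060 round-robin
nat on re0 inet from 10.0.0.0/24 to any -> (re0) port 1024:65535 round-robin
"""

# Only the rule shape seen in the dump is parsed (no proto, no "!" negation, no tables).
RULE_RE = re.compile(
    r"nat on (?P<iface>\S+) inet from (?P<src>\S+)(?: port = (?P<sport>\S+))?"
    r" to (?P<dst>\S+)(?: port = (?P<dport>\S+))? -> \(\S+\) port (?P<range>\S+)"
)
SERVICES = {"isakmp": 500}  # service names pfctl prints in place of numbers

def port_num(tok):
    """'isakmp' or '5060' -> int; None -> None, meaning any port."""
    if tok is None:
        return None
    return SERVICES[tok] if tok in SERVICES else int(tok)

def net_or_any(tok):
    return None if tok == "any" else ipaddress.ip_network(tok)

def parse_nat(text):
    """nat rules in dump order; pf applies the first translation rule that matches."""
    rules = []
    for m in filter(None, map(RULE_RE.search, text.splitlines())):
        rules.append({"iface": m["iface"], "src": net_or_any(m["src"]), "dst": net_or_any(m["dst"]),
                      "sport": port_num(m["sport"]), "dport": port_num(m["dport"]), "range": m["range"]})
    return rules

def match_nat(rules, iface, src, sport, dst, dport):
    """Index of the first matching rule and its translated port range, or None if not translated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (r["iface"] == iface
                and (r["src"] is None or s in r["src"])
                and (r["dst"] is None or d in r["dst"])
                and (r["sport"] is None or r["sport"] == sport)
                and (r["dport"] is None or r["dport"] == dport)):
            return i, r["range"]
    return None

RULES = parse_nat(NAT_RULES)  # the six rules above, ready to query
```

For a client such as 10.0.0.5 the general rule at index 5 applies to any destination, while 192.168.0.100 is not translated at all because 192.168.0.0/26 ends at 192.168.0.63.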
-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd