transparent proxy nat dynamic rules

Hi list,
I have a FreeBSD 4.8 server with squid, transparent proxy, NAT and dynamic rules. The kernel is compiled for ipfw2. I am running into the following problems:

a) strange behaviour: sometimes the server seems to go into a loop. I have seen in the logs that a given packet is allowed by one rule but is then blocked by the same rule.

b) problem with ftp: I have a second server (192.168.1.2, DNS + mail) running FreeBSD on the same network; from it I can ftp anywhere without problems, but the Win9x workstations do not work well: they open the site, I enter the password when required (or anonymous), but then it stalls or lists only the first-level directories of the ftp site and cannot list a subdirectory.

c) in the logs I see many "deny in external_interface" entries on port 80, usually right after the divert logs.

Other questions:

d) I have a suspicion about the divert. It comes before the check-state. So, in theory, no dynamic rule is being created for the server's external interface when the divert is done. In that case the return packet would be denied by the following rules because there is no dynamic rule associated with it.

e) Does divert create a dynamic rule automatically? Or should I put the divert rule after the check-state and use something like "divert natd all from any to any via fxp0 keep-state"? I have not found any literature on how to set up this tough trio specifically; I usually find NATD + transparent proxy, but nothing that includes dynamic rules.

f) since I am using a transparent proxy, how do I also redirect, besides port 80, the requests to ports 20, 21, 81, 443 and 1024-65535?

Any idea where I am going wrong? Any tip is always welcome.
Thanks to all,
xmailx

PS: The e-mail and DNS server is running on another FreeBSD server, 192.168.1.2

natd.conf:
interface fxp0
dynamic yes
same_ports yes
use_sockets yes

rc.conf:
nfs_reserved_port_only="YES"
sshd_enable="YES"
firewall_enable="YES"
firewall_quiet="NO"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
log_in_vain="YES"
tcp_extesions="NO"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icp_log_recirect="YES"
portmap_enable="NO"
gateway_enable="YES"
inetd_enable="NO"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-l -u -f /etc/natd.conf"
syslogd_flags="-s -l /var/chroot/named/dev/log"
syslogd_flags=""
named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-u bind -t /var/chroot/named -c /etc/namedb/named.conf"
ifconfig_fxp0="inet 200.x1.y1.z1 netmask 255.255.255.248"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"
defaultrouter="200.x1.y1.z1"
hostname="myserver.mydomain.com.br"
firewall_type="/etc/ipfw.rules"

sysctl.conf:
net.link.ether.ipfw=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

ipfw.rules:
add 00200 allow all from any to any via lo0
add 000250 deny all from any to 127.0.0.0/8
add 000300 deny log all from 127.0.0.0/8 to any
add 000700 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80
add 000702 allow tcp from 192.168.1.0/24 to any 80 in via fxp1
add 000703 allow tcp from any 80 to 192.168.1.0/24 out via fxp1
add 000750 divert natd all from any to any via fxp0
add 000900 check-state
add 000950 allow layer2 not mac-type ip
add 001050 deny log all from any to any frag in via fxp0
add 001150 deny log icmp from any to any icmptypes 5 in via fxp0
add 001200 deny log ip from me to me in via fxp0
add 001250 deny log tcp from any to any setup in via fxp0
add 001300 deny log tcp from any to any 137,138,139 in via fxp0
add 001301 deny log udp from any to any 137,138,139 in via fxp0
add 001302 deny tcp from any to any 137,138,139 in via fxp1
add 001303 deny udp from any to any 137,138,139 in via fxp1
add 001400 deny log udp from any to 255.255.255.255 in via fxp0
add 001450 deny log udp from 0.0.0.0 to any in via fxp0
add 001500 deny log all from 192.168.100.1 to 224.0.0.1 in via fxp0
add 001550 deny log all from 192.168.0.0/16 to any via fxp0
add 001600 deny log all from any to 192.168.0.0/16 via fxp0
add 001650 deny log all from 172.16.0.0/12 to any via fxp0
add 001700 deny log all from any to 172.16.0.0/12 via fxp0
add 001750 deny log all from 10.0.0.0/8 to any via fxp0
add 001800 deny log all from any to 10.0.0.0/8 via fxp0
add 001900 allow udp from any 68 to any 67 in via fxp1
add 001950 allow udp from me 67 to any 68 out via fxp1
add 002100 allow udp from me to 192.168.1.2 53 out via fxp1 keep-state
add 002150 allow tcp from me to 192.168.1.2 53 out via fxp1 setup keep-state
add 002151 allow udp from me to 200.215.1.35 53 out via fxp0 keep-state
add 002152 allow tcp from me to 200.215.1.35 53 out via fxp0 setup keep-state
add 002200 allow udp from me to 200.176.2.10 53 out via fxp0 keep-state
add 002201 allow tcp from me to 200.176.2.10 53 out via fxp0 setup keep-state
add 002250 allow udp from me to 200.176.2.12 53 out via fxp0 keep-state
add 002251 allow tcp from me to 200.176.2.12 53 out via fxp0 setup keep-state
add 002450 allow udp from 192.168.1.2 to 200.215.1.35 53 in via fxp1 keep-state
add 002450 allow tcp from 192.168.1.2 to 200.215.1.35 53 in via fxp1 setup keep-state
add 002500 allow udp from 192.168.1.2 to 200.176.2.10 53 in via fxp1 keep-state
add 002501 allow tcp from 192.168.1.2 to 200.176.2.10 53 in via fxp1 setup keep-state
add 002600 allow udp from 192.168.1.2 to 200.176.2.12 53 in via fxp1 keep-state
add 002601 allow tcp from 192.168.1.2 to 200.176.2.12 53 in via fxp1 setup keep-state
add 002900 allow tcp from me to any 80,81 out via fxp0 setup keep-state
add 003050 allow tcp from me to any 443 out via fxp0 setup keep-state
add 003051 allow tcp from 192.168.1.0/24 to any 443 in via fxp1 setup keep-state
add 003052 allow tcp from 192.168.1.0/24 to any 8088 in via fxp1 setup keep-state
add 003100 allow tcp from any to any 443 in via fxp1 setup keep-state
add 003151 allow tcp from me to any 8088 out via fxp0 setup keep-state
add 003152 allow tcp from 192.168.1.0/24 to any 8088 in via fxp1 setup keep-state
add 003200 allow tcp from me to any 25 out via fxp0 setup keep-state
add 003250 allow tcp from me to any 25 out via fxp1 setup keep-state
add 003300 allow tcp from 192.168.1.2 to any 25 in via fxp1 setup keep-state
add 003350 allow tcp from me to any 110 out via fxp0 setup keep-state
add 003351 allow tcp from 192.168.1.2 to any 110 out via fxp0 setup keep-state
add 003400 allow tcp from 192.168.1.2 to any 110 in via fxp1 setup keep-state
add 003450 allow tcp from me to any 143 out via fxp0 setup keep-state
add 003500 allow tcp from 192.168.1.2 to any 143 out via fxp0 setup keep-state
add 003550 allow tcp from me to any 20-21 out via fxp0 setup keep-state
add 003551 allow tcp from me to any 1000-65000 out via fxp0 setup keep-state
add 003552 allow tcp from 192.168.1.2 to any 20-21 in via fxp1 setup keep-state
add 003600 allow tcp from 192.168.1.2 to any 1000-65000 in via fxp1 setup keep-state
add 003650 allow icmp from me to any icmptypes 3,8 out via fxp0 keep-state
add 003700 allow icmp from me to any icmptypes 3,8 out via fxp1 keep-state
add 003750 allow icmp from 192.168.1.0/24 to any icmptypes 3,8 out via fxp0 keep-state
add 003800 allow icmp from 192.168.1.0/24 to any icmptypes 3,8 in via fxp1 keep-state
add 003850 allow icmp from me to 192.168.1.0/24 icmptypes 0,3 out via fxp1 keep-state
add 004100 allow udp from me to any 33435-33500 out via fxp0 keep-state
add 004150 allow tcp from me to any 22 out via fxp0 setup keep-state
add 004300 allow tcp from 192.168.1.2 to me 22 in via fxp1 setup keep-state
add 004301 allow tcp from 192.168.1.90 to me 22 in via fxp1 setup keep-state
add 004302 allow tcp from 192.168.1.92 to me 22 in via fxp1 setup keep-state
add 004700 deny log icmp from any to any icmptypes 5 in via fxp0
add 004800 deny log icmp from any to me icmptypes 0,8 in via fxp0
add 004850 deny log tcp from any to any setup in via fxp0
add 004851 deny log tcp from any to any established in via fxp0
add 004900 deny log icmp from any to me icmptypes 0,8 in via fxp0
add 004950 deny log logamount 500 all from any to any

xmailx
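An added example, not the poster's file and not a reply from the list, of the rule ordering the FreeBSD Handbook's IPFW section uses for natd together with keep-state: inbound packets on the external interface are un-NATed before check-state, and outbound keep-state rules skipto an outbound divert instead of allowing directly, so the dynamic entry holds the private address that the translated reply will carry when check-state sees it. With a single divert placed before every keep-state rule, as in the posted file, the outbound entry records the already-translated public source while the reply has been translated back to the private address before check-state, so the two never match. Interface names, networks and the squid port are taken from the post; rule numbers are arbitrary.

```conf
# Added example in the post's /etc/ipfw.rules format (loaded via firewall_type);
# it is not the poster's file. fxp0 = external, fxp1 = LAN 192.168.1.0/24,
# squid on 127.0.0.1:3128, as in the post. Rule numbers are arbitrary.
add 00200 allow all from any to any via lo0
add 00250 deny all from any to 127.0.0.0/8
add 00300 deny log all from 127.0.0.0/8 to any

# Transparent proxy: only LAN packets arriving on fxp1 are redirected, so
# squid's own port-80 connections leaving via fxp0 are never caught here.
add 00700 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80 in via fxp1
add 00703 allow tcp from any 80 to 192.168.1.0/24 out via fxp1

# Inbound on fxp0: translate FIRST, then check-state. The reply is then
# compared with the entry created from the untranslated (private-source) SYN.
add 00750 divert natd all from any to any in via fxp0
add 00900 check-state

# Anti-spoofing and RFC1918 denies for fxp0 go here, as in the posted file.

# Outbound: record state BEFORE NAT and skipto the outbound divert. With
# "allow ... keep-state" placed after a divert, the entry would hold the
# public source address and the translated reply could never match it.
add 02900 skipto 08000 tcp from 192.168.1.0/24 to any 80,81,443 out via fxp0 setup keep-state
add 02901 skipto 08000 tcp from me to any 80,81,443 out via fxp0 setup keep-state
add 02950 skipto 08000 udp from me to any 53 out via fxp0 keep-state
add 02951 skipto 08000 udp from 192.168.1.2 to any 53 out via fxp0 keep-state
add 03000 skipto 08000 tcp from me to any 25,110,143 out via fxp0 setup keep-state

# LAN side: traffic is filtered on the fxp0 outbound pass, so the fxp1 pass
# just lets LAN packets in and replies out.
add 04000 allow all from 192.168.1.0/24 to any in via fxp1
add 04001 allow all from any to 192.168.1.0/24 out via fxp1

# Outbound NAT target, reached only through the skipto rules: directly for
# the first packet, or via check-state when the matching entry's action is
# the skipto. The divert ignores inbound packets, so 08001 passes them.
add 08000 divert natd all from any to any out via fxp0
add 08001 allow all from any to any

add 09999 deny log logamount 500 all from any to any
```

The fwd rule still only covers port 80; the other ports listed in question f) are not redirected by this example.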
