Re: [FUG-BR] pfsense load balance and a few questions (taking a beating from PF)
Hello everyone, I still haven't managed to get the port forward working. I'm almost entirely sure that some firewall rule is causing this. I had to change the IP of my pfSense LAN interface from 192.168.1.1 to 192.168.0.1, and I think that also has to do with the blocking I mentioned. I could not access the webconfigurator from outside, nor the VNC servers or the surveillance machine. I decided to post my filter rules so the experts can analyze them; here they are. Can anyone shed some light?

Note: there are more rules for the camera server and other VNC ones, but I left them out of this message only because they are repetitive.

pfctl -sr
---
scrub in on pppoe0 all fragment reassemble
scrub in on rl0 all fragment reassemble
scrub in on sis0 all fragment reassemble
anchor "relayd/*" all
block drop in log all label "Default deny rule"
block drop out log all label "Default deny rule"
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop quick from to any label "Block snort2c hosts"
block drop quick from any to label "Block snort2c hosts"
block drop quick from to any label "Block pfSnortSamOut hosts"
block drop quick from any to label "Block pfSnortSamIn hosts"
block drop in log quick proto tcp from to any port = ssh label "sshlockout"
block drop in log quick proto tcp from to any port = https label "webConfiguratorlockout"
block drop in quick from to any label "virusprot overload table"
block drop in log quick on pppoe0 from to any label "block bogon networks from WAN"
block drop in on ! pppoe0 inet from 189.47.14.202 to any
block drop in inet from 189.47.14.202 to any
block drop in on pppoe0 inet6 from fe80::240:caff:fe99:90a5 to any
block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
block drop in on ! rl0 inet from 192.168.0.0/24 to any
block drop in inet from 192.168.0.1 to any
block drop in on rl0 inet6 from fe80::2e0:7dff:fee3:5d90 to any
block drop in log quick on sis0 from to any label "block bogon networks from OPT1"
block drop in on sis0 inet6 from fe80::240:caff:fe99:90a5 to any
block drop in log quick on sis0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on sis0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in log quick on sis0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in log quick on sis0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
pass in on sis0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out OPT1"
pass out on sis0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out OPT1"
pass in on lo0 all flags S/SA keep state label "pass loopback"
pass out on lo0 all flags S/SA keep state label "pass loopback"
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (pppoe0 200.100.11.76) inet from 189.47.14.202 to ! 189.47.14.202 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on rl0 proto tcp from any to (rl0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on rl0 proto tcp from any to (rl0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on rl0 proto tcp from any to (rl0) port = ssh flags S/SA keep state label "anti-lockout rule"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.1 port = ssh flags S/SA keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto icmp all keep state label "USER_RULE"
pass in quick on rl0 inet from 192.168.0.0/24 to flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on rl0 route-to (pppoe0 200.100.11.76) inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.3 port = 5903 flags S/SA keep state label "US
Re: [FUG-BR] pfsense load balance and a few questions (taking a beating from PF)
On 20 April 2011 at 11:04, Manoel Alvares wrote:
>
> Hello everyone, I still haven't managed to get the port forward working.
> I'm almost entirely sure that some firewall rule is causing this.
> I had to change the IP of my pfSense LAN interface from 192.168.1.1 to
> 192.168.0.1, and I think that also has to do with the blocking I mentioned.
> I could not access the webconfigurator from outside, nor the VNC servers
> or the surveillance machine.
> I decided to post my filter rules so the experts can analyze them;
> here they are.
> Can anyone shed some light?
> Note: there are more rules for the camera server and other VNC ones, but I
> left them out of this message only because they are repetitive.
>
> pfctl -sr
>

Hi Manoel,

Man, you can indeed do the port forward. Have you tried using NAT instead of the firewall rules themselves? pfSense gives you that port forward option under Firewall >> NAT. Create the NAT rule, and the firewall rule will be created automatically. For access from the WAN, you will have to go to Firewall >> Rules and open the HTTP or HTTPS port. I strongly believe you will get it working.

Regards and good luck

PS: I trimmed part of the email so as not to leave it huge. Good practice =)

--
.:: Lucas Dias
.:: Systems Analyst
.:: Network Management - CETIS / GTIN / UNCISAL
.:: OS3 Soluções em TI
.:: (82) 3315-6779 / 8833-8811 / 8813-1494 / 8111-2288
.:: Before printing, consider whether it is really necessary
-
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
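Lucas's point, that the filter only sees the internal address once a NAT (rdr) port forward has rewritten the destination, can be checked against the posted rules with a small simulator. This is an added example, not code from the thread or from pfSense: it reimplements pf's last-match-wins/quick evaluation over a constructed subset of Manoel's `pfctl -sr` output, the client address 203.0.113.7 is made up, and any real rdr rules would be listed by `pfctl -sn`, which the post did not include.

```python
import ipaddress
import re

# Constructed subset of Manoel's `pfctl -sr` listing: default deny, WAN anti-spoof, his WAN pass rule, the LAN rule.
RULES = '''\
block drop in log all label "Default deny rule"
block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
pass in quick on pppoe0 reply-to (pppoe0 200.100.11.76) inet proto tcp from any to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE"
pass in quick on rl0 route-to (pppoe0 200.100.11.76) inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
'''
# Minimal rule grammar: only the fields the evaluator looks at are captured.
RULE_RE = re.compile(
    r'^(?P<action>pass|block)(?: drop)?(?: (?P<dir>in|out))?(?: log)?(?P<quick> quick)?'
    r'(?: on (?P<iface>\S+))?(?: (?:reply-to|route-to) \([^)]*\))?(?: inet)?'
    r'(?: proto (?P<proto>\S+))?(?: all)?(?: from (?P<src>\S+))?(?: to (?P<dst>\S+))?'
    r'(?: port = (?P<port>\S+))?.*label "(?P<label>[^"]*)"')
PORTS = {"http": 80, "https": 443, "ssh": 22}  # service names as pfctl prints them

def parse(text):
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        r = m.groupdict()
        r["quick"] = bool(r["quick"])
        rules.append(r)
    return rules

def _in_net(spec, addr):  # None (rule said 'all') and 'any' match every address
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    port = rule["port"] and (PORTS.get(rule["port"]) or int(rule["port"]))
    return all((rule["dir"] in (None, pkt["dir"]), rule["iface"] in (None, pkt["iface"]),
                rule["proto"] in (None, pkt["proto"]), port in (None, pkt["dport"]),
                _in_net(rule["src"], pkt["src"]), _in_net(rule["dst"], pkt["dst"])))

def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    winner = None
    for r in rules:
        if matches(r, pkt):
            winner = r
            if r["quick"]:
                break
    return (winner["action"], winner["label"]) if winner else ("pass", "no rule matched")

def diagnose(dst_seen_by_filter):
    """Inbound TCP/80 on the WAN from a constructed client; dst is what the filter sees, i.e. after any rdr."""
    pkt = {"iface": "pppoe0", "dir": "in", "proto": "tcp", "src": "203.0.113.7",
           "dst": dst_seen_by_filter, "dport": 80}
    return evaluate(parse(RULES), pkt)
```

Without a port forward the packet still carries the WAN address 189.47.14.202 when the filter runs, so only the default deny matches; once rdr rewrites the destination to 192.168.0.1, the quick USER_RULE wins.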