


  1. #1

    Posting a tip: VPN with ipfw

    Folks, I'm posting a very simple tip, but one that cost me about 4 hours because of a client's VPN...

    There was no way to get the VPN working; after banging my head against it for a long time I found the following solution:

    # ipfw -q add allow gre from any to any

    It just wasn't working because the "gre" protocol wasn't in my firewall...

    Crude, but it might help someone...

  2. #2

    If the firewall isn't set to default-to-accept, then by default it really shouldn't work, since many VPNs use the GRE protocol to carry their traffic...

  3. #3

    port...

    I also have a client who can't get onto the VPN; I need to open some ports... I tried that rule and it was no use... I don't know FreeBSD very well, since I inherited the box already running... could someone give me a hand? Here's the firewall script:

    #!/bin/sh
    # ipfw firewall: re0 = inside, re1 = outside; NAT through natd, bandwidth limits through dummynet pipes
    fwcmd="/sbin/ipfw -q"
    #
    in_if="re0"
    out_if="re1"
    out_net="200.216.214.8/29"
    backbone="192.168.10.0/24{1-100}"
    out_ip="200.202.220.2"
    dns="192.168.10.1,200.222.0.34,200.222.0.35"
    denied_ip="10.0.0.0/8,172.16.0.0/12,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4"
    p2p="1214,2323,3306,4242,4661-4672,5555,6257,6346,6667,6699,6881-6999,7778"
    netbios="135-139,445"
    open_ports="22,25,80,110,1723,2631,5190,7700" # SSH SMTP HTTP POP INSS MSN
    msn="443,1863-1869,7001"
    log="log logamount 0"
    openip="189.43.239.1,200.254.16.11,200.161.73.133,200.201.174.0/24,200.201.162.0/24,200.254.16.11,189.43.239.1"
    voip="200.162.253.93"
    willian="192.168.13.114"
    #
    # Internal networks; the bw_* lists are host numbers used as addr/24{list} sets for the pipes
    in_net13="192.168.13.0/24"
    bw_13_1="1-254"
    bw_13_2="190"
    bw_13_3="254"
    bw_13_4="254"
    bw_13_5="114"
    #
    in_net14="192.168.14.0/24"
    bw_14_1="1-254"
    bw_14_2="254"
    bw_14_3="254"
    bw_14_4="254"
    bw_14_5="130"
    #
    in_net="$in_net13,$in_net14"

    ######################
    # Flush out the list before we begin.
    ######################
    $fwcmd -f flush
    $fwcmd pipe flush
    $fwcmd zero

    # dummynet pipes: per-destination-host bandwidth limits
    $fwcmd pipe 1 config mask dst-ip 0xffffffff bw 200kbit/s
    $fwcmd pipe 2 config mask dst-ip 0xffffffff bw 300kbit/s
    $fwcmd pipe 3 config mask dst-ip 0xffffffff bw 400kbit/s
    $fwcmd pipe 4 config mask dst-ip 0xffffffff bw 500kbit/s
    $fwcmd pipe 5 config mask dst-ip 0xffffffff bw 999kbit/s
    $fwcmd pipe 10 config mask dst-ip 0xffffffff bw 30kbit/s

    # NAT: hand outside-interface traffic to natd, then jump to the external rules at 50000
    $fwcmd add divert natd all from any to any via $out_if
    $fwcmd add skipto 50000 all from any to any via $out_if
    # loopback and anti-spoofing
    $fwcmd add allow all from any to any via lo0
    $fwcmd add allow all from any to 127.0.0.0/8
    $fwcmd add allow ip from 127.0.0.0/8 to any
    $fwcmd add deny all from any to $denied_ip via $out_if
    $fwcmd add deny ip from 192.168.10.0/24 to any via $out_if

    # unrestricted hosts and the backbone
    $fwcmd add allow ip from any to any src-ip $openip
    $fwcmd add allow ip from any to any dst-ip $openip
    $fwcmd add allow ip from any to any dst-ip $backbone
    $fwcmd add allow ip from any to any src-ip $backbone

    #DNS
    $fwcmd add allow ip from $in_net to any 53
    $fwcmd add allow ip from any 53 to $in_net

    $fwcmd add allow icmp from any to any

    #HTTPS and MSN
    $fwcmd add allow ip from any $msn to any
    $fwcmd add allow ip from any to any $msn

    #VoIP
    $fwcmd add allow ip from $in_net to $voip
    $fwcmd add allow ip from $voip to $in_net

    # internal traffic (NetBIOS blocked)
    $fwcmd add deny ip from any to any $netbios
    $fwcmd add allow ip from $in_net to $in_net
    $fwcmd add allow ip from $in_net to 192.168.10.50
    $fwcmd add allow ip from 192.168.10.50 to $in_net
    $fwcmd add allow ip from me to $in_net
    $fwcmd add allow ip from $in_net to me
    $fwcmd add allow ip from any to any src-ip $willian
    $fwcmd add allow ip from any to any dst-ip $willian
    #$fwcmd add fwd 127.0.0.1,3128 ip from any to any dst-port 80
    $fwcmd add allow ip from any to any src-ip 189.22.112.147
    $fwcmd add allow ip from any to any dst-ip 189.22.112.147

    # bandwidth shaping per internal host set; pipe 10 throttles high-port traffic (P2P)
    $fwcmd add pipe 5 ip from any to any dst-ip $in_net13{$bw_13_5}
    $fwcmd add pipe 2 ip from any to any dst-ip $in_net13{$bw_13_2}
    $fwcmd add pipe 1 ip from any to any dst-ip $in_net13{$bw_13_1}
    $fwcmd add pipe 5 ip from any to any dst-ip $in_net14{$bw_14_5}
    $fwcmd add pipe 1 ip from any to any dst-ip $in_net14{$bw_14_1}
    $fwcmd add pipe 10 $log ip from any 1024-65535 to any 1024-65535 limit dst-addr 5

    #$fwcmd add allow ip from any to any
    $fwcmd add pipe 2 ip from any to any
    #
    #$fwcmd add check-state
    $fwcmd add 50000 // EXTERNAL RULES
    $fwcmd add allow ip from any to any src-ip 189.22.112.147
    $fwcmd add allow ip from any to any dst-ip 189.22.112.147

    $fwcmd add allow ip from $in_net to any 53
    $fwcmd add allow ip from any 53 to $in_net

    $fwcmd add allow ip from any $msn to any
    $fwcmd add allow ip from any to any $msn

    $fwcmd add allow ip from $in_net to $voip
    $fwcmd add allow ip from $voip to $in_net

    $fwcmd add allow ip from any to any src-ip $openip
    $fwcmd add allow ip from any to any dst-ip $openip

    $fwcmd add allow udp from any to any 53
    $fwcmd add allow udp from any 53 to any

    # keep-state style tail: established TCP and new TCP setups pass, everything else is denied
    $fwcmd add allow $log ip from any to any established
    $fwcmd add allow $log tcp from any to any setup
    $fwcmd add deny $log ip from any to any

  4. #4

    ports...

    I need to open UDP ports 4500 through 5500...

  5. #5

    Argh...... I got it wrong, try the one below....
    Last edited by leonardosimas; 04-07-2008 at 19:50.

  6. #6

    Like this.... it works

    oops, better do it like this... it was wrong before, I hadn't read the question....

    Code:
    # for UDP ports 4500 through 5500
    $fwcmd -q add allow udp from any to any 4500-5500
    $fwcmd -q add allow udp from any 4500-5500 to any

    # for TCP ports 4500 through 5500
    $fwcmd -q add allow tcp from any to any 4500-5500
    $fwcmd -q add allow tcp from any 4500-5500 to any
    Last edited by leonardosimas; 04-07-2008 at 16:58.

  7. #7

    Wrong.

    $fwcmd add allow all from any to any 4500-5500
    $fwcmd add allow all from any 4500-5500 to any

    Done.

    Quote: Originally posted by leonardosimas
    Try it and see if it works!!!!

    cheers


    $fwcmd add allow all from any to any 4500
    $fwcmd add allow all from any to any 5500

    $fwcmd add allow all from any 4500 to any
    $fwcmd add allow all from any 5500 to any
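An added example, not code from the thread: a small Python model of ipfw's first-match evaluation, run against the tail of the post #3 ruleset, showing why a GRE packet falls through to the final deny until an `allow gre` rule is placed before it (post #1), why it would pass on a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT (post #2), and why separate rules for ports 4500 and 5500 do not cover the 4500-5500 range (post #7). As a simplifying assumption it evaluates only protocol, port ranges and the tcp `setup`/`established` options; addresses, interfaces and the divert/skipto/pipe actions are ignored.

```python
import re
# Protocol names as ipfw spells them; None means "any protocol" (ip / all)
PROTO = {"ip": None, "all": None, "tcp": 6, "udp": 17, "icmp": 1, "gre": 47}

# [number] action [log [logamount N]] proto from src [ports] to dst [ports] [options]
RULE_RE = re.compile(
    r"^(?:\d+\s+)?(allow|deny)\s+(?:log(?:\s+logamount\s+\d+)?\s+)?(\w+)\s+"
    r"from\s+\S+(?:\s+([\d,-]+))?\s+to\s+\S+(?:\s+([\d,-]+))?\s*(.*)$")

def parse_ports(spec):
    # '53', '4500-5500' or '135-139,445' -> [(lo, hi), ...]; None means any port
    if spec is None:
        return None
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    action, proto, sports, dports, opts = m.groups()
    return {"action": action, "proto": PROTO[proto], "sports": parse_ports(sports),
            "dports": parse_ports(dports), "opts": opts.split()}

def in_ranges(port, ranges):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)

def verdict(rules, proto, sport=0, dport=0, state="", default="deny"):
    """First match wins; 'default' is rule 65535 (deny unless IPFIREWALL_DEFAULT_TO_ACCEPT)."""
    for r in map(parse_rule, rules):
        if r["proto"] is not None and r["proto"] != proto:
            continue
        # a port spec only ever matches TCP/UDP, so "to any 53" can never match GRE
        if (r["sports"] or r["dports"]) and (proto not in (6, 17)
                or not in_ranges(sport, r["sports"]) or not in_ranges(dport, r["dports"])):
            continue
        # setup / established are TCP-state options; a GRE packet never satisfies them
        if any(st in r["opts"] and state != st for st in ("setup", "established")):
            continue
        return r["action"]
    return default

# Tail of the post #3 firewall with its address/interface options dropped (constructed sample)
TAIL = ["allow udp from any to any 53", "allow udp from any 53 to any",
        "allow log logamount 0 ip from any to any established",
        "allow log logamount 0 tcp from any to any setup",
        "deny log logamount 0 ip from any to any"]
```

Placing `allow gre` after the final `deny ip from any to any` would change nothing, which is the ordering mistake this model makes visible.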