jqueiroz
Quoting -= Bio]+[azarD =-:
I'm having trouble configuring FreeBSD for the traffic shaper, redirect and transparent squid services and ...
Hello, friend,
I don't think many people here know FreeBSD well enough to solve your problem, but nothing stops us from trying, right?
You have three problems: the first is NAT, the second is the traffic shaper, and the third is the transparent proxy.
If I understood correctly, you have already got NAT and the proxy working. But I couldn't see, in your configuration, where you configure --- or tried to configure --- the shaper. Is it part of your kernel?
On Linux there is a package called iproute2 which, among other things, includes a shaper (tc). Wouldn't that be an option?
"chmod 777 never helped anyone" (c) 2002-2021 JQueiroz/FGdH
Check out the Blog do Zekke
-= Bio]+[aza...
hey, I just solved 2 of the 3 problems
NATD is fine :twisted:
the redirect is working great :twisted:
the PROXY is NOT transparent :evil: I think it's the squid config
the shaper won't work no matter what :evil: :evil:
and it is part of the KERNEL and of IPFW; it looks very simple to configure but it's giving me a headache
AM2 64 2600@2808 | CPNS9700nt | Asus CrossHAIR | 2GB KVR @702 | Seagate 250Gb.320Gb | 2 xFx GF7900Gs SLi | Audigy2 Zs 7.1 | WinXP 64 | CaseATEN Mod |
Dual PII Xeon 400 | Intel MarlinSpike MS440GX | 768 Mb ECCREG | AHC-29160 | 32GB+73Gb 10K SCSI | FreeBSD 7 ZFS | IBM PCServ320 |
jqueiroz
If I understood right, the line
```
#/sbin/ipfw add skipto 700 tcp from any to any 80,443
```
would be there to capture http/https traffic and hand it to squid, right?
Why is it commented out???
Another thing: which is the external interface, 10.0.1.2 or 192.168.33.2?
jqueiroz
I'm looking at http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html and found the following passage:
Find the following directives, uncomment them, and change them to the appropriate values:
```
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
```
-= Bio]+[aza...
```
hierarchy_stoplist cgi-bin ?
forwarded_for on
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
mime_table /home/squid/etc/mime.conf
maximum_object_size_in_memory 8 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
icp_port 3130
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_single_host off
cache_dir diskd /home/squid/cache 400 16 256 Q1=64 Q2=72
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# And finally deny all other access to this proxy
# pornography blocked
#acl blporn url_regex "/var/cache/squid/etc/filter/porn.block.txt"
#acl noporn url_regex "/var/cache/squid/etc/filter/porn.unblock.txt"
#http_access deny blporn
#http_access allow noporn
# profanity blocked
#acl badlang url_regex "/var/cache/squid/etc/filter/badlang.block.txt"
#acl nobadla url_regex "/var/cache/squid/etc/filter/badlang.unblock.txt"
#http_access deny badlang
#http_access allow nobadla
# entertainment blocked
#acl enterta url_regex "/var/cache/squid/etc/filter/entertain.block.txt"
#acl noenter url_regex "/var/cache/squid/etc/filter/entertain.unblock.txt"
#http_access deny enterta
#http_access allow noenter
# games blocked
#acl games url_regex "/var/cache/squid/etc/filter/games.block.txt"
#acl nogam url_regex "/var/cache/squid/etc/filter/games.unblock.txt"
#http_access deny games
#http_access allow nogam
# mp3 blocked
#acl mp3 url_regex "/var/cache/squid/etc/filter/mp3.block.txt"
#http_access deny mp3
# pirate blocked
#acl pirate url_regex "/var/cache/squid/etc/filter/pirate.block.txt"
#acl nopira url_regex "/var/cache/squid/etc/filter/pirate.unblock.txt"
#http_access deny pirate
#http_access allow nopira
# acl local-intranet dstdomain www.biohazard.eti.br
# acl local-external dstdomain external.foo.net
# always_direct deny local-external
# always_direct allow local-intranet
# never_direct allow all
acl bionet src 10.0.1.0/255.255.255.0
acl snmpManager src 10.0.1.0/255.255.255.0
acl publicCommunity snmp_community publica
http_access allow bionet
http_access deny all
snmp_access allow snmpManager
snmp_access allow publicCommunity bionet
# deny people outside of the local network to ALL data, even public
snmp_access deny all
icp_access allow all
acl localclients src 10.0.1.0/24
miss_access allow localclients
miss_access deny !localclients
proxy_auth_realm proxy-caching
cache_mgr bio@biohazard.dns2go.com
ident_lookup_access deny all
cache_effective_user daemon
cache_effective_group daemon
digest_generation on
digest_bits_per_entry 5
digest_rebuild_period 1 hour
digest_rewrite_period 1 hour
digest_swapout_chunk_size 4096 bytes
digest_rebuild_chunk_percentage 10
ie_refresh on
```
pretty basic stuff
-= Bio]+[aza...
Howdy
One more solo victory hehehe
I just found out how to configure DUMMYNET (Traffic Shaper)
```sh
/sbin/ipfw pipe 10 config mask src-ip 10.0.1.2 bw 100000Kbit/s queue 12MBytes
/sbin/ipfw pipe 20 config mask dst-ip 10.0.1.2 bw 100000Kbit/s queue 12MBytes
/sbin/ipfw add pipe 10 all from 10.0.1.0/24 to any out via xl0
/sbin/ipfw add pipe 20 all from any to 10.0.1.0/24 in via xl0
/sbin/ipfw pipe 30 config mask src-ip 0x000000ff bw 256Kbit/s queue 8KBytes
/sbin/ipfw pipe 40 config mask dst-ip 0x000000ff bw 128Kbit/s queue 8KBytes
/sbin/ipfw add pipe 30 all from 10.0.1.0/24 to any out via xl0
/sbin/ipfw add pipe 40 all from any to 10.0.1.0/24 in via xl0
```
the detail was the network cards: I was using the EXTERNAL ones and it had to be the INTERNAL ones
=o) solved now and I'm happy hehehe
now only the transparent Squid is left
whoever wants the complete script can grab it at
http://www.biohazard.dns2go.com/lixo/ipfw
http://www.biohazard.dns2go.com/lixo/rc.local
jqueiroz
Quoting -= Bio]+[azarD =-:
Howdy
One more solo victory hehehe
I just found out how to configure DU...
Crafty, this guy, huh? :twisted: :twisted: :twisted:
-= Bio]+[aza...
this one is for people who really like a challenge.
```
#ipfw -l
#ipfw: illegal option -- l
#usage: ipfw [options]
# [pipe] flush
# add [number] rule
# [pipe] delete number ...
# [pipe] list [number ...]
# [pipe] show [number ...]
# zero [number ...]
# resetlog [number ...]
# pipe number config [pipeconfig]
# rule: [prob ] action proto src dst extras...
# action:
# {allow|permit|accept|pass|deny|drop|reject|unreach code|
# reset|count|skipto num|divert port|tee port|fwd ip|
# pipe num} [log [logamount count]]
# proto: {ip|tcp|udp|icmp|}
# src: from [not] {me|any|ip[{/bits|:mask}]} [{port[-port]}, [port], ...]
# dst: to [not] {me|any|ip[{/bits|:mask}]} [{port[-port]}, [port], ...]
# extras:
# uid {user id}
# gid {group id}
# fragment (may not be used with ports or tcpflags)
# in
# out
# {xmit|recv|via} {iface|ip|any}
# {established|setup}
# tcpflags [!]{syn|fin|rst|ack|psh|urg}, ...
# ipoptions [!]{ssrr|lsrr|rr|ts}, ...
# tcpoptions [!]{mss|window|sack|ts|cc}, ...
# icmptypes {type[, type]}...
# keep-state [method]
# pipeconfig:
# {bw|bandwidth} {bit/s|Kbit/s|Mbit/s|Bytes/s|KBytes/s|MBytes/s}
# {bw|bandwidth} interface_name
# delay
# queue {packets|Bytes|KBytes}
# plr
# mask {all| [dst-ip|src-ip|dst-port|src-port|proto] }
# buckets }
# {red|gred} ///
# droptail
```
TRAFFIC SHAPER WORKING NICELY, WHOEVER WANTS TO COPY AND USE IT, HERE IT IS
```sh
/sbin/ipfw -f flush
# Full duplex, no limit, for this machine
/sbin/ipfw pipe 10 config mask src-ip 0x000000ff bw 100Mbit/s
/sbin/ipfw pipe 20 config mask dst-ip 0x000000ff bw 100Mbit/s
/sbin/ipfw add pipe 10 all from 10.0.1.2/32 to any out via xl0
/sbin/ipfw add pipe 20 all from 10.0.1.2/32 to any in via xl0
# Traffic shaper, network 10.0.1.0/24
/sbin/ipfw pipe 30 config mask src-ip 0x000000ff bw 128Kbit/s queue 8KBytes
/sbin/ipfw pipe 40 config mask dst-ip 0x000000ff bw 256Kbit/s queue 8KBytes
/sbin/ipfw add pipe 30 all from 10.0.1.0/24 to not 10.0.1.0/24 out via xl0
/sbin/ipfw add pipe 40 all from 10.0.1.0/24 to any in via xl0
# Traffic shaper, port 80, network 192.168.33.0/28
/sbin/ipfw pipe 70 config mask src-ip 0x000000ff bw 8KBytes/s
/sbin/ipfw pipe 80 config mask dst-ip 0x000000ff bw 30KBytes/s
/sbin/ipfw add pipe 70 tcp from 192.168.33.2/32 80 to not 192.168.33.0/28 out via ep0
/sbin/ipfw add pipe 80 tcp from 192.168.33.2/32 80 to any in via ep0
# allow and protect traffic on lo0
/sbin/ipfw add allow all from any to any via lo0
/sbin/ipfw add deny log all from any to 127.0.0.0/8
/sbin/ipfw add deny log all from 127.0.0.0/8 to any
/sbin/ipfw add deny log all from 255.255.255.255/32 to any
/sbin/ipfw add deny log all from 0.0.0.0/32 to any
/sbin/ipfw add deny log all from 172.16.0.0/12 to any
/sbin/ipfw add deny log all from any to 255.255.255.255/32
/sbin/ipfw add deny log all from any to 0.0.0.0/32
/sbin/ipfw add deny log all from any to 172.16.0.0/12
# do not accept fragments
/sbin/ipfw add deny log all from any to any in frag
# do not accept ssrr + lsrr
/sbin/ipfw add deny log all from any to any in ipoptions ssrr,lsrr
# deny internal-network addresses coming in via ep0
/sbin/ipfw add deny log all from 10.0.1.0/24 to any in via ep0
# NAT
/sbin/ipfw add divert natd all from any to any via ep0
#/sbin/ipfw add allow icmp from any to any
/sbin/ipfw add allow icmp from any to any icmptypes 3,4,11,12
# accept already-established connections
/sbin/ipfw add allow tcp from any to any established
# NTP
/sbin/ipfw add allow udp from 200.137.65.132 123 to 192.168.33.2/32 123 keep-state
# DNS
/sbin/ipfw add allow udp from 200.203.191.8 53 to any keep-state
# DNS2go
/sbin/ipfw add allow tcp from any to 63.64.164.93 1227 keep-state
# protections for network 192.168.33.0/28
/sbin/ipfw add check-state
/sbin/ipfw add allow tcp from any to 192.168.33.2/32 21,22,25,80,109,110,143,443 in via ep0 setup keep-state
/sbin/ipfw add deny log tcp from any to 192.168.33.2/32 0-1024 in via ep0
/sbin/ipfw add allow udp from any to 192.168.33.2/32 25,53,109,110,123 in via ep0
/sbin/ipfw add deny log udp from any to 192.168.33.2/32 0-1024 in via ep0
# allow Diablo2
/sbin/ipfw add allow tcp from any to any 4000-7000
/sbin/ipfw add allow udp from any to any 4000-7000
# kali
#/sbin/ipfw add 2101 allow UDP from 64.55.196.2 6666 to any 2213 keep-state
#/sbin/ipfw add 2102 allow UDP from 200.207.49.36 2213 to any 2213 keep-state
#/sbin/ipfw add 2103 allow UDP from 200.155.34.41 2213 to any 2213 keep-state
#/sbin/ipfw add 2104 allow UDP from 200.203.127.56 2213 to any 2213 keep-state
#/sbin/ipfw add 2105 allow UDP from 200.151.156.122 2213 to any 2213 keep-state
#/sbin/ipfw add 2106 allow UDP from 200.207.49.36 2213 to any 2213 keep-state
/sbin/ipfw add allow ip from 192.168.33.2/32 to any keep-state out via ep0
# DMZ network
/sbin/ipfw add allow tcp from any to any 21,22,25,80,109,110,143,443 in via ed0 setup keep-state
/sbin/ipfw add deny log tcp from any to any 0-1024 in via ed0
/sbin/ipfw add allow udp from any to any 25,53,109,110,123 in via ed0
/sbin/ipfw add deny log udp from any to any 0-1024 in via ed0
/sbin/ipfw add allow ip from any to any keep-state out via ed0
# internal network
/sbin/ipfw add allow ip from 10.0.1.0/24 to any keep-state via xl0
# deny direct access from the external network to the internal network
/sbin/ipfw add deny log ip from not 10.0.1.0/24 to any in via xl0
# deny everything else
/sbin/ipfw add 65435 deny log ip from any to any
/sbin/ipfw zero 65535
```
another thing: I had a problem with my 3Com network card, it was blowing past the memory limit, so I put this in the kernel and it worked:
```
options NSFBUFS=1024
options NBUF=512
options NMBCLUSTERS=16384
```
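An added example, not code from the thread or from its author, that turns the interface mistake described in the two shaper posts above (rules bound to the wrong side of the gateway) into a check: it parses `ipfw pipe N config` and `ipfw add ... pipe N` lines of the shape posted here and flags pipes that are used but never configured, plus LAN-side rules whose direction and addresses can never match Internet-bound traffic. It assumes xl0 is the LAN interface for 10.0.1.0/24 (the NAT and anti-spoof rules put ep0 outside) and runs on a constructed sample built from the posted rules.

```python
import ipaddress
# Assumption (from the thread's NAT and anti-spoof rules): xl0 is the LAN side for 10.0.1.0/24,
# ep0 the outside. Only rules bound to a LAN interface are direction-checked.
LAN_IFACES = {"xl0": ipaddress.ip_network("10.0.1.0/24")}
# Constructed sample: shaper lines from the thread's final script, plus an inbound rule
# with a LAN destination (the first attempt's shape) and a rule for an unconfigured pipe.
SAMPLE = """
/sbin/ipfw pipe 30 config mask src-ip 0x000000ff bw 128Kbit/s queue 8KBytes
/sbin/ipfw pipe 40 config mask dst-ip 0x000000ff bw 256Kbit/s queue 8KBytes
/sbin/ipfw add pipe 30 all from 10.0.1.0/24 to not 10.0.1.0/24 out via xl0
/sbin/ipfw add pipe 40 all from 10.0.1.0/24 to any in via xl0
/sbin/ipfw add pipe 40 all from any to 10.0.1.0/24 in via xl0
/sbin/ipfw add pipe 50 all from any to 10.0.1.0/24 out via xl0
"""

def overlaps(addr, net):  # 'any' can always match; otherwise does the prefix meet the LAN?
    return addr == "any" or ipaddress.ip_network(addr, strict=False).overlaps(net)

def parse_pipe_rule(line):  # pipe, src/dst (+ 'not'), direction and interface of an 'add ... pipe' line
    t = line.split()
    if not {"add", "pipe", "from", "to"} <= set(t):
        return None
    src, dst = t[t.index("from") + 1:t.index("to")], t[t.index("to") + 1:]
    r = {"pipe": t[t.index("pipe") + 1], "src_not": src[0] == "not", "dst_not": dst[0] == "not"}
    r["src"], r["dst"] = src[1 if r["src_not"] else 0], dst[1 if r["dst_not"] else 0]
    r["dir"] = next((x for x in dst if x in ("in", "out")), None)
    r["iface"] = dst[dst.index("via") + 1] if "via" in dst else None
    return r

def lint(text, lan_ifaces=LAN_IFACES):
    """Report pipes used before being configured, and LAN-side shaper rules that cannot shape
    Internet traffic: inbound on the LAN interface carries a LAN src, outbound carries a LAN dst."""
    configured, findings = set(), []
    for line in text.splitlines():
        t = line.split()
        if "config" in t and "pipe" in t:  # ipfw pipe N config ...
            configured.add(t[t.index("pipe") + 1])
        r = parse_pipe_rule(line)
        if r and r["pipe"] not in configured:
            findings.append(f"pipe {r['pipe']}: used but never configured")
        net = lan_ifaces.get(r["iface"]) if r else None
        if net is None or r["dir"] is None:
            continue
        src, dst = [("not " if r[k + "_not"] else "") + r[k] for k in ("src", "dst")]
        where = f"pipe {r['pipe']}: '{r['dir']} via {r['iface']}'"
        if r["dir"] == "in" and not r["dst_not"] and r["dst"] != "any" and overlaps(r["dst"], net):
            findings.append(f"{where} with LAN dst {dst}: LAN-to-LAN only, downloads are not shaped")
        elif r["dir"] == "out" and (r["dst_not"] or not overlaps(r["dst"], net)):
            findings.append(f"{where} but dst {dst} can never be a LAN address, rule never matches")
    return findings
```

Feed it the full posted script and it stays quiet about the ep0 and ed0 rules, since only interfaces listed in LAN_IFACES are direction-checked.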