
segunda-feira, 2 de maio de 2011

FreeBSD: Firewall Stateful

#!/bin/sh
#
# FreeBSD ipfw ruleset: stateful dual-WAN outbound load balancing.
#
# Two natd instances (one per WAN interface, re0 and re1) do the address
# translation. ipfw splits new outbound flows from the LAN (192.168.33.0/24)
# between them with a probabilistic skipto, and keep-state/check-state pin
# every later packet of a flow to the link its first packet was given.
#
# NOTE(review): as the comment above rule 65000 says, this is a TEST ruleset.
# The last rule allows everything, so nothing here filters traffic; the
# stateful rules only choose a link. Do not deploy it as-is (see rule 65000).
#
# NOTE(review): there is no error handling (no `set -e`, no status checks).
# The first command flushes every rule, so a failure part-way through (for
# example a natd instance that cannot bind its divert port because an earlier
# run left one running) leaves only the partial ruleset plus the kernel's
# default rule -- a lockout if that default is deny, a wide-open box if it
# is accept. Load it from the console, not over a link it filters.
#
# Also: the flush uses the absolute path /sbin/ipfw while the remaining rules
# rely on PATH to find ipfw; worth making consistent.

###########################################################################
# Flush the whole ipfw ruleset (-f: do not ask for confirmation).
# From here until the rules below are loaded only the kernel default rule
# applies.
###########################################################################
/sbin/ipfw -f flush


###########################################################################
# Start one natd instance per WAN interface. Flags (see natd(8)):
#   -u          translate only packets whose source is an unregistered
#               (private) address, i.e. the LAN
#   -dynamic    follow the interface address if it changes
#   -interface  WAN interface whose address is used for translation
#   -p          divert port this instance listens on; rules 2000/2050 and
#               2200-2350 below must use the same numbers (8668 = re0,
#               8669 = re1)
# NOTE(review): neither instance is started with -deny_incoming, so an
# unsolicited packet arriving on a WAN interface with no translation entry
# is written back untranslated; with rule 65000 allowing everything it then
# reaches whatever the gateway itself is listening on.
###########################################################################
/sbin/natd -u -dynamic -interface re0 -p 8668
/sbin/natd -u -dynamic -interface re1 -p 8669



###########################################################################
# Rule 1: consult the dynamic (session) table first. A packet that matches
# an entry created by one of the keep-state rules below executes that
# rule's action (here: one of the skiptos) without re-evaluating rules
# 2000-2150. This is what keeps all packets of a flow on the link chosen
# for its first packet.
###########################################################################
ipfw add 0001 check-state



###########################################################################
# Rules 2000/2050: packets arriving on each WAN interface go to that
# interface's natd instance for de-translation (replies to LAN flows).
# A packet natd writes back re-enters the ruleset after the divert rule
# (divert(4)), so it is not diverted a second time by these two rules.
###########################################################################
ipfw add 2000 divert 8668 ip from any to any in via re0
ipfw add 2050 divert 8669 ip from any to any in via re1



###########################################################################
# Rule 2100: the load-balancing rule. `prob 0.5` makes the rule match only
# about half of the packets it would otherwise match (ipfw(8)), so roughly
# 50% of outbound LAN packets reaching this rule are sent (skipto) to rule
# 2200, the re0 / port 8668 NAT path. keep-state records the flow so that
# rule 1 sends its remaining packets down the same path: because rule 1
# runs first, the coin is flipped for the first packet of a flow, not for
# every packet.
############################################################################
ipfw add 2100 prob 0.5 skipto 2200 ip from 192.168.33.0/24 to any out keep-state



###########################################################################
# Rule 2150: everything rule 2100 did not pick (the other ~50%) is sent to
# rule 2300, the re1 / port 8669 NAT path, again with keep-state so the
# flow sticks to that link.
###########################################################################
ipfw add 2150 skipto 2300 ip from 192.168.33.0/24 to any out keep-state



############################################################################
# skipto targets. An outbound packet sent to 2200 does not match 2200
# (direction `in`) and is diverted by 2250 to the re0 natd; one sent to
# 2300 is diverted by 2300 to the re1 natd. After natd rewrites the source
# to the WAN address and writes the packet back, processing resumes after
# the divert rule with a source no longer in 192.168.33.0/24, so the other
# path's divert rules should not match it a second time.
# NOTE(review): rules 2200 and 2350 (direction `in`, LAN source) are not
# reached only via skipto -- any packet with a 192.168.33.0/24 source
# arriving on the LAN side can match them on its inbound pass, which pushes
# it through natd before routing. natd appears to pass packets without a
# translation entry through unchanged, so this looks harmless, but confirm
# that the two `in` rules are intended.
############################################################################
ipfw add 2200 divert 8668 ip from 192.168.33.0/24 to any in
ipfw add 2250 divert 8668 ip from 192.168.33.0/24 to any out
ipfw add 2300 divert 8669 ip from 192.168.33.0/24 to any out
ipfw add 2350 divert 8669 ip from 192.168.33.0/24 to any in

############################################################################
# Rules 2400/2500: policy routing for packets sourced from the gateway's own
# addresses. The original author states 192.168.1.222 and 192.168.4.222 are
# the gateway's addresses -- presumably the re0 and re1 WAN addresses that
# natd has just rewritten LAN traffic to (confirm). fwd hands each to its
# link's next hop, 192.168.1.1 or 192.168.4.1, so a flow translated on one
# link is not sent out through the other by the routing table. On older
# kernels fwd needs the IPFIREWALL_FORWARD option (ipfw(8)).
############################################################################
ipfw add 2400 fwd 192.168.1.1 ip from 192.168.1.222 to any
ipfw add 2500 fwd 192.168.4.1 ip from 192.168.4.222 to any



############################################################################
# Rule 65000: the only allow/deny rule, and it allows everything in every
# direction. The original note says this is a test firewall. SECURITY: with
# this rule the box performs NAT and link selection but no filtering at
# all -- connections from either WAN to the gateway, and anything natd
# passes through untranslated, are accepted. Before using this outside a
# lab replace it with explicit allow rules (keep-state for LAN-originated
# flows, plus only the services that must be reachable) and finish with
# `deny ip from any to any`.
############################################################################
ipfw add 65000 allow ip from any to any


FONTE: http://softwarelivre.org/projeto-software-livre-bahia/blog/leonardo-couto-conrado-ipfw-balanceamento-de-trafego-com-dois-links-wan-usando-o-ipfw-freebsd
