OpenBSD Router (pf.conf)

Yesterday I was idly messing around with OpenBSD and tried to build a router with this particular Unix distribution...

Here is just a sample pf.conf configuration:

### options --> normalization --> queueing --> translation --> filtering

### Macros ###
ext_if="sk0" # Toward TELKOM (upstream link)
int_if="sk1" # INTRANET

### TABLES ###
table <unmulnet> { 10.10.1.0/24 }
table <wifi_dl> { 10.10.1.213 }
table <staff> { 10.10.1.79,10.10.1.80,10.10.1.81,10.10.1.82,10.10.1.83,10.10.1.84,10.10.1.85 }

### GLOBAL OPTIONS ###
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

### TRAFFIC NORMALIZATION ###
#
scrub in all

# Ports that may be reached from outside the box
ssh_ports = "{ 22 }"
im_ports = "{ 5050 5222 6667 }"
tcp_services = "{ 21 25 53 80 113 110 143 443 2082 5050 5222 6667 }"
udp_services = "{ 53 1194 }"

# Ping Requests
icmp_types = "echoreq"

### QUEUES - ALTQ rules ###
altq on $ext_if priq bandwidth 1024Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }

queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

altq on $int_if cbq bandwidth 1280Kb queue { std_in, ssh_im_in, dns_in, staff_in, wfidl_in }

queue std_in bandwidth 1024Kb cbq(default)
queue ssh_im_in bandwidth 32Kb priority 4
queue dns_in bandwidth 32Kb priority 5
queue staff_in bandwidth 128Kb cbq(borrow)
queue wfidl_in bandwidth 64Kb cbq(borrow)

### TRANSLATION ###
nat on $ext_if from $int_if:network to any -> ($ext_if)
#nat-anchor "ftp-proxy/*"

#================#
## Redirections ##
#================#
rdr on $int_if proto tcp from <unmulnet> to !<unmulnet> port 80 -> 127.0.0.1 port 3128
rdr-anchor "ftp-proxy/*"
#rdr on $int_if proto tcp from <unmulnet> to !<unmulnet> port 21 -> 127.0.0.1 port 8021

#==================#
# Anchor Blockit #
#==================#
anchor blockit

#==================#
# Anchor FTP #
#==================#
anchor "ftp-proxy/*"

### PACKET FILTERING ###
set skip on lo0

# filter rules for $ext_if inbound #
# ============================= #
block in on $ext_if all

# filter rules for $ext_if outbound #
# ============================= #
block out on $ext_if all
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_services flags S/SA keep state queue(std_out, tcp_ack_out)
#pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state queue(std_out, tcp_ack_out)
#pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) icmp-type $icmp_types keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_services keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports flags S/SA keep state queue(std_out, ssh_im_out)
pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

# filter rules for $int_if inbound #
# ============================ #
block in on $int_if all
pass in on $int_if from <unmulnet>

# filter rules for $int_if outbound #
# ============================ #
block out on $int_if all
pass out on $int_if from any to <unmulnet>
pass out on $int_if proto { tcp udp } from any port domain to <unmulnet> queue dns_in
pass out on $int_if proto tcp from any port $ssh_ports to <unmulnet> queue (std_in, ssh_im_in)
pass out on $int_if proto tcp from any port $im_ports to <unmulnet> queue ssh_im_in
pass out on $int_if from any to <staff> queue staff_in
pass out on $int_if from any to <wifi_dl> queue wfidl_in

## Deny spoofing
antispoof for $ext_if
antispoof for $int_if

# Localhost
pass quick on lo0 all
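The header comment of the file and `set require-order yes` mean pfctl rejects a ruleset whose rule classes are out of order. The following checker is an added example (not part of the original post or of OpenBSD's tools) that classifies each line the way the ordering rule does and reports rules that appear after a rule of a later class; SAMPLE is a constructed excerpt with two such mistakes, and `set skip`, which pfctl accepts anywhere, is exempted.

```python
# Rule classes in the order that "set require-order yes" enforces.
RANK = ["options", "normalization", "queueing", "translation", "filtering"]
CLASS = {"set": "options", "scrub": "normalization",
         "altq": "queueing", "queue": "queueing",
         "nat": "translation", "rdr": "translation", "binat": "translation",
         "nat-anchor": "translation", "rdr-anchor": "translation", "binat-anchor": "translation",
         "block": "filtering", "pass": "filtering", "antispoof": "filtering", "anchor": "filtering"}

def classify(line):
    """Rule class of one pf.conf line; None for blanks, comments, macros and tables."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    words = s.split()
    if words[0] == "set" and words[1:2] == ["skip"]:
        return None  # pfctl does not apply the order check to "set skip"
    return CLASS.get(words[0])

def order_violations(text):
    """Return (line number, class, class of the earlier rule it should have
    preceded) for every rule that appears after a rule of a later class."""
    highest = -1
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        cls = classify(line)
        if cls is None:
            continue
        rank = RANK.index(cls)
        if rank < highest:
            out.append((n, cls, RANK[highest]))
        highest = max(highest, rank)
    return out

# Constructed excerpt (not the post's file): scrub after nat, set limit after block.
SAMPLE = """\
set require-order yes
altq on sk0 priq bandwidth 1024Kb queue { std_out, dns_out }
queue std_out priq(default)
nat on sk0 from sk1:network to any -> (sk0)
scrub in all
set skip on lo0
block in on sk0 all
set limit { states 10000 }
"""

if __name__ == "__main__":
    for n, cls, after in order_violations(SAMPLE):
        print(f"line {n}: {cls} rule placed after a {after} rule; move it up")
```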

Don't forget to also edit /etc/sysctl.conf to enable IP forwarding; open the file and uncomment this line:

net.inet.ip.forwarding=1

To enable PF on every boot, create the file rc.conf.local in the /etc directory with contents like this, for example:

named_flags=""
ntpd=NO
ftpproxy_flags=""
sendmail_flags=NO
pf=YES
inetd=NO
check_quotas=NO
mysql=YES
snort=YES

Well, this is just a share, and at the same time a log so I don't forget some day when the tinkering itch strikes again !!! :)) Once again, this is only an example, don't copy it verbatim onto your machine... read a lot first before doing anything... as a note, my OpenBSD box already had MySQL, SQUID and SNORT installed beforehand :p

3 comments

  1. I'm a newbie, I installed FreeBSD 7 just yesterday. I tried the config above, adjusting the variables of course,

    but the download limiter for the clients doesn't work; however, if I change
    pass out on $int_if
    to
    pass in on $int_if,
    it works. Why is the limiter like that??

    try using pftop -v queue and then download a movie,
    you'll see the total bandwidth used; when it's alone it can borrow the root's bandwidth,
