[BSD] Jail - ftp - Ipnat

pwmosquito pwmosquito at szendezs.com
Thu, 23 Jul 2009 19:40:57 CEST


Put the "FTP nat - redirect" part before antispoof (which is really 2
block filtering rules) and it will work right away.
Also, if you are using FBSD 7.X (which has the OBSD 4.1 pf), the
flags S/SA keep state part is not needed, since that became the default.
(Earlier it was not the default, so back then you had to write it out if
you wanted it.)

Zsolt

Illó Gábor wrote:
> 2009/7/23 pwmosquito at szendezs.com <pwmosquito at szendezs.com>:
>
>> It would be simpler if you pasted in your pf.conf, but even without seeing it
>> the error is clear: things are in the wrong order.
>>
>> Balazs, thanks for the abbreviation.
>>
>> Zsolt
>>
>
> True, here it is:
>
> int_if="em0"
> icmp_types = "echoreq"
> public_ip = "195.228.156.104"
>
> # Tell if we return or drop blocked packets in general
> set block-policy return
>
> # don't filter on the loopback interface
> set skip on lo0
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
>
> # Set Antispoof rule
> antispoof for $int_if
>
> # Block all incoming traffic
> block in all
>
> # activate spoofing protection for all interfaces
> block in quick from urpf-failed
>
> # Allow all outgoing traffic
> pass out all keep state
>
> # Allow ping
> pass in inet proto icmp all icmp-type $icmp_types
>
> # Allow incoming
> pass in proto tcp to $int_if port {21,25,80,443,1985}
>
> # FTP nat - redirect
> nat on $int_if from 127.1.0.1 to any -> $public_ip
> rdr pass on $int_if proto tcp from any to any port 21 -> 127.1.0.1 port 21
> rdr pass on $int_if proto tcp from any to any port 30000:31000 -> 127.1.0.1 port 30000:31000
> _______________________________________________
> BSD mailing list
> BSD at hu.freebsd.org
> https://lists.hu.freebsd.org/mailman/listinfo/bsd
>
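For reference, here is the quoted pf.conf rearranged the way Zsolt describes. This is an added example, not a file from either poster: the pf of FreeBSD 7.x (OpenBSD 4.1 pf) requires the sections of pf.conf in a fixed order (macros and options, normalization, queueing, translation, filtering), and because antispoof expands into block rules it belongs to the filtering section, so the nat/rdr lines must precede it. The jail_ip and pasv_ports macros are introduced here only for readability; the addresses and ports are the ones from the quoted config.

```pf
# Added example: Gabor's rules reordered so that translation (nat/rdr)
# comes before filtering (antispoof/block/pass). pfctl on FreeBSD 7.x
# rejects the original order with "Rules must be in order".
int_if="em0"
icmp_types="echoreq"
public_ip="195.228.156.104"
jail_ip="127.1.0.1"        # macro added in this example for readability
pasv_ports="30000:31000"   # passive FTP data range from the quoted config

# Tell if we return or drop blocked packets in general
set block-policy return

# don't filter on the loopback interface
set skip on lo0

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Translation section: must come before any filter rule, including
# antispoof (which is really two block rules)
nat on $int_if from $jail_ip to any -> $public_ip
rdr pass on $int_if proto tcp from any to any port 21 -> $jail_ip port 21
rdr pass on $int_if proto tcp from any to any port $pasv_ports -> $jail_ip port $pasv_ports

# Filtering section starts here
antispoof for $int_if

# Block all incoming traffic
block in all

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Allow all outgoing traffic. On FreeBSD 7.x "flags S/SA keep state"
# is already the default for pass rules, so "keep state" is redundant here.
pass out all keep state

# Allow ping
pass in inet proto icmp all icmp-type $icmp_types

# Allow incoming
pass in proto tcp to $int_if port {21,25,80,443,1985}
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only, no load) before `pfctl -f /etc/pf.conf`; the parse-only run is what reports the ordering error in the original layout. Note also that the two rdr lines only help if the ftpd inside the jail is configured to use that same 30000:31000 passive range and to announce the public address in its PASV replies.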



More information about the BSD mailing list