[BSD] ezjail

Illó Gábor stageline at gmail.com
Fri, 4 Jun 2010 18:15:01 CEST


It works now; the machine just needed a restart.

2010/6/4 Illó Gábor <stageline at gmail.com>

> To add to the below, I did not leave this out either:
>
> /etc/rc.conf
>
> gateway_enable="YES"
>
> /etc/sysctl.conf
>
> net.inet.ip.forwarding=1
> net.inet6.ip6.forwarding=1
> security.jail.allow_raw_sockets=1
>
>
> 2010/6/4 Illó Gábor <stageline at gmail.com>
>
>> Hi all,
>>
>> I have a jail created with ezjail; its IP address is 172.20.0.2.
>>
>> On the host system serving the jails, aliases 1 through 5 were set up with
>> the command ifconfig em0 alias 172.20.0.2 netmask 255.255.255.0.
>>
>> ifconfig output of the main system running the jails:
>>
>> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>
>> options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
>>         ether 00:19:db:62:62:6a
>>         inet 195.228.156.104 netmask 0xffffff00 broadcast 195.228.156.255
>>         inet6 fe80::219:dbff:fe62:626a%em0 prefixlen 64 scopeid 0x1
>>         inet 172.20.0.1 netmask 0xffffff00 broadcast 172.20.0.255
>>         inet 172.20.0.2 netmask 0xffffff00 broadcast 172.20.0.255
>>         inet 172.20.0.3 netmask 0xffffff00 broadcast 172.20.0.255
>>         inet 172.20.0.4 netmask 0xffffff00 broadcast 172.20.0.255
>>         inet 172.20.0.5 netmask 0xffffff00 broadcast 172.20.0.255
>>         nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>         options=3<RXCSUM,TXCSUM>
>>         inet 127.0.0.1 netmask 0xff000000
>>         inet6 ::1 prefixlen 128
>>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
>>         nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
>>
>> ifconfig output of the jail with IP address 172.20.0.2:
>>
>> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>
>> options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
>>         ether 00:19:db:62:62:6a
>>         inet 172.20.0.2 netmask 0xffffff00 broadcast 172.20.0.255
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>         options=3<RXCSUM,TXCSUM>
>>
>> The problem is that there is no network access in the jail. While name
>> resolution and the network work on the machine running the jails, neither
>> works inside the jail. I use pf as the firewall, which looks like this:
>>
>> int_if="em0"
>> icmp_types="echoreq"
>> public="195.228.156.104"
>>
>> www="172.20.0.1"
>> mysql="172.20.0.2"
>> mail="172.20.0.3"
>> apache="172.20.0.4"
>>
>> # Tell if we return or drop blocked packets in general
>> set block-policy return
>>
>> # don't filter on the loopback interface
>> set skip on lo0
>>
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> scrub in all
>>
>> # NAT for the local network
>> nat on $int_if from 172.20.0.0/24 to any -> $public
>>
>> # www.stageline.hu
>> # FTP
>> rdr pass on $int_if proto tcp from any to any port 21 -> $www
>> rdr pass on $int_if proto tcp from any to any port 30000:31000 -> $www
>>
>> # HTTP
>> rdr pass on $int_if proto tcp from any to any port 80 -> $www
>> rdr pass on $int_if proto tcp from any to any port 443 -> $www
>>
>> # mail.stageline.hu
>> # SMTP Postfix
>> rdr pass on $int_if proto tcp from any to any port 995 -> $mail
>> rdr pass on $int_if proto tcp from any to any port 587 -> $mail
>> rdr pass on $int_if proto tcp from any to any port 25 -> $mail
>> rdr pass on $int_if proto tcp from any to any port 465 -> $mail
>>
>> # Dovecot
>> rdr pass on $int_if proto tcp from any to any port 993 -> $mail
>> rdr pass on $int_if proto tcp from any to any port 110 -> $mail
>>
>> # APACHE FTP
>> rdr pass on $int_if proto tcp from any to any port 28 -> $apache port 21
>> rdr pass on $int_if proto tcp from any to any port 33000:34000 -> $apache
>>
>> # Set Antispoof rule
>> antispoof for $int_if
>>
>> # Block all incoming traffic
>> block in all
>>
>> # activate spoofing protection for all interfaces
>> block in quick from urpf-failed
>>
>> # Allow all outgoing traffic
>> pass out all keep state
>>
>> # Allow ping
>> pass in inet proto icmp all icmp-type $icmp_types
>>
>> # Allow incoming
>> pass in proto tcp to $int_if port {1985}
>>
>> #vpn
>> pass in quick proto esp from any to any
>> pass in quick proto ah from any to any
>> pass in quick proto ipencap from any to any
>> pass in quick proto udp from any port = 500 to any port = 500
>> pass in quick on gif0 from any to any
>>
>>
>> Any ideas? It used to work like this. I reinstalled the system last night
>> and now I would like to bring it back up, but it is not working. The ezjail
>> is what is new.
>>
>> --
>> Best Regards
>> Gábor Illó
>>
>
>
>
> --
> Best Regards
> Gábor Illó
>



-- 
Best Regards
Gábor Illó
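The configuration in the quoted post relies on three things lining up: IPv4 forwarding enabled on the host (gateway_enable or net.inet.ip.forwarding), a nat rule whose source network covers every jail alias, and rdr rules that only point at addresses that actually belong to a jail. The following is an added example, not code from the post, from ezjail or from pf: a small Python lint that parses those fragments and reports where they disagree. The config strings are copied (abridged) from the post; the regexes are an assumption that only cover the simple rule forms used there, not the full pf.conf grammar. It also flags security.jail.allow_raw_sockets=1, which widens what a jailed root may do and is only needed if ping or traceroute must run inside the jail.

```python
import ipaddress
import re

# Config text taken (abridged) from the post above; JAIL_IPS are the em0
# aliases shown in the host's ifconfig output.
PF_CONF = """
int_if="em0"
icmp_types="echoreq"
public="195.228.156.104"
www="172.20.0.1"
mysql="172.20.0.2"
mail="172.20.0.3"
apache="172.20.0.4"
nat on $int_if from 172.20.0.0/24 to any -> $public
rdr pass on $int_if proto tcp from any to any port 21 -> $www
rdr pass on $int_if proto tcp from any to any port 80 -> $www
rdr pass on $int_if proto tcp from any to any port 25 -> $mail
rdr pass on $int_if proto tcp from any to any port 28 -> $apache port 21
pass in inet proto icmp all icmp-type $icmp_types
"""
SYSCTL_CONF = """
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
security.jail.allow_raw_sockets=1
"""
RC_CONF = 'gateway_enable="YES"\n'
JAIL_IPS = ["172.20.0.1", "172.20.0.2", "172.20.0.3", "172.20.0.4", "172.20.0.5"]

# Assumed, simplified rule shapes: only what appears in the post is parsed.
MACRO_RE = re.compile(r'^(\w+)="([^"]*)"$')
NAT_RE = re.compile(r'^nat on (\S+) from (\S+) to any -> (\S+)$')
RDR_RE = re.compile(
    r'^rdr pass on (\S+) proto \w+ from any to any port (\S+) -> (\S+)(?: port (\S+))?$')


def lines(text):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_kv(text):
    """key=value lines (quotes stripped) from sysctl.conf / rc.conf."""
    out = {}
    for line in lines(text):
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def parse_pf(text):
    """Return (macros, nat_rules, rdr_rules) with $macro references expanded."""
    macros, nats, rdrs = {}, [], []
    for line in lines(text):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)

    def ex(tok):  # expand a $macro token, leave anything else untouched
        return macros.get(tok[1:], tok) if tok.startswith("$") else tok

    for line in lines(text):
        nm, rm = NAT_RE.match(line), RDR_RE.match(line)
        if nm:
            iface, src, target = nm.groups()
            nats.append((ex(iface), ipaddress.ip_network(ex(src)), ex(target)))
        elif rm:
            iface, port, target, tport = rm.groups()
            rdrs.append((ex(iface), port, ex(target), tport or port))
    return macros, nats, rdrs


def lint(pf_text, sysctl_text, rc_text, jail_ips):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    macros, nats, rdrs = parse_pf(pf_text)
    sysctl, rc = parse_kv(sysctl_text), parse_kv(rc_text)
    # Either setting turns IPv4 forwarding on at boot; without it NAT cannot work.
    if rc.get("gateway_enable") != "YES" and sysctl.get("net.inet.ip.forwarding") != "1":
        findings.append("ERROR: IPv4 forwarding is off; NAT for the jails cannot work")
    # Every jail address must fall inside the source network of some nat rule.
    nat_nets = [net for _, net, _ in nats]
    for ip in jail_ips:
        if not any(ipaddress.ip_address(ip) in net for net in nat_nets):
            findings.append(f"ERROR: jail {ip} is not covered by any nat rule")
    # rdr targets that are not jail addresses forward traffic somewhere unexpected.
    for _, port, target, _ in rdrs:
        if target not in jail_ips:
            findings.append(f"ERROR: rdr port {port} -> {target} is not a jail address")
    # A defined but unused macro is usually a leftover from a removed service.
    body = "\n".join(l for l in lines(pf_text) if not MACRO_RE.match(l))
    for name in macros:
        if f"${name}" not in body:
            findings.append(f"WARN: macro '{name}' is defined but never used")
    if sysctl.get("security.jail.allow_raw_sockets") == "1":
        findings.append("INFO: jails may open raw sockets (only needed for ping/traceroute "
                        "inside a jail); jailed root can then craft arbitrary IP packets")
    return findings


if __name__ == "__main__":
    for finding in lint(PF_CONF, SYSCTL_CONF, RC_CONF, JAIL_IPS):
        print(finding)
```

Run against the post's own configuration the lint reports only two things: the `mysql` macro is defined but never used (172.20.0.2, the jail the poster is asking about, has no rdr rule, which is fine for an outbound-only database jail but worth confirming), and raw sockets are enabled for all jails. Changing the nat source network or dropping the forwarding settings turns those into ERROR findings, which is the kind of mismatch that would explain a jail with no outbound connectivity.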
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://datacast.hu/pipermail/bsd/attachments/20100604/98001ae3/attachment.html>

