[BSD] pf.conf configuration

Kochis Pál Zoltán pal at kochis.hu
Fri, 24 Jun 2005 11:54:44 CEST


Hi all!

I'm new to the list and also new to the community of BSD users. I do
already have Linux experience, though.

I'm building a firewall with OpenBSD 3.6. My problem: the redirects set up
in pf.conf don't work. For example, from inside the machine, telnet 127.0.0.1 25
gets an answer from the mail server, but from outside a telnet <IP address of the card> 25
request is refused. What should I set?

Pali

The pf.conf is as follows:

#	$OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or
# net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Macros
#ext_if="ext0"
#int_if="int0"
ext_if="rl0"
int_if="ne3"
lop_if="lo0"
privates="{10.0.0.0/8 192.168.0.0/16 255.255.255.255/32}"
myprivates="{172.16.0.0/12}"
wins="{'Windows 95', 'Windows 98'}"

table <spamd> persist
table <spamd-white> persist

# Options

# Scrub
scrub in

# NAT/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
	-> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
	-> 127.0.0.1 port spamd

# Filter rules
block in
block in log quick on { $ext_if $int_if } from $privates
block out log quick on { $ext_if $int_if } to $privates
block in log quick on $ext_if from $myprivates
block out log quick on $ext_if to $myprivates

block in on { $ext_if $int_if } proto tcp from any os $wins to any port smtp
pass out keep state

pass quick on { $lop_if $int_if }
antispoof quick for { $lop_if $int_if }

pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state
pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state


The pfctl output:

FILTER RULES:
scrub in all fragment reassemble
block drop in all
block drop in log quick on rl0 inet from 10.0.0.0/8 to any
block drop in log quick on rl0 inet from 192.168.0.0/16 to any
block drop in log quick on rl0 inet from 255.255.255.255 to any
block drop in log quick on ne3 inet from 10.0.0.0/8 to any
block drop in log quick on ne3 inet from 192.168.0.0/16 to any
block drop in log quick on ne3 inet from 255.255.255.255 to any
block drop out log quick on rl0 inet from any to 10.0.0.0/8
block drop out log quick on rl0 inet from any to 192.168.0.0/16
block drop out log quick on rl0 inet from any to 255.255.255.255
block drop out log quick on ne3 inet from any to 10.0.0.0/8
block drop out log quick on ne3 inet from any to 192.168.0.0/16
block drop out log quick on ne3 inet from any to 255.255.255.255
block drop in log quick on rl0 inet from 172.16.0.0/12 to any
block drop out log quick on rl0 inet from any to 172.16.0.0/12
block drop in on rl0 proto tcp from any os "Windows 95" to any port = smtp
block drop in on rl0 proto tcp from any os "Windows 98" to any port = smtp
block drop in on ne3 proto tcp from any os "Windows 95" to any port = smtp
block drop in on ne3 proto tcp from any os "Windows 98" to any port = smtp
pass out all keep state
pass quick on lo0 all
pass quick on ne3 all
block drop in quick on ! lo0 inet from 127.0.0.0/8 to any
block drop in quick on ! lo0 inet6 from ::1 to any
block drop in quick on ! ne3 inet from 172.16.0.0/16 to any
block drop in quick inet from 172.16.254.251 to any
block drop in quick on ne3 inet6 from fe80::240:f6ff:fe4c:b1f9 to any
pass in on rl0 proto tcp from any to (rl0) port = ssh keep state
pass in on rl0 proto tcp from any to (rl0) port > 49151 user = 71 keep state
pass in log on rl0 proto tcp from any to (rl0) port = smtp keep state
pass out log on rl0 proto tcp from (rl0) to any port = smtp keep state
No queue in use


  
-- 
Kochis, Pál Zoltán <pal at kochis.hu> <www.kochis.hu>
Visit the COSPA web site: <www.cospa-project.org>
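The following is an added example, not part of the original post and not the poster's code. It models pf's rule evaluation order for the rules in the pf.conf above: rdr rules are evaluated first-match, and a matching "rdr pass" rule passes the translated packet without consulting the filter rules; filter rules are evaluated last-match unless a matching rule carries "quick". The contents of the <spamd> and <spamd-white> tables and the sample source addresses are constructed (the post shows the tables only as "persist"); the port numbers are the OpenBSD /etc/services values (ftp 21, ssh 22, smtp 25, spamd 8025). State tracking, scrub and antispoof are left out. Running it shows where an SMTP connection arriving on rl0 is actually steered under these rules, which is the first thing to check when an outside connection to port 25 is refused.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample table contents; the post only declares the tables.
SPAMD = {ipaddress.ip_network("192.0.2.0/24")}
SPAMD_WHITE = {ipaddress.ip_network("198.51.100.7/32")}


def in_table(ip: str, table) -> bool:
    """True if ip falls inside any network of the (constructed) table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in table)


@dataclass
class Rdr:
    iface: str                      # "rdr ... on <iface>"
    dport: int                      # "to port <dport>"
    src_ok: Callable[[str], bool]   # "from <...>" (table membership test)
    target: tuple                   # "-> <address> port <port>"
    passes: bool                    # "rdr pass": skip the filter rules


@dataclass
class Filter:
    action: str                     # "pass" or "block"
    quick: bool
    direction: Optional[str]        # "in", "out" or None (both)
    iface: Optional[str]            # None matches any interface
    dport: Optional[int]            # None matches any port


# The three rdr rules from the post (ftp-proxy on 8021, spamd on 8025).
RDR_RULES = [
    Rdr("ne3", 21, lambda s: True, ("127.0.0.1", 8021), True),
    Rdr("rl0", 25, lambda s: in_table(s, SPAMD), ("127.0.0.1", 8025), True),
    Rdr("rl0", 25, lambda s: not in_table(s, SPAMD_WHITE), ("127.0.0.1", 8025), True),
]

# The inbound filter rules from the post that decide ordinary TCP connections
# ("block in", "pass quick on ne3", ssh and smtp to the external address).
FILTER_RULES = [
    Filter("block", False, "in", None, None),
    Filter("pass", True, None, "ne3", None),
    Filter("pass", False, "in", "rl0", 22),
    Filter("pass", False, "in", "rl0", 25),
]


def translate(iface: str, src: str, dport: int) -> Optional[Rdr]:
    """rdr rules: the first matching rule wins."""
    for rule in RDR_RULES:
        if rule.iface == iface and rule.dport == dport and rule.src_ok(src):
            return rule
    return None


def filter_decision(direction: str, iface: str, dport: int) -> str:
    """Filter rules: the last matching rule wins, unless a match is 'quick'."""
    decision = "pass"   # pf passes when no rule matches at all
    for rule in FILTER_RULES:
        if rule.direction not in (None, direction):
            continue
        if rule.iface not in (None, iface):
            continue
        if rule.dport not in (None, dport):
            continue
        decision = rule.action
        if rule.quick:
            break
    return decision


def inbound_path(iface: str, src: str, dport: int) -> tuple:
    """Return (final destination, verdict) for an inbound TCP connection."""
    rule = translate(iface, src, dport)
    if rule is not None:
        dest = f"{rule.target[0]}:{rule.target[1]}"
        if rule.passes:
            return dest, "pass (rdr pass, filter rules skipped)"
        # Filter rules see the translated destination port.
        return dest, filter_decision("in", iface, rule.target[1])
    return f"self:{dport}", filter_decision("in", iface, dport)


if __name__ == "__main__":
    # Constructed sample connections: outside host, whitelisted host, LAN host.
    for iface, src, port in [("rl0", "203.0.113.5", 25), ("rl0", "198.51.100.7", 25),
                             ("rl0", "203.0.113.5", 80), ("ne3", "172.16.0.9", 21)]:
        dest, verdict = inbound_path(iface, src, port)
        print(f"{src} -> {iface}:{port}  =>  {dest}  [{verdict}]")
```

The two SMTP cases are the instructive ones: any outside host not in <spamd-white> is redirected to 127.0.0.1:8025, so the answer it gets comes from spamd (or a refused connection if nothing listens there), while only a whitelisted source falls through to the "pass in log on $ext_if ... port smtp" rule and reaches the mail server on port 25. "pfctl -sn" lists the loaded translation rules alongside the filter rules shown by "pfctl -sr".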




More information about the BSD mailing list