[BSD] ezjail

Illó Gábor stageline at gmail.com
Fri, 4 Jun 2010 15:57:49 CEST


Hi all,

I have a jail created with ezjail; its IP address is 172.20.0.2.

On the host system serving the jails, aliases 1 through 5 were configured with the command
ifconfig em0 alias 172.20.0.2 netmask 255.255.255.0 (and so on for each address).

ifconfig output of the host system running the jails:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:19:db:62:62:6a
        inet 195.228.156.104 netmask 0xffffff00 broadcast 195.228.156.255
        inet6 fe80::219:dbff:fe62:626a%em0 prefixlen 64 scopeid 0x1
        inet 172.20.0.1 netmask 0xffffff00 broadcast 172.20.0.255
        inet 172.20.0.2 netmask 0xffffff00 broadcast 172.20.0.255
        inet 172.20.0.3 netmask 0xffffff00 broadcast 172.20.0.255
        inet 172.20.0.4 netmask 0xffffff00 broadcast 172.20.0.255
        inet 172.20.0.5 netmask 0xffffff00 broadcast 172.20.0.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

ifconfig output of the jail with IP address 172.20.0.2:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:19:db:62:62:6a
        inet 172.20.0.2 netmask 0xffffff00 broadcast 172.20.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>

The problem is that the jail has no network access. While name resolution and the
network work on the machine running the jails, neither works inside the jail. I use pf
as the firewall, which looks like this:

int_if="em0"
icmp_types="echoreq"
public="195.228.156.104"

www="172.20.0.1"
mysql="172.20.0.2"
mail="172.20.0.3"
apache="172.20.0.4"

# Tell if we return or drop blocked packets in general
set block-policy return

# don't filter on the loopback interface
set skip on lo0

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# NAT for the local (jail) network
nat on $int_if from 172.20.0.0/24 to any -> $public

# www.stageline.hu
# FTP
rdr pass on $int_if proto tcp from any to any port 21 -> $www
rdr pass on $int_if proto tcp from any to any port 30000:31000 -> $www

# HTTP
rdr pass on $int_if proto tcp from any to any port 80 -> $www
rdr pass on $int_if proto tcp from any to any port 443 -> $www

# mail.stageline.hu
# SMTP Postfix
rdr pass on $int_if proto tcp from any to any port 995 -> $mail
rdr pass on $int_if proto tcp from any to any port 587 -> $mail
rdr pass on $int_if proto tcp from any to any port 25 -> $mail
rdr pass on $int_if proto tcp from any to any port 465 -> $mail

# Dovecot
rdr pass on $int_if proto tcp from any to any port 993 -> $mail
rdr pass on $int_if proto tcp from any to any port 110 -> $mail

# APACHE FTP
rdr pass on $int_if proto tcp from any to any port 28 -> $apache port 21
rdr pass on $int_if proto tcp from any to any port 33000:34000 -> $apache

# Set Antispoof rule
antispoof for $int_if

# Block all incoming traffic
block in all

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Allow all outgoing traffic
pass out all keep state

# Allow ping
pass in inet proto icmp all icmp-type $icmp_types

# Allow incoming
pass in proto tcp to $int_if port {1985}

#vpn
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any


Any ideas? It worked like this before. I reinstalled the system last night and now I
would like to bring it back up, but it does not work. ezjail is the part that is new.

-- 
Best Regards
Gábor Illó
--------- next part ---------
An HTML attachment was scrubbed...
URL: <http://datacast.hu/pipermail/bsd/attachments/20100604/67e3713a/attachment.html>
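The message above describes the two symptoms separately (no name resolution, no outbound traffic) but checks neither in isolation. The script below is an added example, not code from the original post or from ezjail: it separates the questions a practitioner would ask when a jail sharing a host NIC has no egress. The pure helpers test whether a pf nat rule's source network actually covers the jail address and whether a jail's resolv.conf names a resolver (jails do not inherit the host's /etc/resolv.conf); the live part runs pfctl, jls and sysctl only when those FreeBSD commands exist. The pf.conf excerpt and resolv.conf samples embedded in the script are constructed, and the jls column names (jid, ip4.addr, path) assume a FreeBSD 8-era jls.

```shell
#!/bin/sh
# Added example: diagnose "jail has no network" on a pf + alias setup.
# Pure helpers work offline on text; live_checks needs FreeBSD tools.

# Convert dotted-quad IPv4 to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains IP NET/PREFIX  -> exit 0 if IP is inside the network.
# A bare address without /prefix is treated as /32.
cidr_contains() {
    case $2 in */*) cidr=$2 ;; *) cidr="$2/32" ;; esac
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${cidr%/*}")
    prefix=${cidr#*/}
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 >> (32 - prefix)) << (32 - prefix) ))
    fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# nat_source_covers IP PF_CONF_TEXT -> prints the matching nat source
# network and exits 0, or exits 1 if no "nat on ... from X" rule covers IP.
nat_source_covers() {
    ip=$1
    for src in $(printf '%s\n' "$2" |
            awk '$1=="nat" && $2=="on" { for (i=1;i<=NF;i++) if ($i=="from") print $(i+1) }'); do
        if [ "$src" = any ] || cidr_contains "$ip" "$src"; then
            echo "$src"
            return 0
        fi
    done
    return 1
}

# resolv_has_nameserver RESOLV_CONF_TEXT -> exit 0 if a nameserver line exists.
resolv_has_nameserver() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9a-fA-F.:]+'
}

# Live checks, FreeBSD only; each command is skipped if not installed.
live_checks() {
    jail_ip=$1
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found; skipping live checks"; return 0; }
    echo "== nat/rdr rules currently loaded =="
    pfctl -sn 2>/dev/null
    echo "== pf states mentioning $jail_ip (appear once the jail sends traffic) =="
    pfctl -ss 2>/dev/null | grep -F "$jail_ip"
    echo "== jails and their resolvers =="
    # Assumed jls syntax: -h prints a header line, followed by the named columns.
    jls -h jid ip4.addr path 2>/dev/null | tail -n +2 | while read -r jid ip path; do
        printf 'jail %s (%s): ' "$jid" "$ip"
        if [ -r "$path/etc/resolv.conf" ] && resolv_has_nameserver "$(cat "$path/etc/resolv.conf")"; then
            echo "resolv.conf has a nameserver"
        else
            echo "no nameserver in $path/etc/resolv.conf"
        fi
    done
    echo "== raw sockets (ping from inside a jail needs this set to 1) =="
    sysctl security.jail.allow_raw_sockets 2>/dev/null
}

# Constructed pf.conf excerpt modelled on the rule set in the post.
PF_CONF='int_if="em0"
public="195.228.156.104"
nat on $int_if from 172.20.0.0/24 to any -> $public
rdr pass on $int_if proto tcp from any to any port 80 -> 172.20.0.1
pass out all keep state'

# Constructed resolv.conf samples: one usable, one as an untouched new jail often has it.
RESOLV_OK='search example.net
nameserver 195.228.156.1'
RESOLV_EMPTY='# empty resolv.conf in a freshly created jail'

echo "nat source covering 172.20.0.2: $(nat_source_covers 172.20.0.2 "$PF_CONF" || echo none)"
echo "nat source covering 172.21.0.2: $(nat_source_covers 172.21.0.2 "$PF_CONF" || echo none)"
resolv_has_nameserver "$RESOLV_OK" && echo "sample resolv.conf: nameserver present"
resolv_has_nameserver "$RESOLV_EMPTY" || echo "empty resolv.conf: no nameserver (no DNS in jail)"
live_checks 172.20.0.2
```

If the nat source covers the jail address and a state shows up in pfctl -ss but nothing returns, the problem is on the reply path rather than in pf; if no state ever appears, the jail's packets are not leaving through the interface the nat rule names. An empty resolv.conf inside the jail explains failing name resolution on its own, even when raw IP connectivity works.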


More information about the BSD mailing list