[BSD] ezjail

Illó Gábor stageline at gmail.com
Fri, 4 Jun 2010, 16:15:37 CEST


I'd add to what's below that I didn't leave this out either:

/etc/rc.conf

gateway_enable="YES"

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
security.jail.allow_raw_sockets=1


2010/6/4 Illó Gábor <stageline at gmail.com>

> Hi all,
>
> I have a jail built with ezjail; its IP address is 172.20.0.2.
>
> On the system hosting the jails, aliases 1 through 5 were set up with the
> ifconfig em0 alias 172.20.0.2 netmask 255.255.255.0 command.
>
> ifconfig output of the main system running the jails:
>
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>
> options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
>         ether 00:19:db:62:62:6a
>         inet 195.228.156.104 netmask 0xffffff00 broadcast 195.228.156.255
>         inet6 fe80::219:dbff:fe62:626a%em0 prefixlen 64 scopeid 0x1
>         inet 172.20.0.1 netmask 0xffffff00 broadcast 172.20.0.255
>         inet 172.20.0.2 netmask 0xffffff00 broadcast 172.20.0.255
>         inet 172.20.0.3 netmask 0xffffff00 broadcast 172.20.0.255
>         inet 172.20.0.4 netmask 0xffffff00 broadcast 172.20.0.255
>         inet 172.20.0.5 netmask 0xffffff00 broadcast 172.20.0.255
>         nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
>         nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
>
> ifconfig output of the jail with IP address 172.20.0.2:
>
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>
> options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
>         ether 00:19:db:62:62:6a
>         inet 172.20.0.2 netmask 0xffffff00 broadcast 172.20.0.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>
> The problem is that there is no network in the jail. While name resolution
> and the network work on the machine running the jails, neither works in the
> jail. I use pf as the firewall, which looks like this:
>
> int_if="em0"
> icmp_types="echoreq"
> public="195.228.156.104"
>
> www="172.20.0.1"
> mysql="172.20.0.2"
> mail="172.20.0.3"
> apache="172.20.0.4"
>
> # Tell if we return or drop blocked packets in general
> set block-policy return
>
> # don't filter on the loopback interface
> set skip on lo0
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
>
> # NAT for the local network
> nat on $int_if from 172.20.0.0/24 to any -> $public
>
> # www.stageline.hu
> # FTP
> rdr pass on $int_if proto tcp from any to any port 21 -> $www
> rdr pass on $int_if proto tcp from any to any port 30000:31000 -> $www
>
> # HTTP
> rdr pass on $int_if proto tcp from any to any port 80 -> $www
> rdr pass on $int_if proto tcp from any to any port 443 -> $www
>
> # mail.stageline.hu
> # SMTP Postfix
> rdr pass on $int_if proto tcp from any to any port 995 -> $mail
> rdr pass on $int_if proto tcp from any to any port 587 -> $mail
> rdr pass on $int_if proto tcp from any to any port 25 -> $mail
> rdr pass on $int_if proto tcp from any to any port 465 -> $mail
>
> # Dovecot
> rdr pass on $int_if proto tcp from any to any port 993 -> $mail
> rdr pass on $int_if proto tcp from any to any port 110 -> $mail
>
> # APACHE FTP
> rdr pass on $int_if proto tcp from any to any port 28 -> $apache port 21
> rdr pass on $int_if proto tcp from any to any port 33000:34000 -> $apache
>
> # Set Antispoof rule
> antispoof for $int_if
>
> # Block all incoming traffic
> block in all
>
> # activate spoofing protection for all interfaces
> block in quick from urpf-failed
>
> # Allow all outgoing traffic
> pass out all keep state
>
> # Allow ping
> pass in inet proto icmp all icmp-type $icmp_types
>
> # Allow incoming
> pass in proto tcp to $int_if port {1985}
>
> #vpn
> pass in quick proto esp from any to any
> pass in quick proto ah from any to any
> pass in quick proto ipencap from any to any
> pass in quick proto udp from any port = 500 to any port = 500
> pass in quick on gif0 from any to any
>
>
> Any ideas? It worked like this before. I reinstalled the system last night
> and now I'd like to bring it back up, but it doesn't work. ezjail is what's new.
>
> --
> Best Regards
> Gábor Illó
>



-- 
Best Regards
Gábor Illó
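An added diagnostic, not code from the thread or from ezjail: it expands the pf.conf macros, checks whether the jail address is covered by a nat rule, and checks whether net.inet.ip.forwarding is on (the setting gateway_enable="YES" turns on at boot). The ruleset and sysctl lines are constructed from values in the thread; the function names are ours.

```python
import ipaddress
import re

# Constructed pf.conf fragment using the thread's macros and nat rule.
PF_CONF = """\
int_if="em0"
public="195.228.156.104"
mysql="172.20.0.2"
# NAT for the local network
nat on $int_if from 172.20.0.0/24 to any -> $public
rdr pass on $int_if proto tcp from any to any port 3306 -> $mysql
"""

# Constructed `sysctl` output for a host where forwarding is still off.
SYSCTL_OUT = """\
net.inet.ip.forwarding: 0
security.jail.allow_raw_sockets: 1
"""

def expand_macros(conf):
    """Return the rule lines with pf.conf macros (name="value") expanded."""
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', conf, re.M))
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" in line.split()[0]:  # blank or macro definition
            continue
        rules.append(re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line))
    return rules

def nat_sources(rules):
    """(interface, source network, translation address) for each nat rule."""
    nets = []
    for r in rules:
        m = re.match(r"nat on (\S+) from (\S+) to any -> (\S+)", r)
        if m:
            net = ipaddress.ip_network(m.group(2), strict=False)
            nets.append((m.group(1), net, m.group(3)))
    return nets

def forwarding_enabled(sysctl_out):
    m = re.search(r"^net\.inet\.ip\.forwarding: (\d)", sysctl_out, re.M)
    return bool(m and m.group(1) == "1")

def diagnose(jail_ip, conf, sysctl_out):
    """List the reasons a jail at jail_ip would have no outbound network."""
    findings = []
    ip = ipaddress.ip_address(jail_ip)
    if not any(ip in net for _, net, _ in nat_sources(expand_macros(conf))):
        findings.append("no nat rule covers %s" % jail_ip)
    if not forwarding_enabled(sysctl_out):
        findings.append('net.inet.ip.forwarding is 0 (set gateway_enable="YES")')
    # security.jail.allow_raw_sockets only lets a jail use ping/traceroute;
    # NAT does not need it, and it widens what root inside the jail can do.
    return findings
```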