Re: Fwd: rdr on a bridge firewall

From: Tue Topholm (none@tt--device.dk.lh.bsd-dk.dk)
Date: Sun 04 Mar 2007 - 17:51:48 CET


Subject: Re: Fwd: rdr on a bridge firewall
Date: Sun, 4 Mar 2007 17:51:48 +0100
From: "Tue Topholm" <none@tt--device.dk.lh.bsd-dk.dk>
To: <none@bsd-dk--bsd-dk.dk.lh.bsd-dk.dk>

Tue Topholm wrote:
>> Quoting Tue Topholm (tt@device.dk):
>>> rdr on $int_if proto tcp from any to $min_ip port 80 -> \
>>> 66.249.93.104 port 80
>>>
>>> But it doesn't work...

>That's not right, it works 100% the way it should. But maybe it is
>written wrong.
>
>Some info about your network. Your whole ruleset. An explanation of what
>you are trying to get working.
>
>If you send those 3 things, there is a chance of getting help.

It is in the earlier mails, but here it comes again:

1. The firewall runs as a bridge.
2.

# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#Configurations
set limit states 500000
set optimization aggressive

#Tables
table <bruteforce> persist

# Interfaces
ext_if = "em0"
int_if = "em1"
fw_if = "em3"

#ICMP Types
icmp_types = "echoreq"

# Open everything on the external NIC
pass in quick on $ext_if all
pass out quick on $ext_if all

# Allow traffic between the two internal segments.

pass quick on $int_if inet proto {tcp, udp, icmp} from $net1 to $net2 \
        flags S/SA keep state
pass quick on $int_if inet proto {tcp, udp, icmp} from $net2 to $net1 \
        flags S/SA keep state
pass quick on $int_if inet proto {tcp, udp, icmp} from $net3 to {$net1, $net2}\
        flags S/SA keep state
pass quick on $int_if inet proto {tcp, udp, icmp} from {$net1, $net2}\
        to $net3 flags S/SA keep state
pass quick on $int_if inet proto {tcp, udp, icmp} from {$net1, $net2, $net3}\
        to $net4 flags S/SA keep state
pass quick on $int_if inet proto {tcp, udp, icmp} from $net4 to\
        {$net1, $net2, $net3} flags S/SA keep state

# Block everything on the inside
block out log on $int_if all

#Block bruteforcers
block quick from <bruteforce>

#ICMP
pass quick on $int_if proto icmp from any to $ICMP icmp-type $icmp_types modulate state

# Open up for VNC
pass out log on $int_if proto tcp from any to $VNC port = 5900 flags S/SA modulate state
pass out on $int_if proto tcp from any to $Webdoxa port = 5960 flags S/SA modulate state

#SSH
pass out on $int_if proto tcp from any to $SSH port ssh flags S/SA modulate state

#SSH SECURE
pass out on $int_if proto tcp from any to $SSH_Secure port ssh\
        flags S/SA modulate state\
        (max-src-conn 15, max-src-conn-rate 5/3,\
        overload <bruteforce> flush global)

#WWW
pass out on $int_if proto tcp from any to $WWW port http flags S/SA modulate state

#DNS
pass out on $int_if proto tcp from any to $DNSSE port domain flags S/SA
pass out on $int_if proto udp from any to $DNSSE port domain
pass out on $int_if proto tcp from any to $DNSSE port 8053 flags S/SA modulate state
pass out on $int_if proto tcp from any to $DNS port 7948 flags S/SA modulate state

#Mysql
pass out on $int_if proto tcp from any to $MySQL port 3306 flags S/SA modulate state

#MSSQL
pass out on $int_if proto tcp from any to $MSSQL port 1433 flags S/SA modulate state

#FTP
pass out on $int_if proto tcp from any to $Ftp port 20 flags S/SA modulate state
pass out on $int_if proto tcp from any to $Ftp port ftp flags S/SA modulate state
pass out on $int_if proto tcp from any to $Ftp port 5100:5200 flags S/SA modulate state

#Mail
pass out on $int_if proto tcp from any to $Mail port 110 flags S/SA
pass out on $int_if proto tcp from any to $Mail port 25 flags S/SA
pass out on $int_if proto tcp from any to $Mail port 143 flags S/SA

#Remote_Desktop
pass out on $int_if proto tcp from any to $RemoteDesktop port 3389 flags S/SA modulate state

#Https
pass out on $int_if proto tcp from any to $Https port 443 flags S/SA modulate state

# Open everything outbound
pass in on $int_if proto tcp all modulate state
pass in on $int_if proto udp all modulate state
pass in on $int_if proto icmp all modulate state

I have left out all the macros, since I can't see that it makes any difference...

3. What I would like to achieve is, for example, to be able to route one of my external IPs on to an IP that is not in my IP range.

So, for example, I would like to route all requests arriving at my 212.242.230.111 to the IP 66.249.93.104. (I know I could forward port 80 in the rule above.)

/Tue
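The ruleset above only makes sense once you apply pf's matching semantics: rules are evaluated top to bottom, the last matching rule wins, and a matching rule marked "quick" ends evaluation immediately. That is why "block out log on $int_if all" does not block the later "pass out" rules, and why the trailing "pass in ... all" rules open everything inbound on the inside interface. On a bridge there is a second twist: bridge(4) hands each forwarded packet to pf twice, once as "in" on the interface it arrived on and once as "out" on the interface it leaves by, so both evaluations must pass. The following evaluator is an added example, not code from the poster or from the bsd-dk list; it implements that subset of pf's semantics over a constructed ruleset shaped like the one in the mail. The interface names, addresses, ports and the <bruteforce> table contents are invented stand-ins, since the real macro values were omitted from the mail.

```python
"""Toy evaluator for pf(4) rule matching: in-order evaluation, last match
wins, 'quick' stops evaluation, and a bridge filters each packet twice.
Added example; ruleset, addresses and table contents are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample ruleset modelled on the shape of the poster's pf.conf.
RULESET = """
pass in quick on em0 all
pass out quick on em0 all
block out log on em1 all
block quick from <bruteforce>
pass out on em1 proto tcp from any to 10.0.0.10 port = 5900 flags S/SA modulate state
pass out on em1 proto tcp from any to 10.0.0.20 port ssh flags S/SA modulate state
pass out on em1 proto tcp from any to 10.0.0.30 port http flags S/SA modulate state
pass in on em1 proto tcp all modulate state
pass in on em1 proto udp all modulate state
"""
TABLES = {"bruteforce": {"198.51.100.7"}}   # constructed table content
SERVICES = {"ssh": 22, "http": 80, "domain": 53, "ftp": 21}


@dataclass
class Packet:
    iface: str
    direction: str          # "in" or "out"
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    text: str
    action: str             # "pass" or "block"
    direction: Optional[str] = None
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and addr_match(self.src, p.src)
                and addr_match(self.dst, p.dst)
                and (self.port is None or self.port == p.dport))


def addr_match(spec: Optional[str], addr: str) -> bool:
    """'any'/absent matches all; '<name>' is a table lookup; else exact host."""
    if spec in (None, "any"):
        return True
    if spec.startswith("<"):
        return addr in TABLES[spec.strip("<>")]
    return spec == addr


def parse_rule(line: str) -> Rule:
    """Parse the subset of pf syntax used above; state options are ignored
    because they do not influence which rule matches."""
    toks = line.split()
    r = Rule(text=line, action=toks[0])
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r.direction = t
        elif t == "quick":
            r.quick = True
        elif t == "on":
            i += 1
            r.iface = toks[i]
        elif t == "proto":
            i += 1
            r.proto = toks[i]
        elif t == "from":
            i += 1
            r.src = toks[i]
        elif t == "to":
            i += 1
            r.dst = toks[i]
        elif t == "port":
            i += 1
            if toks[i] == "=":
                i += 1
            r.port = SERVICES.get(toks[i]) or int(toks[i])
        elif t in ("flags", "modulate", "keep"):
            i += 1          # skip 'S/SA' or 'state'
        # 'log', 'all', 'inet': no effect on matching
        i += 1
    return r


def load(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def evaluate(rules: list, pkt: Packet):
    """Return (decision, rule text). pf's default when nothing matches is pass."""
    decision, matched = "pass", "<default pass>"
    for r in rules:
        if r.matches(pkt):
            decision, matched = r.action, r.text
            if r.quick:
                break
    return decision, matched


def bridge_decision(rules: list, pkt: Packet, in_if: str, out_if: str) -> str:
    """A bridged packet is filtered 'in' on in_if and 'out' on out_if."""
    d_in, _ = evaluate(rules, Packet(in_if, "in", pkt.proto, pkt.src, pkt.dst, pkt.dport))
    d_out, _ = evaluate(rules, Packet(out_if, "out", pkt.proto, pkt.src, pkt.dst, pkt.dport))
    return "pass" if d_in == d_out == "pass" else "block"


if __name__ == "__main__":
    rs = load(RULESET)
    web = Packet("em0", "in", "tcp", "203.0.113.5", "10.0.0.30", 80)
    print(bridge_decision(rs, web, "em0", "em1"))          # pass
    print(evaluate(rs, Packet("em1", "out", "tcp", "203.0.113.5", "10.0.0.10", 3389)))
```

Running it shows the block-by-default pattern working through the "block out log ... all" rule: outbound traffic on em1 to a port no later "pass out" rule names ends on the block rule, while a listed port ends on its pass rule. It also shows the cost of the trailing "pass in ... all" rules, which let any inbound packet on the inside interface through except sources already in the <bruteforce> table.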

This archive was generated by hypermail 2b30 : Sat 31 Mar 2007 - 23:00:01 CEST