ipfw divert keep-state
Dan Lukes
dan at obluda.cz
Mon Jul 24 15:09:39 CEST 2006
VUlik at cz.soluziona.com wrote:
> I'm slowly going grey, because I haven't managed to get NAT to a specific
> destination working properly. If I have a stateful rule (e.g. 17600), the
> divert does not happen at all. If I remove keep-state, NAT happens, but then
> the return traffic, including its state, has to be explicitly allowed before
> the deny established rule (04500). Does anyone know how to set this up elegantly?
I don't quite understand it, but isn't NAT on the input side a stateful filter
in itself? (It only lets "in" packets that belong to connections which were
correctly established "out".)
What is the point of doing practically the same thing once more with the IP
filter? And if there is no point, as it seems to me at the moment, then it is
not that surprising that it cannot be done elegantly; perhaps nobody expected
it to be done at all.
Suggested changes:
> 01400 21 1080 divert 8668 tcp from
> 192.168.34.0/24,192.168.35.0/24,192.168.2.0/24 to
> 195.141.65.64/26,195.141.65.128/26 out via vlan1
                                     ^^^^ out via vlan1 -> xmit vlan1
> 01500 29 1348 divert 8668 tcp from
> 195.141.65.64/26,195.141.65.128/26 to me in via vlan1
                                        ^^^ in via vlan1 -> recv vlan1
> 02000 21 1080 allow tcp from me to
> 195.141.65.64/26,195.141.65.128/26 out via vlan1
                                     ^^^ out via vlan1 -> xmit vlan1
> 04400 0 0 check-state
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  the whole rule is unnecessary, NAT takes care of keeping state; replace it
  with a rule that, on the internal interface, lets the translated packets
  back in, and don't forget the machine's own communication, that is, if it
  has any in this direction
> 04500 979 41748 deny log logamount 10000000 tcp from any to any
> established
>
> 17600 12 600 allow tcp from 192.168.2.0/24 to
> 195.141.65.64/26,195.141.65.128/26 dst-port 80,443,3002,3003 in via em3
                                                                ^^^ in via em3 -> recv em3
> keep-state
  ^^^^^^^^^^ unnecessary, NAT takes care of it
> 17700 0 0 allow tcp from 192.168.22.0/24 to
> 195.141.65.64/26,195.141.65.128/26 dst-port 80,443,3002,3003 in via vlan22
                                                                ^^^ in via vlan22 -> recv vlan22
> keep-state
  ^^^^^^^^^^ unnecessary, NAT takes care of it
> 17800 0 0 allow tcp from 192.168.34.0/24 to
                                        ^^ /24 -> /23
> 195.141.65.64/26,195.141.65.128/26 dst-port 80,443,3002,3003 in via tap0
                                                                ^^^ in via tap0 -> recv tap0
> keep-state
  ^^^^^^^^^^ unnecessary, NAT takes care of it
> 17900 0 0 allow tcp from 192.168.35.0/24 to
> 195.141.65.64/26,195.141.65.128/26 dst-port 80,443,3002,3003 in via tap0
> keep-state
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  entirely unnecessary, replaced by the modified rule 17800
And I would also add 'setup' to 17600-17800, but that depends a bit on who we
are actually protecting from whom.
This advice is provided AS-IS without any warranty whatsoever ...
Dan
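The ruleset from the thread, reworked along the lines Dan sketches above, as an added example that is neither the original poster's nor Dan's configuration. The addresses, ports, interfaces and rule numbers are the ones quoted in the thread; rules 4400-4420, which let translated return packets through in place of check-state, and the exact placement of setup, are assumptions about how to fill in his sketch.

```shell
#!/bin/sh
# Added example, not the ruleset from the thread itself. Changes relative to the
# quoted rules: xmit/recv instead of "out via"/"in via", no check-state or
# keep-state (natd only translates back packets of sessions it opened), one
# 192.168.34.0/23 in place of the .34 and .35 /24s, and setup on the LAN rules.
# Rules 4400-4420 are my assumed replacement for check-state; the box's own
# connections to $DST are left as in the thread. Set IPFW=echo for a dry run.
EXT=vlan1                                  # outside interface, natd on port 8668
DST=195.141.65.64/26,195.141.65.128/26     # destinations reached through NAT
LAN=192.168.34.0/23,192.168.2.0/24         # /23 covers 192.168.34.0 and .35.0
PORTS=80,443,3002,3003

# One rule per line, in the order ipfw must evaluate them. Everything that lets
# return traffic through sits before rule 4500 (deny established).
rules() {
    cat <<EOF
1400 divert 8668 tcp from $LAN to $DST out xmit $EXT
1500 divert 8668 tcp from $DST to me in recv $EXT
2000 allow tcp from me to $DST out xmit $EXT
4400 allow tcp from $DST to $LAN in recv $EXT
4410 allow tcp from $DST to 192.168.2.0/24 out xmit em3
4420 allow tcp from $DST to 192.168.34.0/23 out xmit tap0
4500 deny log logamount 10000000 tcp from any to any established
17600 allow tcp from 192.168.2.0/24 to $DST dst-port $PORTS in recv em3 setup
17700 allow tcp from 192.168.22.0/24 to $DST dst-port $PORTS in recv vlan22 setup
17800 allow tcp from 192.168.34.0/23 to $DST dst-port $PORTS in recv tap0 setup
EOF
}
# Why 4400 works without state: a return packet enters on vlan1, rule 1500 hands
# it to natd, and only if natd knows the session does its destination become a
# LAN address, which 4400 then matches. An untranslated packet still has "me"
# as destination, skips 4400 and is dropped by 4500 as before. The same packet
# is then seen again on its way out of em3 or tap0, where 4410/4420 allow it.

# Feed each rule to ipfw (or to whatever $IPFW names); stop at the first failure.
apply_rules() {
    rules | while read -r rule; do
        ${IPFW:-ipfw} -q add $rule || exit 1
    done
}
# usage: IPFW=echo sh -c '. ./nat-rules.sh; apply_rules'   (dry run)
```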