ipfw divert keep-state

Dan Lukes dan at obluda.cz
Mon Jul 24 15:09:39 CEST 2006


VUlik at cz.soluziona.com wrote:
>  I am slowly going grey, because I have not managed to get NAT to a
> specific destination working efficiently. If I have a state rule (e.g. 17600),
> no divert happens at all. If I remove keep-state, the NAT does happen, but then,
> before the deny established rule (04500), I have to explicitly allow the return
> traffic including the state. Does anyone have an idea how to set this up elegantly?

	I do not quite understand it, but isn't NAT on the inbound side a stateful 
filter by itself? (It lets "in" only packets belonging to connections that 
were correctly established "out".)

	What is the point of doing practically the same thing once more with the 
IP filter? And if it makes no sense, as it seems to me right now, then it is 
not that surprising that it cannot be done elegantly; perhaps nobody expected 
it would ever be done at all.

	Suggested changes:

> 01400      21       1080 divert 8668 tcp from
> 192.168.34.0/24,192.168.35.0/24,192.168.2.0/24 to
> 195.141.65.64/26,195.141.65.128/26 out via vlan1
                                          ^^^^
					 xmit

> 01500      29       1348 divert 8668 tcp from
> 195.141.65.64/26,195.141.65.128/26 to me in via vlan1
					      ^^^
                                               recv

> 02000      21       1080 allow tcp from me to
> 195.141.65.64/26,195.141.65.128/26 out via vlan1
                                          ^^^
                                          xmit

> 04400       0          0 check-state
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   the whole rule is unnecessary, state tracking is handled by NAT; replace it 
with a rule that, for the internal interface, allows the translated packets to 
return, and don't forget the machine's own communication, that is, if it has 
any in this direction

> 04500     979      41748 deny log logamount 10000000 tcp from any to any
> established
> 
> 17600      12        600 allow tcp from 192.168.2.0/24 to
> 195.141.65.64/26,195.141.65.128/26 dst-port 80,443,3002,3003 in via em3
                                                                   ^^^
                                                                   recv
> keep-state
   ^^^^^^^^^^
   unnecessary, NAT handles it

> 17700       0          0 allow tcp from 192.168.22.0/24 to
> 195.141.65.64/26,195.141.65.128/26 dst-port 80,443,3002,3003 in via vlan22
                                                                   ^^^
                                                                   recv
> keep-state
   ^^^^^^^^^^
   unnecessary, NAT handles it

> 17800       0          0 allow tcp from 192.168.34.0/24 to
                                                        ^^
                                                        23
> 195.141.65.64/26,195.141.65.128/26 dst-port 80,443,3002,3003 in via tap0
                                                                   ^^^
                                                                   recv
> keep-state
   ^^^^^^^^^^
   unnecessary, NAT handles it

> 17900       0          0 allow tcp from 192.168.35.0/24 to
> 195.141.65.64/26,195.141.65.128/26 dst-port 80,443,3002,3003 in via tap0
> keep-state
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   entirely unnecessary, replaced by the modified rule 17800


	And I would also add 'setup' to 17600-17800, but that depends a bit on 
who we are actually protecting from whom.

	This advice is provided AS-IS without any warranty ...

						Dan




More information about the Users-l mailing list