problem with PF and binat

Miroslav Lachman 000.fbsd at quip.cz
Sat Apr 28 23:52:53 CEST 2007


On a test machine I have created an interface lo1 with an address on it, for
example 10.11.12.13, on which a jail runs. So that the jail can also be
reached from outside, there is an IP alias on the real interface (vr0) and
the PF rules use a redirection via binat (it is the same when rdr and nat are
used instead of binat).
With that, however, I ran into a problem with how PF handles the filter and
address translation rules. Such a packet then appears to the PF filter with
the private IP address, but on the physical interface, on which I have the
private ranges blocked.

Does anyone have an idea how to adjust the filter / translation rules so that
such a packet is not blocked?

So far I have worked around it by excluding the jail's IP address from the
table of private ranges that are to be forbidden on the external interface,
using this construct:

table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, ! $jail_addr_0 }

A shortened version of pf.conf looks roughly like this (it is a test machine
on a local network that uses the addresses 192.168.1.* - these addresses are
not treated as private in the rules, even though according to the RFC they
are):

-------- pf.conf --------
ext_if="vr0"

ext_addr_0="192.168.1.164"      # primary IP of ext. interface
ext_tcp_0_inports="{ 21, 25, 80, 110, 143, 443, 465, 587, 993, 995 }"  # ports other than primary SSHd
ext_ssh_0="22"  # port on which sshd listens
# secondary IPs of ext. interface - allowing public services
ext_addr_1="192.168.1.165"
ext_tcp_1_inports="{ 22, 80, 443 }"
jail_addr_0="10.11.12.13"
jail_tcp_0_inports="{ 22, 80, 443 }"

unfiltered="{ lo0, lo1 }"

## TABLES: similar to macros, but more flexible for many addresses.
table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, ! $jail_addr_0 }
table <czech_net> persist file "/etc/pf.czech_net.table"
table <goodguys> persist file "/etc/pf.goodguys.table"
table <badguys> persist file "/etc/pf.badguys.table"
table <bruteforce> persist
table <ssh_bruteforce> persist

set skip on $unfiltered

## TRANSLATION
binat on $ext_if from $jail_addr_0 to any -> $ext_addr_1

## FILTER
pass in quick proto tcp from <goodguys> to any port $ext_ssh_0 flags S/SA keep state

# deny bad addresses from tables
block in quick from { <badguys>, <bruteforce>, <ssh_bruteforce> } to any

block quick inet6 all
block

# Deny all non routable trafic on external interface
block quick on $ext_if inet from <reserved> to any
block quick on $ext_if inet from any to <reserved>
### ^^^ this rule is where the problem is ^^^^^^^^^^^^^^

antispoof quick for { $ext_if, lo0 }

pass in on $ext_if inet proto tcp from any to $jail_addr_0 port $jail_tcp_0_inports flags S/SA keep state
-------- pf.conf --------


So is excluding the jail's IP address from the <reserved> table the only
option? Couldn't it then happen, under some "strange" circumstances, that such
packets get out onto the network?

I freely admit that I am no expert on firewalls and networking, so I would
gladly take advice. If needed, I can post the complete pf.conf somewhere.

Mirek
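As an added example (not part of the original mail or the poster's own configuration), here is one way to rewrite the relevant part of this pf.conf so that the <reserved> table stays intact: because translation runs before filtering, the inbound packet reaches the filter with destination 10.11.12.13, so a quick pass rule for that traffic has to precede the reserved-range block. It assumes the PF version in use supports the tag keyword on binat rules; the tag name JAIL_BINAT is my own choice.

```pf
ext_if="vr0"
ext_addr_1="192.168.1.165"
jail_addr_0="10.11.12.13"
jail_tcp_0_inports="{ 22, 80, 443 }"

# The jail address is no longer excluded from the table, so a packet that
# arrives on vr0 already carrying 10.11.12.13 as its destination (i.e. not
# produced by the binat translation) is still caught by the block below.
table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }

## TRANSLATION
# Translation is applied before the filter, so the filter sees 10.11.12.13
# as the destination of inbound packets for the jail. Tagging them here lets
# the filter distinguish translated packets from ones that had the private
# address on the wire. (tag on binat: assumed supported by this PF version)
binat on $ext_if from $jail_addr_0 to any tag JAIL_BINAT -> $ext_addr_1

## FILTER
# Order matters: with "quick", the first matching rule wins, so this pass
# must come before the <reserved> block. It only matches packets that went
# through the binat rule above.
pass in quick on $ext_if inet proto tcp from any to $jail_addr_0 port $jail_tcp_0_inports tagged JAIL_BINAT flags S/SA keep state

# Unchanged from the original: any other packet to or from a reserved range
# on the external interface is still dropped, including one sent directly
# to 10.11.12.13 without translation.
block quick on $ext_if inet from <reserved> to any
block quick on $ext_if inet from any to <reserved>
```

If the PF version in use has no tag on translation rules, simply moving the jail's quick pass rule above the <reserved> block still fixes the blocked traffic, but that pass rule then also admits packets that arrived on vr0 already addressed to 10.11.12.13. Check the loaded rule set with pfctl -sr (and the translation rules with pfctl -sn) to confirm the resulting order.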


