problem with PF and binat
Miroslav Lachman
000.fbsd at quip.cz
Sat Apr 28 23:52:53 CEST 2007
On a test machine I have an interface lo1 created and on it an address such as
10.11.12.13, on which a jail runs. So that the jail can also be reached from
outside, there is an IP alias on the real interface (vr0) and the PF rules use
redirection via binat (it is the same when rdr and nat are used instead of
binat).
With that, however, I ran into a problem with how PF handles the filter rules
and address translation. Such a packet then appears to the PF filter with the
private IP address, but on the physical interface, on which I have the private
ranges blocked.
Can anyone think of a way to adjust the filter / translation rules so that such
a packet is not blocked?
So far I have worked around it by excluding the jail's IP address from the table
of private ranges that are supposed to be forbidden on the external interface,
using this construct:
table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8,
169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, ! $jail_addr_0 }
A shortened version of pf.conf looks roughly like this (it is a test machine on
a local network that uses 192.168.1.* addresses; these addresses are not treated
as private in the rules, even though according to the RFC they are):
-------- pf.conf --------
ext_if="vr0"
ext_addr_0="192.168.1.164" # primary IP of ext. interface
ext_tcp_0_inports="{ 21, 25, 80, 110, 143, 443, 465, 587, 993, 995 }"
# ports other than the primary SSHd
ext_ssh_0="22" # port on which sshd listens
# secondary IPs of ext. interface - allowing public services
ext_addr_1="192.168.1.165"
ext_tcp_1_inports="{ 22, 80, 443 }"
jail_addr_0="10.11.12.13"
jail_tcp_0_inports="{ 22, 80, 443 }"
unfiltered="{ lo0, lo1 }"
## TABLES: similar to macros, but more flexible for many addresses.
table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8,
169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, ! $jail_addr_0 }
table <czech_net> persist file "/etc/pf.czech_net.table"
table <goodguys> persist file "/etc/pf.goodguys.table"
table <badguys> persist file "/etc/pf.badguys.table"
table <bruteforce> persist
table <ssh_bruteforce> persist
set skip on $unfiltered
## TRANSLATION
binat on $ext_if from $jail_addr_0 to any -> $ext_addr_1
## FILTER
pass in quick proto tcp from <goodguys> to any port $ext_ssh_0 flags S/SA keep state
# deny bad addresses from tables
block in quick from { <badguys>, <bruteforce>, <ssh_bruteforce> } to any
block quick inet6 all
block
# Deny all non-routable traffic on the external interface
block quick on $ext_if inet from <reserved> to any
block quick on $ext_if inet from any to <reserved>
### ^^^ this rule is where the problem is ^^^^^^^^^^^^^^
antispoof quick for { $ext_if, lo0 }
pass in on $ext_if inet proto tcp from any to $jail_addr_0 port $jail_tcp_0_inports flags S/SA keep state
-------- pf.conf --------
So is excluding the jail's IP address from the <reserved> table the only option?
Couldn't it then happen, under some "odd" circumstances, that such packets get
out onto the network?
I freely admit that I am no expert on firewalls and networking, so I would
gladly take advice. If needed, I can post the complete pf.conf somewhere.
Mirek
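As an added illustration, not part of Mirek's post, the reduced pf.conf below shows one way to keep the <reserved> table intact (no `! $jail_addr_0` exception) and instead rely on PF's first-match behaviour for `quick` rules: a narrow `pass in quick` rule for the jail's published ports is placed before the generic block on reserved space, so only those ports reach the jail and every other packet to or from private ranges on vr0 is still dropped. It assumes the evaluation order documented for PF of that era (translation rules are applied first and the filter rules see the translated packet, i.e. destination $jail_addr_0 on inbound), and reuses the macro values from the post.

```pf
# Added example, not from the original post: reduced pf.conf that keeps the
# <reserved> table unchanged and lets a specific "pass in quick" rule for the
# jail match before the generic block rule. Macro values are those from the post.
ext_if="vr0"
ext_addr_1="192.168.1.165"           # alias on vr0 that fronts the jail
jail_addr_0="10.11.12.13"            # jail address on lo1
jail_tcp_0_inports="{ 22, 80, 443 }" # only these ports are published
unfiltered="{ lo0, lo1 }"

# Private/reserved ranges; the jail address is deliberately NOT excluded here,
# so the table keeps describing exactly what must never appear on vr0.
table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8,
                   169.254.0.0/16, 192.0.2.0/24, 224.0.0.0/3 }

set skip on $unfiltered

## TRANSLATION (assumed to be evaluated before the filter rules; the filter
## then sees the translated packet, i.e. destination $jail_addr_0 inbound and
## source $ext_addr_1 outbound)
binat on $ext_if from $jail_addr_0 to any -> $ext_addr_1

## FILTER
# Default deny for anything no later rule passes.
block

# Jail services first: "quick" stops evaluation on match, so the generic
# <reserved> block below never sees this traffic. Only the listed TCP ports
# pass, and "keep state" lets the replies out without a separate pass rule.
pass in quick on $ext_if inet proto tcp from any to $jail_addr_0 port $jail_tcp_0_inports flags S/SA keep state

# Everything else addressed to, or coming from, reserved space on $ext_if is
# dropped in both directions, which also covers the "could it leak out" worry.
block quick on $ext_if inet from <reserved> to any
block quick on $ext_if inet from any to <reserved>

antispoof quick for { $ext_if, lo0 }
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, and after loading `pfctl -sr` prints the installed filter rules in evaluation order, which is the quickest way to confirm that the jail's `pass in quick` rule really sits above the `<reserved>` block rules.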