problem with PF and binat

Michal Buchtik buchtajz at borsice.net
Fri May 18 21:31:16 CEST 2007


I would try using "tag" on the binat rule
and adding a "tagged" check on the "block" rule
(for details see man pf.conf)

Alternatively, quick can be used on the binat rule, but then you would
probably need to specify ports on the binat.

PS. Hopefully this question is still relevant :)

Michal

Miroslav Lachman writes on Sat 28. 04. 2007 at 23:52 +0200:
> On a test machine I have created the interface lo1 and on it an address
> such as 10.11.12.13, on which a jail runs. So that the jail can also be
> reached from outside, there is an IP alias on the real interface (vr0) and
> the PF rules use redirection with binat (it is the same when using rdr
> and nat instead of binat).
> With that, however, I ran into a problem with how PF handles filter rules
> and address translation. Such a packet then appears to the PF filter with
> the private IP address, but on the physical interface, on which I have
> the private ranges blocked.
> 
> Does anyone have an idea how to adjust the filter / translation rules so
> that such a packet is not blocked?
> 
> So far I have worked around it by excluding the jail's IP address from
> the table of private ranges that are supposed to be forbidden on the
> external interface, using this construction:
> 
> table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, ! $jail_addr_0 }
> 
> A shortened version of pf.conf looks something like this (it is a test
> machine on a local network that uses the addresses 192.168.1.* - these
> addresses are not treated as private in the rules, even though they are
> according to the RFC):
> 
> -------- pf.conf --------
> ext_if="vr0"
> 
> ext_addr_0="192.168.1.164"      # primary IP of ext. interface
> ext_tcp_0_inports="{ 21, 25, 80, 110, 143, 443, 465, 587, 993, 995 }"
> # ports other than primary SSHd
> ext_ssh_0="22"  # port on which sshd listens
> # secondary IPs of ext. interface - allowing public services
> ext_addr_1="192.168.1.165"
> ext_tcp_1_inports="{ 22, 80, 443 }"
> jail_addr_0="10.11.12.13"
> jail_tcp_0_inports="{ 22, 80, 443 }"
> 
> unfiltered="{ lo0, lo1 }"
> 
> ## TABLES: similar to macros, but more flexible for many addresses.
> table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, ! $jail_addr_0 }
> table <czech_net> persist file "/etc/pf.czech_net.table"
> table <goodguys> persist file "/etc/pf.goodguys.table"
> table <badguys> persist file "/etc/pf.badguys.table"
> table <bruteforce> persist
> table <ssh_bruteforce> persist
> 
> set skip on $unfiltered
> 
> ## TRANSLATION
> binat on $ext_if from $jail_addr_0 to any -> $ext_addr_1
> 
> ## FILTER
> pass in quick proto tcp from <goodguys> to any port $ext_ssh_0 flags S/SA keep state
> 
> # deny bad addresses from tables
> block in quick from { <badguys>, <bruteforce>, <ssh_bruteforce> } to any
> 
> block quick inet6 all
> block
> 
> # Deny all non-routable traffic on external interface
> block quick on $ext_if inet from <reserved> to any
> block quick on $ext_if inet from any to <reserved>
> ### ^^^ this rule is where the problem is ^^^^^^^^^^^^^^
> 
> antispoof quick for { $ext_if, lo0 }
> 
> pass in on $ext_if inet proto tcp from any to $jail_addr_0 port $jail_tcp_0_inports flags S/SA keep state
> -------- pf.conf --------
> 
> 
> So is excluding the jail's IP address from the <reserved> table the only
> option? Could it then happen, under some "odd" circumstances, that such
> packets get out to the network?
> 
> I freely admit that I am no expert on firewalls and networks, so I will
> gladly take advice. If needed, I can post the complete pf.conf somewhere.
> 
> Mirek
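The tag / tagged approach suggested in the reply, written out as an added pf.conf fragment (not from either poster). It reuses the macro and table names from the quoted config; the tag name JAIL_NAT is an arbitrary choice for this example, and the <reserved> table is left complete, so 10.0.0.0/8 stays blocked for everything that did not pass through the jail's binat rule:

```pf
ext_if="vr0"
ext_addr_1="192.168.1.165"      # alias on vr0 that fronts the jail
jail_addr_0="10.11.12.13"       # jail address on lo1
jail_tcp_0_inports="{ 22, 80, 443 }"
unfiltered="{ lo0, lo1 }"

# Private ranges stay blocked in full; the jail address is no longer
# excluded from the table.
table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }

set skip on $unfiltered

## TRANSLATION
# Every packet matched by the binat rule, in either direction, carries the
# JAIL_NAT tag (name chosen for this example) by the time the filter sees it.
binat on $ext_if from $jail_addr_0 to any -> $ext_addr_1 tag JAIL_NAT

## FILTER
block

# Deny non-routable traffic on the external interface, except packets that
# carry the translation tag: only traffic that really went through the
# jail's binat rule may show up here with the 10.11.12.13 address.
block quick on $ext_if inet from <reserved> to any ! tagged JAIL_NAT
block quick on $ext_if inet from any to <reserved> ! tagged JAIL_NAT

antispoof quick for { $ext_if, lo0 }

# Inbound to the jail: after binat the destination is already the jail
# address, so match on it and additionally require the tag.
pass in on $ext_if inet proto tcp from any to $jail_addr_0 port $jail_tcp_0_inports tagged JAIL_NAT flags S/SA keep state

# Outbound from the jail: at filter time the source is already $ext_addr_1;
# the tag still ties the rule to the binat translation.
pass out on $ext_if inet from $ext_addr_1 to any tagged JAIL_NAT keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -v -s nat` shows whether the binat rule carries the tag.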




More information about the Users-l mailing list