PF: NAT definition -> jail
Vladimír Drgoňa
vlado at drgona.eu
Fri Feb 22 08:17:57 CET 2013
I'm trying to get ezjail running. Everything works nicely, the only problems I have are with the
packet filter. I've already tried all sorts of things; all the guides on the web are similar,
but none of them work for me. Most recently I tried this. My /etc/pf.conf:
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp from any to any port ssh \
flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 5/30, \
overload <bruteforce> flush global)
table <mysqlforce> persist
block quick from <mysqlforce>
pass inet proto tcp from any to any port 3306 \
flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 5/30, \
overload <mysqlforce> flush global)
ext_if="em0"
jail_if="lo01"
IP_PUB="192.168.1.100"
IP_JAIL_WWW="10.1.1.1"
NET_JAIL="10.1.1.0/24"
PORT_WWW="{80,443}"
scrub in all
# nat all jail traffic
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB
# WWW
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW
When I run the check pfctl -nf /etc/pf.conf
I get this result:
[root at doma /home/vlado]# pfctl -nf /etc/pf.conf
/etc/pf.conf:28: Rules must be in order: options, normalization,
queueing, translation, filtering
/etc/pf.conf:31: Rules must be in order: options, normalization,
queueing, translation, filtering
/etc/pf.conf:34: Rules must be in order: options, normalization,
queueing, translation, filtering
[root at doma /home/vlado]#
The IP blocking works; I included that listing only so that the line numbers don't shift.
I can't figure it out. Where am I going wrong?
Thanks for any nudge.
Vlado.
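Editorial note, added after the post (not the poster's file and not a reply from the list): pfctl rejects the file because pf.conf sections must appear in a fixed order, options, normalization (scrub), queueing, translation (nat/rdr/binat), filtering (block/pass). In the posted file the block/pass filter rules come first, so the scrub line and the nat and rdr lines that follow them are each reported with "Rules must be in order", one error per line. Macros and tables are not subject to that ordering but have to be defined before they are used, so they simply go at the top. The example below keeps the poster's addresses, interface names and rules and reorders them; the `set skip on lo0` line and the two explicit pass rules for the translated traffic are additions, and `pass` has been dropped from the nat and rdr rules, because with `nat pass`/`rdr pass` the translated packets skip the filter rules entirely.

```pf
# Added example: the posted /etc/pf.conf reordered into the sequence pfctl
# enforces. Not the poster's working file. "set skip on lo0" and the two
# pass rules at the end are additions; "pass" is removed from nat/rdr so
# translated packets are still evaluated by the filter section.

# macros and tables: no ordering constraint, but define before first use
ext_if="em0"
jail_if="lo01"
IP_PUB="192.168.1.100"
IP_JAIL_WWW="10.1.1.1"
NET_JAIL="10.1.1.0/24"
PORT_WWW="{80,443}"

table <bruteforce> persist
table <mysqlforce> persist

# 1. options
set skip on lo0

# 2. normalization
scrub in all

# 3. queueing: none in this setup

# 4. translation (no "pass" keyword here: with "nat pass"/"rdr pass" the
#    translated packets would bypass the filter rules below)
nat on $ext_if from $NET_JAIL to any -> $IP_PUB
rdr on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW

# 5. filtering (the filter sees the translated addresses: 10.1.1.1 as the
#    destination of redirected web traffic, 192.168.1.100 as the source of
#    NATed jail egress)
block quick from <bruteforce>
block quick from <mysqlforce>

pass inet proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/30, overload <bruteforce> flush global)

pass inet proto tcp from any to any port 3306 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/30, overload <mysqlforce> flush global)

# web traffic redirected into the jail, and whatever leaves via the public IP
pass in on $ext_if inet proto tcp from any to $IP_JAIL_WWW port $PORT_WWW \
    flags S/SA keep state
pass out on $ext_if inet from $IP_PUB to any keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the translation rules and `pfctl -t bruteforce -T show` lists the addresses the overload rule has caught. Because the file still has no `block all`, anything not matched by a rule is passed by default, exactly as in the original; the two added pass rules only make the jail's traffic stateful. A default `block in on $ext_if` with explicit pass rules would be the next hardening step, but it changes what reaches the host, so it is left out here.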