Hello,
I am trying to NAT outgoing connections, in a CARP/pfsync configuration.
Outgoing connections from an internal host (10.100.102.67) are to be NATed, translated to the virtual IP (carp1 = 192.168.129.1) of the firewall.
fwbuilder generates the following for me (please, no discussion about why I am doing it with this tool):
Code:
#
# Prolog script
#
set loginterface fxp0
#
# End of prolog script
#
#
# Scrub rules
#
scrub in all fragment reassemble no-df
scrub out all random-id
# Tables: (1)
table <tbl.r9999.d> { 10.100.199.1 , 192.168.129.1 , 10.100.199.2 , 192.168.129.2 , 192.168.127.2 }
#
# Rule 0 (NAT)
#
#
nat on carp1 proto {tcp udp icmp} from 10.100.102.67 to any -> 192.168.129.1
#
# Rule backup ssh access rule
# backup ssh access rule
#
pass in quick inet proto tcp from 10.100.105.1 to <tbl.r9999.d> port 22 keep state label "RULE 9999 -- ACCEPT "
#
# Rule 0 (lo0)
# loopback connects
#
pass in log quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT "
pass out log quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT "
#
# Rule 1 (fxp2)
# for pfsync
#
pass in log quick on fxp2 inet from any to any keep state label "RULE 1 -- ACCEPT "
pass out log quick on fxp2 inet from any to any keep state label "RULE 1 -- ACCEPT "
#
# Rule 2 (fxp0,fxp1)
# allow the CARP protocol
#
pass in log quick on fxp0 inet proto 112 from any to any keep state label "RULE 2 -- ACCEPT "
pass out log quick on fxp0 inet proto 112 from any to any keep state label "RULE 2 -- ACCEPT "
pass in log quick on fxp1 inet proto 112 from any to any keep state label "RULE 2 -- ACCEPT "
pass out log quick on fxp1 inet proto 112 from any to any keep state label "RULE 2 -- ACCEPT "
#
# Rule 3 (global)
# management services
#
pass in log quick inet proto tcp from 10.100.0.0/16 to any port 22 keep state label "RULE 3 -- ACCEPT "
pass out log quick inet proto tcp from 10.100.0.0/16 to any port 22 keep state label "RULE 3 -- ACCEPT "
#
# Rule 4 (global)
# pinging everywhere
#
pass in log quick inet proto icmp from any to any keep state label "RULE 4 -- ACCEPT "
pass out log quick inet proto icmp from any to any keep state label "RULE 4 -- ACCEPT "
#
# Rule 5 (global)
# Quickly reject attempts to connect
# to ident server to avoid SMTP delays
#
block return-rst in log quick inet proto tcp from any to any port 113 label "RULE 5 -- REJECT "
block return-rst out log quick inet proto tcp from any to any port 113 label "RULE 5 -- REJECT "
#
# Rule 6 (global)
#
#
block return-icmp in log quick inet from any to any label "deny_rest"
block return-icmp out log quick inet from any to any label "deny_rest"
#
# Rule fallback rule
# fallback rule
#
block in quick inet from any to any label "RULE 10000 -- DROP "
block out quick inet from any to any label "RULE 10000 -- DROP "
The SSH connection across the firewall works, but it simply is not NATed.
Where is my mistake?
Tom
Addendum:
Roughly, it looks like this:
Code:
External LAN 192.168.129.0/24
             ^
             |
             |         Master Firewall
 ------------------------------------
| Real external fxp1:  192.168.129.2 |
| CARP external carp1: 192.168.129.1 | fxp2 192.169.127.2
|                                    |------------------>
| CARP internal carp0: 10.100.199.1  |
| Real internal fxp0:  10.100.199.2  |
 ------------------------------------
             |
             |
Internal LAN 10.100.0.0/16
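An added example, not from the original post or from fwbuilder: an offline check for the `nat on carp1` pattern in the ruleset above. It assumes that an outgoing packet traverses the physical parent interface (fxp1 in this setup), so a translation rule anchored on carp1 is never evaluated, while the CARP address remains valid as the translation target; the rules it scans are a constructed sample modelled on the post.

```shell
#!/bin/sh
# Added example (not from the post): static lint for pf.conf that flags
# nat/binat/rdr rules anchored "on" a carp interface and rewrites them to
# the physical parent interface, keeping the CARP address as the target.
# Assumption: outgoing packets traverse the parent (fxp1), not carp1.
# Runs without pfctl or a live pf.

# Print "file:line: rule" for every translation rule in $1 whose "on"
# argument is a carpN interface. Exit status 1 if any found, else 0.
find_xlate_on_carp() {
    awk '
        { line = $0; sub(/#.*/, "") }             # ignore comments
        /^[ \t]*(no[ \t]+)?(nat|binat|rdr)[ \t]/ {
            for (i = 2; i < NF; i++)
                if ($i == "on" && $(i+1) ~ /^carp[0-9]+$/) {
                    printf "%s:%d: %s\n", FILENAME, NR, line
                    found = 1
                }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Print $1 with "on carpN" of every translation rule replaced by "on $2".
# Filter rules, options and comments pass through unchanged.
move_xlate_to_parent() {
    awk -v parent="$2" '
        /^[ \t]*(no[ \t]+)?(nat|binat|rdr)[ \t]/ {
            for (i = 2; i < NF; i++)
                if ($i == "on" && $(i+1) ~ /^carp[0-9]+$/) $(i+1) = parent
        }
        { print }
    ' "$1"
}

# Constructed sample ruleset (not the real file from the post).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
scrub in all fragment reassemble no-df
nat on carp1 proto {tcp udp icmp} from 10.100.102.67 to any -> 192.168.129.1
pass in quick on carp1 inet proto tcp from any to 192.168.129.1 port 22 keep state
EOF
find_xlate_on_carp "$SAMPLE" || echo "-> translation rule(s) anchored on a carp interface"
move_xlate_to_parent "$SAMPLE" fxp1
rm -f "$SAMPLE"
```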