am285
Discouraged One
hi!
nach langer rumbastelei an meiner pf.conf hab' ich jetzt folgendes problem: nat funktioniert nicht richtig. d.h.: alles, was nicht über den transparenten squid oder den ftp-proxy rausgeht, geht nicht.
hier mal meine pf.conf:
wie gesagt: traffic, der über die beiden proxies rausgeht kommt durch; alles andere bleibt hängen.
gruß,
am285
[EDIT]
net.inet.ip.forwarding=1 ist natürlich gesetzt.
[/EDIT]
nach langer rumbastelei an meiner pf.conf hab' ich jetzt folgendes problem: nat funktioniert nicht richtig. d.h.: alles, was nicht über den transparenten squid oder den ftp-proxy rausgeht, geht nicht.
hier mal meine pf.conf:
Code:
# $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
###############################################################################
### VARIABLES ###
###############################################################################
# interfaces
local_if="lo0"
ext_if="vr1"
int_if="vr0"
all_private_networks = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
my_networks = "{ 10.0.1.0/24 }"
# hosts
localhost=127.0.0.1
centipede=10.0.1.1 # localhost
fujin=10.0.1.2 # fserv
# services
centipede_tcp_services = "{ 22, 25, 113 }"
fujin_tcp_services = "{ 80, 443, 993, 60020, 60021, 60022, 60023 }"
fujin_udp_services = "{ 60021, 60025 }"
# tables
table <RFC1918> const { !10.0.1.0/24,!10.0.2.0/24,0.0.0.0/8,1.0.0.0/8,2.0.0.0/8, \
5.0.0.0/8,7.0.0.0/8,10.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/8, \
37.0.0.0/8,39.0.0.0/8, 41.0.0.0/8,42.0.0.0/8,49.0.0.0/8,50.0.0.0/8, \
58.0.0.0/8,59.0.0.0/8,70.0.0.0/8,71.0.0.0/8,72.0.0.0/8,73.0.0.0/8,74.0.0.0/8, \
75.0.0.0/8,76.0.0.0/8,77.0.0.0/8,78.0.0.0/8, 79.0.0.0/8,83.0.0.0/8, \
84.0.0.0/8,85.0.0.0/8,86.0.0.0/8,87.0.0.0/8,88.0.0.0/8,89.0.0.0/8,90.0.0.0/8, \
91.0.0.0/8,92.0.0.0/8,93.0.0.0/8,94.0.0.0/8,95.0.0.0/8,96.0.0.0/8,97.0.0.0/8, \
98.0.0.0/8,99.0.0.0/8,100.0.0.0/8,101.0.0.0/8,102.0.0.0/8,103.0.0.0/8, \
104.0.0.0/8,105.0.0.0/8,106.0.0.0/8,107.0.0.0/8,108.0.0.0/8,109.0.0.0/8, \
110.0.0.0/8,111.0.0.0/8,112.0.0.0/8,113.0.0.0/8,114.0.0.0/8,115.0.0.0/8, \
116.0.0.0/8,117.0.0.0/8,118.0.0.0/8,119.0.0.0/8,120.0.0.0/8,121.0.0.0/8, \
122.0.0.0/8,123.0.0.0/8,124.0.0.0/8,125.0.0.0/8,126.0.0.0/8,127.0.0.0/8, \
169.254.0.0/16,172.16.0.0/12,173.0.0.0/8,174.0.0.0/8,175.0.0.0/8,176.0.0.0/8, \
177.0.0.0/8,178.0.0.0/8,179.0.0.0/8,180.0.0.0/8,181.0.0.0/8,182.0.0.0/8, \
183.0.0.0/8,184.0.0.0/8,185.0.0.0/8,186.0.0.0/8,187.0.0.0/8,189.0.0.0/8, \
190.0.0.0/8,192.0.2.0/24,192.168.0.0/16,197.0.0.0/8,198.18.0.0/15, \
223.0.0.0/8,224.0.0.0/3 }
table <spamd> persist
###############################################################################
### OPTIONS ###
###############################################################################
# be nice to others
set block-policy return
# statistics for extern interface
set loginterface $ext_if
# some timeouts
set timeout { tcp.first 120, tcp.opening 30, tcp.established 3600 }
set timeout { tcp.closing 120, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# optimization
set optimization normal
# scrub all incoming packets and do some masquerading
scrub on $ext_if all random-id min-ttl 255 max-mss 1492 fragment reassemble
###############################################################################
### QUEUES ###
###############################################################################
# enable altq for traffic shaping
altq on $ext_if priq bandwidth 100Kb queue { q_prior, q_default }
queue q_prior priority 7
queue q_default priority 1 priq(default)
###############################################################################
### NAT & REDIRECT ###
###############################################################################
# standard nat for internal (and therefor secure) networks
nat on $ext_if from $int_if:network to any -> ($ext_if)
# enable ftp-proxy @ centipede
rdr on $int_if proto tcp from any to any port 21 -> \
$localhost port 8021
# enable spamd
rdr pass inet proto tcp from <spamd> to any \
port smtp -> $localhost port 8025
# transparent squid-proxy @ centipede
rdr on $int_if inet proto tcp from any to any port 80 -> \
$localhost port 3128
# transparent web-server @ fujin
rdr on $ext_if proto tcp from any to any port 80 -> \
$fujin port 80
# transparent secure-web-server @fujin
rdr on $ext_if proto tcp from any to any port 443 -> \
$fujin port 443
# transparent imaps-server @ fujin
rdr on $ext_if proto tcp from any to any port 993 -> \
$fujin port 993
###############################################################################
### BLOCKING & FILTERING ###
###############################################################################
# loopback traffic
antispoof log quick for lo0 inet
pass quick on $local_if
# modem traffic
pass in quick on $ext_if from 10.0.0.138 to any
pass out quick on $ext_if from any to 10.0.0.138
# block bad tcp-flags and prevent nmap scanning
block in log quick on $ext_if proto tcp from any to any flags /S
block in log quick on $ext_if proto tcp from any to any flags /SFRA
block in log quick on $ext_if proto tcp from any to any flags /SFRAU
block in log quick on $ext_if proto tcp from any to any flags A/A
block in log quick on $ext_if proto tcp from any to any flags F/SFRA
block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SF/SF
block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if proto tcp from any to any flags SR/SR
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP
# block illegal address-ranges on external interface
# needs some testing before going into serious action ;)
# block in log quick on $ext_if from { <RFC1918> } to any
# block out log quick on $ext_if from any to { <RFC1918> }
# block private networks from outside
block drop in quick on $ext_if from $all_private_networks to any
block drop out quick on $ext_if from any to $all_private_networks
# block and log everything by default
block return log on $ext_if all
# block everything that wants out, but doesn't seem to come from us
block out log quick on $ext_if from ! $ext_if to any
# open ports for permitted TCP services @ centipede
pass in on $ext_if inet proto tcp from any to \
($ext_if) port $centipede_tcp_services flags S/SA keep state
# also permit the redirects for TCP to fujin
pass in on $ext_if proto tcp from any to \
$fujin port $fujin_tcp_services flags S/SA synproxy state
# also permit the redirects for UDP
pass in on $ext_if proto udp from any to \
$fujin port $fujin_udp_services keep state
# allow all granted icmp requests
pass in inet proto icmp all icmp-type echoreq keep state
# allow traffic from inside the firewall
pass in on $int_if from $my_networks to any keep state
# engage the queues and pass traffic out
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
keep state queue (q_default, q_prior)
# engage the queues and pass traffic in
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
keep state queue (q_default, q_prior)
# engage squid as transparent proxy
pass in on $int_if inet proto tcp from any to $localhost \
port 3128 keep state
pass out on $ext_if inet proto tcp from any to any \
port www keep statewie gesagt: traffic, der über die beiden proxies rausgeht kommt durch; alles andere bleibt hängen.
gruß,
am285
[EDIT]
net.inet.ip.forwarding=1 ist natürlich gesetzt.
[/EDIT]
Zuletzt bearbeitet: