
Archive: openbsd@sikurezza.org
Subject: Re: PF Help!
From: dario billo
Date: 12 Apr 2003 19:12:35 -0000
It doesn't work because the connection would have to "go out and come back in" :-) Put the address and the corresponding name of every server in the hosts file of the internal clients. The problem is that the connection procedure doesn't work out for it. Usually it goes like this:
- the client asks the DNS for the IP of the HTTP server it has to connect to
- the DNS returns the IP to the client
- the client connects

In your case, instead, this happens:
- the client asks the DNS for the IP of the HTTP server it has to connect to
- the DNS returns the IP to the client (e.g. 1.2.3.4)
- the client tries to connect to that IP, which is nothing other than the external interface of your gateway, and sends the connection out through the gateway.

Basically, there are 2 possibilities:
1 - either the DNS returns you the IP that is internal to the network (impossible)
2 - or you put the server's IP in the hosts file. That file is (usually) read before a DNS query, so your system knows where to go and find the server on the LAN.

I know I explained it terribly, but if you do that you'll solve the problem.

Bye

agorin@tin.it wrote:
> I'm asking goony, or anyone who can help me, for enlightenment about a problem I can't manage to solve...
>
> In other words, I can't get out of it.
>
> I installed a PF firewall - OPENBSD 3.2 for a friend who has some websites "at home". I gathered a few examples and commands here and there and the thing seemed to work (I'm no expert on PF or networking)... There is one single big problem: he can't see his "own" sites! He can browse (NAT works), the internal sites are visible from outside, but he has no visibility of the internal sites!
>
> I don't understand why... I'm attaching the script... Please, give me a hand...
>
> Thank you in advance!
>
> P.S.: I'll definitely be at Webbit and I'll follow the talks on OPENBSD (I bought my first copy last year during the event!).
>
> Here is the PF.CONF (the addresses are fictitious):
>
> #
> # Interface:
> #     lo0 - loopback
> #     rl0 - external to router (INTERNET)
> #     rl1 - internal to private network
> #
> # Filtering policy ordering:
> # + Block everything unless there are permit (pass) rules
> # - Permit all loopback packets to flow freely
> # - Permit all internal network packets to flow freely
> # - Permit individual type of service to flow freely to outside world:
> #       ftp
> #       smtp
> #       whois
> #       dns
> #       http/https
> #       pop3
> #       traceroute
> #       ping
> #       dhclient
> # + Since there are no permit(pass) rules at this stage, everything
> #   else is blocked!
> #
> # share and enjoy,
> #
> # hoang@muine.org
> # July 9, 2002
> #
>
> # ---------------------------------------------------------------------------
> # Declare interfaces
> # ---------------------------------------------------------------------------
> LoIf="lo0"
> ExtIf="rl0"
> IntIf="rl1"
>
> # ---------------------------------------------------------------------------
> # Web server IP address (internal)
> # ---------------------------------------------------------------------------
> WWWIP="10.x.x.20/32"
>
> # ---------------------------------------------------------------------------
> # Firewall IP address (external)
> # ---------------------------------------------------------------------------
> FRWL="80.x.x.1/32"
>
> # ---------------------------------------------------------------------------
> # Clients (internal)
> # ---------------------------------------------------------------------------
> PC1="10.x.x.10/32"
>
> # ---------------------------------------------------------------------------
> # Interface: all
> # Resolve overlapping IP fragments. Fragments are cached and reassembled by
> # pf before a packet is received by its destinations. This will protect
> # machines with less secure stacks behind it from fragmentation attacks.
> # ---------------------------------------------------------------------------
> scrub in all
>
> # ---------------------------------------------------------------------------
> # Natting and redirection rules.
> # ---------------------------------------------------------------------------
> nat on rl0 from 10.x.x.20/32 to any -> 80.x.x.2
> nat on rl0 from 10.x.x.0/8 to any -> 80.x.x.1
>
> rdr on rl0 proto tcp from any to 80.x.x.2/32 port 80 -> 10.x.x.20 port 80
> rdr on rl0 proto tcp from any to 80.x.x.2/32 port 21 -> 10.x.x.20 port 21
>
> # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> # Interface: all
> # Block all incoming and outgoing packets unless they're allowed later.
> # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> block in log all
> block out log all
>
> # ---------------------------------------------------------------------------
> # Interface: $LoIf
> # Allow loopback to flow freely.
> # ---------------------------------------------------------------------------
> pass in quick on $LoIf all
> pass out quick on $LoIf all
> # ---------------------------------------------------------------------------
>
> # ---------------------------------------------------------------------------
> # Interface: $IntIf
> # Allow internal traffic to flow freely.
> # ---------------------------------------------------------------------------
> pass in quick on $IntIf all
> pass out quick on $IntIf all
> # ---------------------------------------------------------------------------
>
> # ---------------------------------------------------------------------------
> # Interface: $ExtIf
> # Allow _internal_ and fw initiated connections from hosts behind NAT to
> # outside world.
> # ---------------------------------------------------------------------------
> # [passive ftp client to outside world step 1]
> pass out quick on $ExtIf proto tcp from any to any port = 21 flags S keep state
> # [telnet to outside world]
> pass out quick on $ExtIf proto tcp from any to any port = 23 flags S keep state
> # [smtp to outside world]
> pass out quick on $ExtIf proto tcp from any to any port = 25 flags S keep state
> # [whois to outside world]
> pass out quick on $ExtIf proto tcp from any to any port = 43 flags S keep state
> # [domain to outside world]
> pass out quick on $ExtIf proto tcp from any to any port = 53 flags S keep state
> pass out quick on $ExtIf proto udp from any to any port = 53 keep state
>
> # [http to outside world]
> pass out quick on $ExtIf proto tcp from any to any port = 80 flags S keep state
> # [pop3 to outside world]
> pass out quick on $ExtIf proto tcp from any to any port = 110 flags S keep state
> # [https to outside world]
> pass out quick on $ExtIf proto tcp from any to any port = 443 flags S keep state
> # [passive ftp to outside world step 2 where the FTP server decides which port
> #  for ftp data back]
> pass out quick on $ExtIf proto tcp from any to any port > 1023 flags S keep state
> # [traceroute to outside world 1st stage: probing...man traceroute(8)]
> pass out quick on $ExtIf proto udp from any to any port 33434 >< 33525 keep state
> # [ping to outside world]
> pass out quick on $ExtIf proto icmp from any to any keep state
> # [dialpad and probably others require opening high udp ports]
> pass out quick on $ExtIf proto udp from any to any keep state
> # ---------------------------------------------------------------------------
> # Allow _external_ initiated connections from outside world to hosts behind
> # NAT and fw.
> # ---------------------------------------------------------------------------
> # [bootpc to fw]
> pass in quick on $ExtIf proto udp from any to any port = 68 keep state
> # [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
> #  (destination unreachable) and icmp-type 11 (time exceeded)]
> pass in quick on $ExtIf inet proto icmp from any to any icmp-type 3 keep state
> pass in quick on $ExtIf inet proto icmp from any to any icmp-type 11 keep state
> # [active ftp]
> pass in quick on $ExtIf proto tcp from any to $ExtIf port > 49151 flags S keep state
>
> # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> # Interface: $ExtIf
> # Since there are no permit(pass) rules at this stage, everything else is
> # blocked as last matching rules apply.
> # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> # Andrea:
> # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> #
> # WWW settings:
> #
> pass in quick on $ExtIf inet proto tcp from any to $WWWIP port=80 keep state
> pass out quick on $ExtIf inet proto tcp from $WWWIP port=80 to any keep state
> #
> # FTP settings:
> #
> pass in quick on $ExtIf inet proto tcp from any to $WWWIP port=21 keep state
> pass out quick on $ExtIf inet proto tcp from $WWWIP port=21 to any keep state
> #
> # SSH settings, Internet side:
> #
> pass in quick on $ExtIf inet proto tcp from any to $FRWL port=22 keep state
> pass out quick on $ExtIf inet proto tcp from $FRWL port=22 to any keep state
> #
> # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> ________________________________________________________
> http://www.sikurezza.org - Italian Security Mailing List

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
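Besides the hosts-file workaround the reply recommends, the same problem (an internal client resolves the published address 80.x.x.2, the packet leaves through the gateway's external side and the rdr on rl0 never matches) can be handled on the firewall itself with a second rdr on the internal interface plus a nat rule so that the server's replies travel back through the firewall. The fragment below is an added example for this thread, not part of either poster's configuration; it reuses the macro names from the quoted pf.conf and assumes two extra macros, PubWWW for the published address and IntNet for the internal network (the same placeholder values the quoted nat rule uses). Only the nat/rdr section is shown; it goes before the filter rules, as in the quoted file.

```pf
# Added example: NAT reflection for internal clients that connect to the
# published web address. Addresses are placeholders, as in the thread.
ExtIf="rl0"
IntIf="rl1"
WWWIP="10.x.x.20/32"
PubWWW="80.x.x.2/32"      # assumed macro: published address of the web server
IntNet="10.x.x.0/8"       # assumed macro: internal network behind $IntIf

# Redirection for clients arriving from the Internet (as in the quoted file).
rdr on $ExtIf proto tcp from any to $PubWWW port 80 -> $WWWIP port 80

# 1) Internal clients that connect to the public address are redirected to
#    the internal server too, but on the interface where they actually arrive.
rdr on $IntIf proto tcp from $IntNet to $PubWWW port 80 -> $WWWIP port 80

# 2) Rewrite the source of those redirected connections to the firewall's
#    own internal address. Without this the server, seeing a client on its
#    own subnet, answers the client directly; the client expected a reply
#    from 80.x.x.2, not 10.x.x.20, and discards it.
#    The "no nat" line keeps the firewall's own connections to the LAN
#    untouched; nat/rdr rules are first-match, so it must come first.
no nat on $IntIf proto tcp from $IntIf to $IntNet
nat on $IntIf proto tcp from $IntNet to $WWWIP port 80 -> $IntIf
```

No filter change is needed with the quoted rule set, because the $IntIf pass rules already allow everything in both directions on the internal interface. The trade-off against the hosts-file approach is that every internal request to the web server is now translated twice and is logged by the server with the firewall's internal address as its source, so access logs lose the real client IP.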
www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005