Archive: openbsd@sikurezza.org
Subject: PF Help!
From: agorin
Date: 10 Apr 2003 22:46:43 -0000
I am asking goony, or anyone who can help me, to shed some light on a problem
that I cannot solve...

In other words, I can't get out of it.

I installed a PF firewall (OpenBSD 3.2) for a friend who hosts some websites
"at home". I collected a few examples and commands here and there and the
whole thing seemed to work (I am not an expert in PF nor in networking)...
There is one big problem: he can't see "his own" sites! He can browse (NAT
works), the internal sites are visible from the outside, but he has no
visibility of the internal sites!

I don't understand why... I am attaching the script... Please, give me a hand...

Thank you all in advance!

P.S.: I will certainly be at Webbit and will follow the talks on OpenBSD (I
bought my first copy last year during the event!).

Here is the PF.CONF (the addresses are fictitious):

#
# Interface:
# lo0 - loopback
# rl0 - external to router (INTERNET)
# rl1 - internal to private network
#
# Filtering policy ordering:
# + Block everything unless there are permit (pass) rules
# - Permit all loopback packets to flow freely
# - Permit all internal network packets to flow freely
# - Permit individual type of service to flow freely to outside world:
#     ftp
#     smtp
#     whois
#     dns
#     http/https
#     pop3
#     traceroute
#     ping
#     dhclient
# + Since there are no permit (pass) rules at this stage, everything
#   else is blocked!
#
# share and enjoy,
#
# hoang@muine.org
# July 9, 2002
#

# ---------------------------------------------------------------------------
# Declare interfaces
# ---------------------------------------------------------------------------
LoIf="lo0"
ExtIf="rl0"
IntIf="rl1"

# ---------------------------------------------------------------------------
# Web server IP address (internal)
# ---------------------------------------------------------------------------
WWWIP="10.x.x.20/32"

# ---------------------------------------------------------------------------
# Firewall IP address (external)
# ---------------------------------------------------------------------------
FRWL="80.x.x.1/32"

# ---------------------------------------------------------------------------
# Clients (internal)
# ---------------------------------------------------------------------------
PC1="10.x.x.10/32"

# ---------------------------------------------------------------------------
# Interface: all
# Resolve overlapping IP fragments. Fragments are cached and reassembled by
# pf before a packet is received by its destinations. This will protect
# machines with less secure stacks behind it from fragmentation attacks.
# ---------------------------------------------------------------------------
scrub in all

# ---------------------------------------------------------------------------
# Natting and redirection rules.
# The web server is mapped to its own public address (80.x.x.2); every other
# internal host shares the firewall's external address (80.x.x.1). The more
# specific nat rule must come first, since the first matching nat rule wins.
# ---------------------------------------------------------------------------
nat on rl0 from 10.x.x.20/32 to any -> 80.x.x.2
nat on rl0 from 10.x.x.0/8 to any -> 80.x.x.1

# Inbound HTTP and FTP to the public address are redirected to the web server.
rdr on rl0 proto tcp from any to 80.x.x.2/32 port 80 -> 10.x.x.20 port 80
rdr on rl0 proto tcp from any to 80.x.x.2/32 port 21 -> 10.x.x.20 port 21

# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Interface: all
# Block all incoming and outgoing packets unless they're allowed later.
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
block in log all
block out log all

# ---------------------------------------------------------------------------
# Interface: $LoIf
# Allow loopback to flow freely.
# ---------------------------------------------------------------------------
pass in quick on $LoIf all
pass out quick on $LoIf all
# ---------------------------------------------------------------------------

# ---------------------------------------------------------------------------
# Interface: $IntIf
# Allow internal traffic to flow freely.
# ---------------------------------------------------------------------------
pass in quick on $IntIf all
pass out quick on $IntIf all
# ---------------------------------------------------------------------------

# ---------------------------------------------------------------------------
# Interface: $ExtIf
# Allow _internal_ and fw initiated connections from hosts behind NAT to
# outside world.
# ---------------------------------------------------------------------------
# [passive ftp client to outside world step 1]
pass out quick on $ExtIf proto tcp from any to any port = 21 flags S keep state
# [telnet to outside world]
pass out quick on $ExtIf proto tcp from any to any port = 23 flags S keep state
# [smtp to outside world]
pass out quick on $ExtIf proto tcp from any to any port = 25 flags S keep state
# [whois to outside world]
pass out quick on $ExtIf proto tcp from any to any port = 43 flags S keep state
# [domain to outside world]
pass out quick on $ExtIf proto tcp from any to any port = 53 flags S keep state
pass out quick on $ExtIf proto udp from any to any port = 53 keep state
# [http to outside world]
pass out quick on $ExtIf proto tcp from any to any port = 80 flags S keep state
# [pop3 to outside world]
pass out quick on $ExtIf proto tcp from any to any port = 110 flags S keep state
# [https to outside world]
pass out quick on $ExtIf proto tcp from any to any port = 443 flags S keep state
# [passive ftp to outside world step 2 where the FTP server decides which port
# for ftp data back]
pass out quick on $ExtIf proto tcp from any to any port > 1023 flags S keep state
# [traceroute to outside world 1st stage: probing...man traceroute(8)]
pass out quick on $ExtIf proto udp from any to any port 33434 >< 33525 keep state
# [ping to outside world]
pass out quick on $ExtIf proto icmp from any to any keep state
# [dialpad and probably others require opening high udp ports]
pass out quick on $ExtIf proto udp from any to any keep state
# ---------------------------------------------------------------------------
# Allow _external_ initiated connections from outside world to hosts behind
# NAT and fw.
# ---------------------------------------------------------------------------
# [bootpc to fw]
pass in quick on $ExtIf proto udp from any to any port = 68 keep state
# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]
pass in quick on $ExtIf inet proto icmp from any to any icmp-type 3 keep state
pass in quick on $ExtIf inet proto icmp from any to any icmp-type 11 keep state
# [active ftp]
pass in quick on $ExtIf proto tcp from any to $ExtIf port > 49151 flags S keep state

# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Interface: $ExtIf
# Since there are no permit (pass) rules at this stage, everything else is
# blocked as last matching rules apply.
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Andrea:
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# WWW settings (the rdr above has already rewritten the destination to $WWWIP
# by the time this filter rule is evaluated):
#
pass in quick on $ExtIf inet proto tcp from any to $WWWIP port = 80 keep state
pass out quick on $ExtIf inet proto tcp from $WWWIP port = 80 to any keep state
#
# FTP settings:
#
pass in quick on $ExtIf inet proto tcp from any to $WWWIP port = 21 keep state
pass out quick on $ExtIf inet proto tcp from $WWWIP port = 21 to any keep state
#
# SSH settings, Internet side:
#
pass in quick on $ExtIf inet proto tcp from any to $FRWL port = 22 keep state
pass out quick on $ExtIf inet proto tcp from $FRWL port = 22 to any keep state
#
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
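
The symptom described in the post (browsing and inbound access work, but clients on rl1 cannot reach the sites by their public address) is the usual PF "reflection" case: the rdr rules are bound to rl0, so a request from 10.x.x.10 to 80.x.x.2 that arrives on rl1 is never translated and simply leaves towards the Internet with the server's own public address as destination. The fragment below is an added example for this thread, not part of the original post; it reuses the post's interface names and placeholder addresses and assumes the internal subnet is the 10.x.x.0/8 of the nat rule and that the rules are placed in the translation section of pf.conf, before the filter rules, as OpenBSD 3.2 pfctl requires.

```pf
# Added example: NAT reflection for clients behind rl1 (constructed, not from
# the post; addresses are the post's placeholders).
IntIf="rl1"
WWWIP="10.x.x.20"
WWWPUB="80.x.x.2"
IntNet="10.x.x.0/8"

# The post's rdr rules fire only on rl0. Redirect the same public-address
# traffic when it enters on the internal interface as well.
rdr on $IntIf proto tcp from $IntNet to $WWWPUB port 80 -> $WWWIP port 80
rdr on $IntIf proto tcp from $IntNet to $WWWPUB port 21 -> $WWWIP port 21

# Client and server sit on the same subnet, so after the redirect the
# server would answer the client directly, bypassing pf; the client expects
# the reply from 80.x.x.2 and drops it. Rewrite the source of the redirected
# connection to the firewall's rl1 address so the reply path goes back
# through pf and the state entry completes. The firewall's own traffic to
# the internal network is excluded from this translation.
no nat on $IntIf proto tcp from $IntIf to $IntNet
nat on $IntIf proto tcp from $IntNet to $WWWIP port 80 -> $IntIf
nat on $IntIf proto tcp from $IntNet to $WWWIP port 21 -> $IntIf

# No extra filter rules are needed: the post's
#   pass in quick on $IntIf all
#   pass out quick on $IntIf all
# already pass the redirected connection on rl1.
```

After loading, `pfctl -s nat` should list both rdr and nat rules on rl1, and `pfctl -s state` should show a state for 10.x.x.10 to 10.x.x.20:80 while a client is connected. An alternative that avoids translation entirely is to have the internal DNS resolve the site names to 10.x.x.20 for internal clients.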