URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID10
Нить номер: 2314
[ Назад ]

Исходное сообщение
"PF in FreeBSD"
Отправлено WinniePooh , 22-Сен-05 12:46

При таком конфиге WWW через НАТ не работает
В чем может быть проблема.
Спасибо.
#########################
# Interfaces & Networks #
#########################
ext_if="vr0"
int_if="fxp0"
internal_net="10.10.1.0/24"
external_addr="195.x.x.y"
#############
# NAT Rules #
#############
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass from {lo, $int_if:network} to any keep state
block in on $ext_if from any to any
####################################
# Allow SSH & ping #
####################################
pass in on $ext_if inet proto icmp from 195.x.x.x to $ext_if icmp-type 8 keep state
pass in on $ext_if inet proto tcp from 195.x.x.x to $ext_if port 22 keep state

##############
# Allow Mail #
##############
pass in on $ext_if inet proto tcp from any to $ext_if port 25 keep state

Содержание

PF in FreeBSD,Brainbug, 14:20 , 22-Сен-05
- PF in FreeBSD,WinniePooh, 15:46 , 22-Сен-05
  - PF in FreeBSD,Brainbug, 17:10 , 22-Сен-05

Сообщения в этом обсуждении

"PF in FreeBSD"
Отправлено Brainbug , 22-Сен-05 14:20

>При таком конфиге WWW через НАТ не работает
>В чем может быть проблема.
>Спасибо.
>
>#########################
># Interfaces & Networks #
>#########################
>
>ext_if="vr0"
>int_if="fxp0"
>internal_net="10.10.1.0/24"
>external_addr="195.x.x.y"
>
>#############
># NAT Rules #
>#############
>
>nat on $ext_if from $int_if:network to any -> ($ext_if)
>pass from {lo, $int_if:network} to any keep state
>
>block in on $ext_if from any to any
>
>####################################
># Allow SSH & ping
>         #
>####################################
>
>pass in on $ext_if inet proto icmp from 195.x.x.x to $ext_if icmp-type
>8 keep state
>pass in on $ext_if inet proto tcp from 195.x.x.x to $ext_if port
>22 keep state
>
>
>##############
># Allow Mail #
>##############
>
>pass in on $ext_if inet proto tcp from any to $ext_if port
>25 keep state
#########################
# Interfaces & Networks #
#########################
ext_if="vr0"
int_if="fxp0"
internal_net="10.10.1.0/24"
external_addr="195.x.x.y"

scrub in all
#############
# NAT Rules #
#############
nat on $ext_if from $internal_net to any -> ($ext_if)
####################################
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $int_if proto { tcp } from $internal_net to any port { 80, 443 } keep state
pass out quick on $ext_if proto { tcp } from $external_addr to any port { 80,443 } keep state
####################################
# Allow SSH & ping                 #
####################################
pass in quick on $ext_if inet proto icmp from 195.x.x.x to $ext_if icmp-type 8 keep state
pass in quick on $ext_if inet proto tcp from 195.x.x.x to $ext_if port 22 keep state

##############
# Allow Mail #
##############
pass in quick on $ext_if inet proto tcp from any to $ext_if port 25 keep state
####################################
block in on $ext_if from any to any

"PF in FreeBSD"
Отправлено WinniePooh , 22-Сен-05 15:46

>
>pass in quick on lo0 all
>pass out quick on lo0 all
>pass in quick on $int_if proto { tcp } from $internal_net to
>any port { 80, 443 } keep state
>pass out quick on $ext_if proto { tcp } from $external_addr to
>any port { 80,443 } keep state
>
А эти правила разрешат входящий и исходящий трафик для броузания или они и апач если он у меня запущен откроют наружу???

"PF in FreeBSD"
Отправлено Brainbug , 22-Сен-05 17:10

>
>>
>>pass in quick on lo0 all
>>pass out quick on lo0 all
>>pass in quick on $int_if proto { tcp } from $internal_net to
>>any port { 80, 443 } keep state
>>pass out quick on $ext_if proto { tcp } from $external_addr to
>>any port { 80,443 } keep state
>>
>А эти правила разрешат входящий и исходящий трафик для броузания или они
>и апач если он у меня запущен откроют наружу???
#########################
# Interfaces & Networks #
#########################
ext_if="vr0"
int_if="fxp0"
internal_net="10.10.1.0/24"
external_addr="195.x.x.y"

1:scrub in all
#############
# NAT Rules #
#############
2:nat on $ext_if from $internal_net to any -> ($ext_if)
####################################
3:pass in quick on lo0 all
4:pass out quick on lo0 all
5:pass in quick on $int_if proto { tcp } from $internal_net to any port { 80, 443 } keep state
6:pass out quick on $ext_if proto { tcp } from $external_addr to any port { 80,443 } keep state
####################################
# Allow SSH & ping #
####################################
7:pass in quick on $ext_if inet proto icmp from 195.x.x.x to $ext_if icmp-type 8 keep state
8:pass in quick on $ext_if inet proto tcp from 195.x.x.x to $ext_if port 22 keep state

##############
# Allow Mail #
##############
9:pass in quick on $ext_if inet proto tcp from any to $ext_if port 25 keep state
####################################
10:block in on $ext_if from any to any
Voob6e po umol4aniju, po krainei mere v OpenBSD, pri aktivizacii pf filtra
ispolzujetca pass politika. Dumaju vo FreeBSD tak-zhe. A danije pravila
napisani dla block politiki po umol4aniju. V protivnom slu4aje net smisla v
3,4 i 5 pravilah. 6 pravilo togda budet nuzno tolko dla togo 4tobi sozdat
zapis v state table i razre6it vhoda6ij trafik ot web serverov, k toroim
obra6alis klienti, pri uslovii 4to ispolzujetca 10 pravilo i luboi vhoda6ij
trafik blokirujetca.
Luboi vhoda6ij trafik zapre6ajecta na vne6nem if 10 pravilom, posemu
Apache rabotat ne budet. NO dla vnutrennih obra6enij na vnutrennem if
Apache budet rabotat, pri uslovii 4to on nahoditca na 195.x.x.y ma6ine