URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi

Исходное сообщение
"IPFilter. Открытие/закрытие портов"

Отправлено teapot , 12-Ноя-08 13:36 
Система FreeBSD 7.0. Установлен sendmail, squid 2.6, bind 9.4.2. IPFilter 4.1.28
У проси сервера только один интерфейс - bce0. Ему назначены 2 ip адреса, оба из локальной сети (прокси обслуживает 2 сети 192.168.1.0, 192.168.2.0) в инет он подключен через другой сервер (на стороне провайдера) с внешним IP, на нем порты 21, 22, 25, 53, 80, 110, 119, 143, 8081 открыты и перебрасываются на прокси.  Как правильно закрыть все ненужное снаружи, оставить только 25 и 53, при этом внутренним сетям разрешить доступ в инет через прокси(порт 8081)?

Вот то, что я пытался сделать, — но после этого с локальной сети на прокси не пускает.

# Ruleset as posted with the question (IPFilter 4.1.28, FreeBSD 7.0).
# The prose says the proxy has a single interface, bce0, carrying two
# LAN addresses; the rules pair 192.168.17.0/24 with 192.168.17.254 and
# 192.168.50.0/24 with 192.168.50.254 (the prose mentions 192.168.1.0 and
# 192.168.2.0 - presumably the rules hold the authoritative values).
# NOTE(review): most "pass in" rules below are written for "bse0", not
# "bce0". A rule on an interface that does not exist never matches, so
# the per-port LAN allowances have no effect and LAN traffic falls
# through to the final "block in on bce0 all" - which is exactly the
# reported symptom (LAN cannot reach the proxy). The interface name is
# the first thing to fix.

# Inbound filter for reserved / unassigned source ranges ("bogons").
# NOTE(review): this looks like a hand-copied bogon list; several wide
# aggregates in it (e.g. 96.0.0.0/3, 72.0.0.0/5, 220.0.0.0/6) cover
# space that has since been assigned to ordinary networks, so peers in
# those ranges would be dropped. Also, 10/8 and 172.16/12 are blocked
# while 192.168/16 (the LANs themselves) is not. Verify against a
# current source before relying on it.
block in quick on bce0 from 0.0.0.0/7 to any
block in quick on bce0 from 2.0.0.0/8 to any
block in quick on bce0 from 5.0.0.0/8 to any
block in quick on bce0 from 10.0.0.0/8 to any
block in quick on bce0 from 23.0.0.0/8 to any
block in quick on bce0 from 27.0.0.0/8 to any
block in quick on bce0 from 31.0.0.0/8 to any
block in quick on bce0 from 70.0.0.0/7 to any
block in quick on bce0 from 72.0.0.0/5 to any
block in quick on bce0 from 83.0.0.0/8 to any
block in quick on bce0 from 84.0.0.0/6 to any
block in quick on bce0 from 88.0.0.0/5 to any
block in quick on bce0 from 96.0.0.0/3 to any
block in quick on bce0 from 127.0.0.0/8 to any
block in quick on bce0 from 128.0.0.0/16 to any
block in quick on bce0 from 128.66.0.0/16 to any
block in quick on bce0 from 169.254.0.0/16 to any
block in quick on bce0 from 172.16.0.0/12 to any
block in quick on bce0 from 191.255.0.0/16 to any
block in quick on bce0 from 192.0.0.0/19 to any
block in quick on bce0 from 192.0.48.0/20 to any
block in quick on bce0 from 192.0.64.0/18 to any
block in quick on bce0 from 192.0.128.0/17 to any
block in quick on bce0 from 197.0.0.0/8 to any
block in quick on bce0 from 201.0.0.0/8 to any
block in quick on bce0 from 204.152.64.0/23 to any
block in quick on bce0 from 219.0.0.0/8 to any
block in quick on bce0 from 220.0.0.0/6 to any
block in quick on bce0 from 224.0.0.0/3 to any

# Loopback: everything allowed in both directions.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound from either proxy address is always allowed. There is no
# "keep state" here, so replies to the proxy's own connections (squid
# fetching pages, bind resolving) would have to be admitted by explicit
# "pass in" rules - and none below do that, interface name aside.
pass out quick on bse0 from 192.168.17.254 to any
pass out quick on bse0 from 192.168.50.254 to any

# Per-service pattern used below: allow each LAN to reach its own
# gateway address on the port, then block that port from everyone else.
# NOTE(review): "port =" is used without "proto tcp"/"proto udp" here,
# while the port-25 and port-53 rules at the bottom do name a protocol.
# Check that this ipf version accepts a port match without a protocol.
# ssh (22)
pass in quick on bse0 from 192.168.17.0/24 to 192.168.17.254 port = 22
pass in quick on bse0 from 192.168.50.0/24 to 192.168.50.254 port = 22
block in quick on bse0 from any to 192.168.17.254 port = 22
block in quick on bse0 from any to 192.168.50.254 port = 22

# ftp control (21)
pass in quick on bse0 from 192.168.17.0/24 to 192.168.17.254 port = 21
pass in quick on bse0 from 192.168.50.0/24 to 192.168.50.254 port = 21
block in quick on bse0 from any to 192.168.17.254 port = 21
block in quick on bse0 from any to 192.168.50.254 port = 21

# telnet (23) - not among the services the post says are running or
# forwarded; if nothing listens here these rules are inert.
pass in quick on bse0 from 192.168.17.0/24 to 192.168.17.254 port = 23
pass in quick on bse0 from 192.168.50.0/24 to 192.168.50.254 port = 23
block in quick on bse0 from any to 192.168.17.254 port = 23
block in quick on bse0 from any to 192.168.50.254 port = 23

# port 10000 (service not named in the post)
# NOTE(review): the 192.168.50.0/24 rule targets 192.168.17.254, unlike
# the ssh/ftp/telnet rules above which use 192.168.50.254; the same slip
# repeats for 8081, 587 and 110. Hosts on the .50 LAN would then be
# stopped by the "block ... to 192.168.50.254" line that follows.
pass in quick on bse0 from 192.168.17.0/24 to 192.168.17.254 port = 10000
pass in quick on bse0 from 192.168.50.0/24 to 192.168.17.254 port = 10000
block in quick on bse0 from any to 192.168.17.254 port = 10000
block in quick on bse0 from any to 192.168.50.254 port = 10000

# proxy (8081) - the port the LANs must reach.
# NOTE(review): the "block" for 192.168.50.254 is on bce0 (the real
# interface) while its "pass" is on bse0, so for this address only the
# block is effective. The same holds for 587, 110 and 143 below.
pass in quick on bse0 from 192.168.17.0/24 to 192.168.17.254 port = 8081
pass in quick on bse0 from 192.168.50.0/24 to 192.168.17.254 port = 8081
block in quick on bse0 from any to 192.168.17.254 port = 8081
block in quick on bce0 from any to 192.168.50.254 port = 8081

# SMTP submission (587)
pass in quick on bse0 from 192.168.17.0/24 to 192.168.17.254 port = 587
pass in quick on bse0 from 192.168.50.0/24 to 192.168.17.254 port = 587
block in quick on bse0 from any to 192.168.17.254 port = 587
block in quick on bce0 from any to 192.168.50.254 port = 587

# POP3 (110)
pass in quick on bse0 from 192.168.17.0/24 to 192.168.17.254 port = 110
pass in quick on bse0 from 192.168.50.0/24 to 192.168.17.254 port = 110
block in quick on bse0 from any to 192.168.17.254 port = 110
block in quick on bce0 from any to 192.168.50.254 port = 110

# IMAP (143): blocked from everyone, no LAN exception.
block in quick on bse0 from any to 192.168.17.254 port = 143
block in quick on bce0 from any to 192.168.50.254 port = 143

# SMTP (25): open to any source, as the question intends (25 and 53 are
# meant to stay reachable from outside). Stateless, unlike the DNS
# rules below.
pass in quick on bse0 proto tcp from any to 192.168.17.254 port = 25
pass in quick on bse0 proto tcp from any to 192.168.50.254 port = 25

# DNS (53): open to any source, stateful ("flags S keep state" on the
# TCP side). These are the only "pass in" rules in the set written on
# bce0 with a protocol, and so the only ones that actually match on the
# real interface.
pass in quick on bce0 proto tcp from any to 192.168.17.254 port = 53 flags S keep state
pass in quick on bce0 proto udp from any to 192.168.17.254 port = 53 keep state
pass in quick on bce0 proto tcp from any to 192.168.50.254 port = 53 flags S keep state
pass in quick on bce0 proto udp from any to 192.168.50.254 port = 53 keep state

# ICMP: echo-reply (0) and time-exceeded (11) were meant to be admitted,
# but these six rules are on bse0 and never match; the line after them
# then drops all inbound ICMP on bce0 - including type 3 (destination
# unreachable), which path-MTU discovery relies on.
pass in quick on bse0 proto icmp from 192.168.17.0/24 to any icmp-type 0
pass in quick on bse0 proto icmp from 192.168.50.0/24 to any icmp-type 11
pass in quick on bse0 proto icmp from any to 192.168.17.254 icmp-type 0
pass in quick on bse0 proto icmp from any to 192.168.17.254 icmp-type 11
pass in quick on bse0 proto icmp from any to 192.168.50.254 icmp-type 0
pass in quick on bse0 proto icmp from any to 192.168.50.254 icmp-type 11
block in quick on bce0 proto icmp from any to any

# Default deny in both directions, without "quick" - evaluated last.
block in on bce0 all
block out on bce0 all

где ошибка???


"IPFilter. Открытие/закрытие портов"
Отправлено teapot , 15-Ноя-08 12:06 
Методом проб и ошибок был достигнут рабочий вариант.


# Working variant reached by trial and error (posted 15-Nov-08).
# Loopback: only 127/8 <-> 127/8 is allowed; anything else aimed at
# 127/8 on lo0 is dropped.
pass out quick on lo0 proto ip from 127.0.0.0/8 to 127.0.0.0/8
pass in quick on lo0 proto ip from 127.0.0.0/8 to 127.0.0.0/8
block in quick on lo0 proto ip from any to 127.0.0.0/8
# Outbound from either proxy address, stateless (no "keep state"); the
# replies are admitted by the source-port rules further down.
pass out quick on bce0 from 192.168.17.254  to any
pass out quick on bce0 from 192.168.50.254  to any
# Port 10000 and POP3 (110): each LAN to its own gateway address only.
pass in quick on bce0 from 192.168.17.0 mask 255.255.255.0 to 192.168.17.254  port = 10000
pass in quick on bce0 from 192.168.50.0 mask 255.255.255.0 to 192.168.50.254  port = 10000
pass in quick on bce0 from 192.168.17.0 mask 255.255.255.0 to 192.168.17.254  port = 110
pass in quick on bce0 from 192.168.50.0 mask 255.255.255.0 to 192.168.50.254  port = 110
# Proxy port 8081: open from ANY source.
# NOTE(review): the stated goal was to expose only 25 and 53 to the
# outside, and 8081 is one of the ports the provider-side box forwards
# to this host, so these two lines open the proxy to the outside too.
# The "from 192.168.x.0 mask 255.255.255.0" form used for 10000, 110
# and 22 would keep it LAN-only. (The LAN-to-gateway "port = 8081"
# rules further down are redundant given these two.)
pass in quick on bce0 from any to 192.168.17.254  port = 8081
pass in quick on bce0 from any to 192.168.50.254 port = 8081
# ssh (22): LAN only.
pass in quick on bce0 from 192.168.17.0 mask 255.255.255.0 to 192.168.17.254  port = 22
pass in quick on bce0 from 192.168.50.0 mask 255.255.255.0 to 192.168.50.254  port = 22
# SMTP (25): open to any source, as intended.
pass in quick on bce0 from any to 192.168.17.254  port = 25
pass in quick on bce0 from any to 192.168.50.254  port = 25
# Replies to the proxy's own outgoing SMTP, matched on source port 25
# only - see the note on the source-port rules near the end.
pass in quick on bce0 proto tcp from any port = 25 to 192.168.17.254
pass in quick on bce0 proto tcp from any port = 25 to 192.168.50.254
# DNS (53): UDP stateless with "keep frags", TCP stateful.
pass in quick on bce0 proto udp from any to 192.168.17.254  port = 53 keep frags
pass in quick on bce0 proto tcp from any to 192.168.17.254  port = 53 keep state keep frags
pass in quick on bce0 proto udp from any to 192.168.50.254  port = 53 keep frags
pass in quick on bce0 proto tcp from any to 192.168.50.254  port = 53 keep state keep frags
# NOTE(review): still "bse0" - these four rules never match on bce0 and
# are dead; the echo / echorep rules on bce0 below are what actually
# admit ICMP. Every other inbound ICMP type (e.g. type 3, which path-MTU
# discovery needs) falls through to the final block.
pass in quick on bse0 proto icmp from 192.168.17.0 mask 255.255.255.0 to any
pass in quick on bse0 proto icmp from 192.168.50.0 mask 255.255.255.0 to any
pass in quick on bse0 proto icmp from any to 192.168.17.254
pass in quick on bse0 proto icmp from any to 192.168.50.254
# ICMP echo from each LAN to its own gateway address.
pass in quick on bce0 proto icmp from 192.168.17.0 mask 255.255.255.0 to 192.168.17.254 icmp-type echo
pass in quick on bce0 proto icmp from 192.168.50.0 mask 255.255.255.0 to 192.168.50.254 icmp-type echo
# LAN -> proxy on 8081, but only when the client's SOURCE port is also
# 8081 - which a browser practically never uses; redundant anyway with
# the "from any ... port = 8081" rules above.
pass in quick on bce0 proto tcp from 192.168.17.0 mask 255.255.255.0 port = 8081 to 192.168.17.254 port = 8081
pass in quick on bce0 proto tcp from 192.168.50.0 mask 255.255.255.0 port = 8081 to 192.168.50.254 port = 8081
# ICMP echo-reply from anywhere (answers to the proxy's own pings).
pass in quick on bce0 proto icmp from any to 192.168.17.254 icmp-type echorep
pass in quick on bce0 proto icmp from any to 192.168.50.254 icmp-type echorep
# Return traffic for the proxy's own connections (squid -> HTTP/HTTPS,
# bind -> DNS, FTP control and active-mode data), matched on SOURCE
# port only.
# NOTE(review): these rules admit any unsolicited inbound packet whose
# source port happens to be 80, 53, 443, 21 or 20, to ANY destination
# port on the proxy, with no state check - which undoes the LAN-only
# restrictions above for such packets. The stateful form avoids it: put
# "keep state" on the "pass out" rules (e.g. "pass out quick on bce0
# proto tcp from 192.168.17.254 to any flags S keep state", and a
# "proto udp ... keep state" counterpart for DNS) so ipf admits only
# replies to connections this host opened, and drop these ten lines
# together with the two source-port-25 lines above. Active-mode FTP
# data (from port 20) is the usual exception; ipnat's ftp proxy is the
# supported way to handle it.
pass in quick on bce0 proto tcp from any port = 80 to 192.168.17.254
pass in quick on bce0 proto tcp from any port = 80 to 192.168.50.254
pass in quick on bce0 proto udp from any port = 53 to 192.168.17.254
pass in quick on bce0 proto udp from any port = 53 to 192.168.50.254
pass in quick on bce0 proto tcp from any port = 443 to 192.168.17.254
pass in quick on bce0 proto tcp from any port = 443 to 192.168.50.254
pass in quick on bce0 proto tcp from any port = 21 to 192.168.17.254
pass in quick on bce0 proto tcp from any port = 21 to 192.168.50.254
pass in quick on bce0 proto tcp from any port = 20 to 192.168.17.254
pass in quick on bce0 proto tcp from any port = 20 to 192.168.50.254
# Default deny in both directions ("quick", so order above matters).
block out quick on bce0 from any to any
block in quick on bce0 from any to any