forum.opennet.ru

Составление сообщения

Исходное сообщение

"запуск PF после получения IP"
Отправлено sv_igor, 05-Мрт-10 18:05

>1. читайте мануал - ситуация не новая
Что именно там читать? там есть гдето информация как запустить pf после получения DHCP?
>2. покажите правила
хммм, а зачем-то правила?
Ладно вот держите
#-------------------------
# Variables and Macros
#-------------------------
# interfaces
inet_if = "tun0"
ext_if = "xl0"
int_if = "em0"
# Block connections
connblk = "synproxy state ( max-src-conn-rate 5/60, overload <BRUTEFORCERS> flush global )"
icmp_types="{ echoreq, unreach }"
#-------------------------
# ip addresses
#-------------------------
extnet = "{ 10.0.0.0/8, 192.168.252.0/24 }"
lannet = "{ 192.168.0.0/24, 192.168.2.0/24 }"
ext_ip = "195.хх.хх.хх"
server = "192.168.0.1"
private_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 \
169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 224.0.0.0/4 }"
#--------------------------
# Tables
#--------------------------
table <uaix> persist file "/etc/pf/prefixes.txt"
table <BRUTEFORCERS> persist
#-------------------------
# Ports
#-------------------------
sshlhc = "52222"
sshserver = "53232"
tcp_ports = "{ smtp, pop3, ftp, ftp-data, domain, 8339, 3333 }"
udp_ports = "{ domain, smtp, ftp, ftp-data }"
#-------------------------
# Options
#-------------------------
# Default policy
set block-policy return
# Type of optimization
#set optimization normal
# State-policy
#set state-policy floating
# skip pf on lo0 interface
set skip on lo0
#timeout to tcp packets
set timeout { frag 10, tcp.established 3600 }
# Normaliztion for all interfaces
scrub in all
#-------------------------
# Queue & Speed Control
#-------------------------
#%A
#%Q
#--------------------------
# NAT & Redirect
#--------------------------
# Nat from local net to inet
nat on $inet_if from $lannet to any -> $ext_ip
# Nat from local net to ext_net
nat on $ext_if from $lannet to $extnet -> ($ext_if)
# Redirect ports
# For Active FTP sessions
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to ! (self) port 21 -> 127.0.0.1 port 8021
# to server ssh
rdr proto tcp from any to $ext_ip port $sshserver -> $server port ssh
# to igor
rdr proto tcp from any to $ext_ip port 44990 -> 192.168.0.8 port rdp
rdr proto tcp from any to $ext_ip port 28188 -> 192.168.0.8 port 28188
# to virtual terminal server1
rdr proto tcp from any to $ext_ip port 44991 -> 192.168.0.17 port 3389
# to virtual terminal server2
rdr proto tcp from any to $ext_ip port 44992 -> 192.168.0.9 port 3389
#--------------------------
# Filter Rules
#--------------------------
# Block all
block all
# IGMP IPTV
pass quick on { $ext_if $int_if } proto igmp allow-opts no state
pass quick proto udp from 192.168.252.0/24 to any allow-opts no state
# Antispoof
antispoof quick for { lo0, $int_if, $ext_if, $inet_if }
# Block all from inet to private networks via internet interface
block drop in quick on $inet_if from $private_nets to any
# Block all from lan with non-lan ip's
# !!!!!!!!!!!!!!!! UNCOMMENT when lhc should be in 192.168.0.0/24 network
#block drop in log quick on $int_if from !$int_if:network to any
# Block all spammers
block drop log quick from <BRUTEFORCERS>
#-----------------------
# In Connections
#-----------------------
# pass all connections from our lan to server
pass in on $int_if from $lannet to $int_if keep state
# pass tcp ports from inet
pass in proto tcp to $inet_if port $tcp_ports keep state
# pass for ssh lhc
pass in log proto tcp to $inet_if port $sshlhc $connblk
# pass udp ports from inet
pass in proto udp to $inet_if port $udp_ports keep state
# for ftp
pass in on $inet_if proto tcp from any to any port > 49151 keep state
# allow from lannet to extnet
pass in from $lannet to $extnet keep state
# allow pings from inet
pass in on $inet_if inet proto icmp from any to $inet_if icmp-type $icmp_types keep state
# block smtp connections to inet
block in quick log on $int_if proto tcp from $lannet to ! $int_if port 25
#--------------------------
# Out Connections
#--------------------------
#for lan
pass out from $int_if to $lannet keep state
#for tenet
pass out from $ext_if to $extnet keep state
#for inet
pass out from $inet_if keep state
#--------------------------
# Rules for rdr
#--------------------------
# Allow rpd to corei5
pass in log on $inet_if proto tcp from any to 192.168.0.8 port rdp keep state
# rdp to virtual server1
pass in log on $inet_if proto tcp from any to 192.168.0.17 port rdp keep state
# rdp to virtual server2
pass in log on $inet_if proto tcp from any to 192.168.0.9 port rdp keep state
# Allow rpd to 192.168.0.1 ssh
pass in log on $inet_if proto tcp from any to 192.168.0.1 port ssh $connblk
# For FTP PROXY
anchor "ftp-proxy/*"
#--------------------------
# тут даем инет юзерам
#--------------------------
Собственно на момент запуска (при pf_enable="YES") он ругается что нет айпишника у ext_if
где еще можно посмотреть какие флаги можно дать скушать pf ? pf_flags

Исходное сообщение
"запуск PF после получения IP" Отправлено sv_igor, 05-Мрт-10 18:05
>1. читайте мануал - ситуация не новая Что именно там читать? там есть гдето информация как запустить pf после получения DHCP? >2. покажите правила хммм, а зачем-то правила? Ладно вот держите #------------------------- # Variables and Macros #------------------------- # interfaces inet_if = "tun0" ext_if = "xl0" int_if = "em0" # Block connections connblk = "synproxy state ( max-src-conn-rate 5/60, overload <BRUTEFORCERS> flush global )" icmp_types="{ echoreq, unreach }" #------------------------- # ip addresses #------------------------- extnet = "{ 10.0.0.0/8, 192.168.252.0/24 }" lannet = "{ 192.168.0.0/24, 192.168.2.0/24 }" ext_ip = "195.хх.хх.хх" server = "192.168.0.1" private_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 \ 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 224.0.0.0/4 }" #-------------------------- # Tables #-------------------------- table <uaix> persist file "/etc/pf/prefixes.txt" table <BRUTEFORCERS> persist #------------------------- # Ports #------------------------- sshlhc = "52222" sshserver = "53232" tcp_ports = "{ smtp, pop3, ftp, ftp-data, domain, 8339, 3333 }" udp_ports = "{ domain, smtp, ftp, ftp-data }" #------------------------- # Options #------------------------- # Default policy set block-policy return # Type of optimization #set optimization normal # State-policy #set state-policy floating # skip pf on lo0 interface set skip on lo0 #timeout to tcp packets set timeout { frag 10, tcp.established 3600 } # Normaliztion for all interfaces scrub in all #------------------------- # Queue & Speed Control #------------------------- #%A #%Q #-------------------------- # NAT & Redirect #-------------------------- # Nat from local net to inet nat on $inet_if from $lannet to any -> $ext_ip # Nat from local net to ext_net nat on $ext_if from $lannet to $extnet -> ($ext_if) # Redirect ports # For Active FTP sessions nat-anchor "ftp-proxy/" rdr-anchor "ftp-proxy/" rdr on $int_if proto tcp from any to ! (self) port 21 -> 127.0.0.1 port 8021 # to server ssh rdr proto tcp from any to $ext_ip port $sshserver -> $server port ssh # to igor rdr proto tcp from any to $ext_ip port 44990 -> 192.168.0.8 port rdp rdr proto tcp from any to $ext_ip port 28188 -> 192.168.0.8 port 28188 # to virtual terminal server1 rdr proto tcp from any to $ext_ip port 44991 -> 192.168.0.17 port 3389 # to virtual terminal server2 rdr proto tcp from any to $ext_ip port 44992 -> 192.168.0.9 port 3389 #-------------------------- # Filter Rules #-------------------------- # Block all block all # IGMP IPTV pass quick on { $ext_if $int_if } proto igmp allow-opts no state pass quick proto udp from 192.168.252.0/24 to any allow-opts no state # Antispoof antispoof quick for { lo0, $int_if, $ext_if, $inet_if } # Block all from inet to private networks via internet interface block drop in quick on $inet_if from $private_nets to any # Block all from lan with non-lan ip's # !!!!!!!!!!!!!!!! UNCOMMENT when lhc should be in 192.168.0.0/24 network #block drop in log quick on $int_if from !$int_if:network to any # Block all spammers block drop log quick from <BRUTEFORCERS> #----------------------- # In Connections #----------------------- # pass all connections from our lan to server pass in on $int_if from $lannet to $int_if keep state # pass tcp ports from inet pass in proto tcp to $inet_if port $tcp_ports keep state # pass for ssh lhc pass in log proto tcp to $inet_if port $sshlhc $connblk # pass udp ports from inet pass in proto udp to $inet_if port $udp_ports keep state # for ftp pass in on $inet_if proto tcp from any to any port > 49151 keep state # allow from lannet to extnet pass in from $lannet to $extnet keep state # allow pings from inet pass in on $inet_if inet proto icmp from any to $inet_if icmp-type $icmp_types keep state # block smtp connections to inet block in quick log on $int_if proto tcp from $lannet to ! $int_if port 25 #-------------------------- # Out Connections #-------------------------- #for lan pass out from $int_if to $lannet keep state #for tenet pass out from $ext_if to $extnet keep state #for inet pass out from $inet_if keep state #-------------------------- # Rules for rdr #-------------------------- # Allow rpd to corei5 pass in log on $inet_if proto tcp from any to 192.168.0.8 port rdp keep state # rdp to virtual server1 pass in log on $inet_if proto tcp from any to 192.168.0.17 port rdp keep state # rdp to virtual server2 pass in log on $inet_if proto tcp from any to 192.168.0.9 port rdp keep state # Allow rpd to 192.168.0.1 ssh pass in log on $inet_if proto tcp from any to 192.168.0.1 port ssh $connblk # For FTP PROXY anchor "ftp-proxy/*" #-------------------------- # тут даем инет юзерам #-------------------------- Собственно на момент запуска (при pf_enable="YES") он ругается что нет айпишника у ext_if где еще можно посмотреть какие флаги можно дать скушать pf ? pf_flags

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, [email protected] (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

>>1. читайте мануал - ситуация не новая

> Что именно там читать? там есть гдето информация как запустить pf после 
> получения DHCP?
>>2. покажите правила

> хммм, а зачем-то правила?
> Ладно вот держите

> #------------------------- 
> # Variables and Macros 
> #-------------------------

> # interfaces 
> inet_if = "tun0" 
> ext_if = "xl0" 
> int_if = "em0" 
> # Block connections 
> connblk = "synproxy state ( max-src-conn-rate 5/60, overload <BRUTEFORCERS> flush global 
> )" 
> icmp_types="{ echoreq, unreach }"

> #------------------------- 
> # ip addresses 
> #-------------------------

> extnet = "{ 10.0.0.0/8, 192.168.252.0/24 }" 
> lannet = "{ 192.168.0.0/24, 192.168.2.0/24 }" 
> ext_ip = "195.хх.хх.хх" 
> server = "192.168.0.1" 
> private_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 \ 
>             
>     169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 224.0.0.0/4 }"

> #-------------------------- 
> # Tables 
> #--------------------------

> table <uaix> persist file "/etc/pf/prefixes.txt" 
> table <BRUTEFORCERS> persist

> #------------------------- 
> # Ports 
> #-------------------------

> sshlhc = "52222" 
> sshserver = "53232" 
> tcp_ports = "{ smtp, pop3, ftp, ftp-data, domain, 8339, 3333 }" 
> udp_ports = "{ domain, smtp, ftp, ftp-data }"

> #------------------------- 
> # Options 
> #-------------------------

> # Default policy 
> set block-policy return 
> # Type of optimization 
> #set optimization normal 
> # State-policy 
> #set state-policy floating 
> # skip pf on lo0 interface 
> set skip on lo0 
> #timeout to tcp packets 
> set timeout { frag 10, tcp.established 3600 } 
> # Normaliztion for all interfaces 
> scrub in all

> #------------------------- 
> # Queue & Speed Control 
> #-------------------------

> #%A

> #%Q

> #-------------------------- 
> # NAT & Redirect 
> #--------------------------

> # Nat from local net to inet 
> nat on $inet_if from $lannet to any -> $ext_ip 
> # Nat from local net to ext_net 
> nat on $ext_if from $lannet to $extnet -> ($ext_if) 
> # Redirect ports 
> # For Active FTP sessions 
> nat-anchor "ftp-proxy/*" 
> rdr-anchor "ftp-proxy/*" 
> rdr on $int_if proto tcp from any to ! (self) port 21 
> -> 127.0.0.1 port 8021 
> # to server ssh 
> rdr proto tcp from any to $ext_ip port $sshserver -> $server port 
> ssh 
> # to igor 
> rdr proto tcp from any to $ext_ip port 44990 -> 192.168.0.8 port 
> rdp 
> rdr proto tcp from any to $ext_ip port 28188 -> 192.168.0.8 port 
> 28188 
> # to virtual terminal server1 
> rdr proto tcp from any to $ext_ip port 44991 -> 192.168.0.17 port 
> 3389 
> # to virtual terminal server2 
> rdr proto tcp from any to $ext_ip port 44992 -> 192.168.0.9 port 
> 3389

> #-------------------------- 
> # Filter Rules 
> #--------------------------

> # Block all 
> block all 
> # IGMP IPTV 
> pass quick on { $ext_if $int_if } proto igmp allow-opts no state 
 
> pass quick proto udp from 192.168.252.0/24 to any allow-opts no state 
> # Antispoof 
> antispoof quick for { lo0, $int_if, $ext_if, $inet_if } 
> # Block all from inet to private networks via internet interface 
> block drop in quick on $inet_if from $private_nets to any 
> # Block all from lan with non-lan ip's 
> # !!!!!!!!!!!!!!!! UNCOMMENT when lhc should be in 192.168.0.0/24 network 
> #block drop in log quick on $int_if from !$int_if:network to any 
> # Block all spammers 
> block drop log quick from <BRUTEFORCERS>

> #----------------------- 
> # In Connections 
> #-----------------------

> # pass all connections from our lan to server 
> pass in on $int_if from $lannet to $int_if keep state 
> # pass tcp ports from inet 
> pass in proto tcp to $inet_if port $tcp_ports keep state 
> # pass for ssh lhc 
> pass in log proto tcp to $inet_if port $sshlhc $connblk 
> # pass udp ports from inet 
> pass in proto udp to $inet_if port $udp_ports keep state 
> # for ftp 
> pass in on $inet_if proto tcp from any to any port > 
> 49151 keep state 
> # allow from lannet to extnet 
> pass in from $lannet to $extnet keep state 
> # allow pings from inet 
> pass in on $inet_if inet proto icmp from any to $inet_if icmp-type 
> $icmp_types keep state 
> # block smtp connections to inet 
> block in quick log on $int_if proto tcp from $lannet to ! 
> $int_if port 25

> #-------------------------- 
> # Out Connections 
> #--------------------------

> #for lan 
> pass out from $int_if to $lannet keep state 
> #for tenet 
> pass out from $ext_if to $extnet keep state 
> #for inet 
> pass out from $inet_if keep state

> #-------------------------- 
> # Rules for rdr 
> #--------------------------

> # Allow rpd to corei5 
> pass in log on $inet_if proto tcp from any to 192.168.0.8 port 
> rdp keep state 
> # rdp to virtual server1 
> pass in log on $inet_if proto tcp from any to 192.168.0.17 port 
> rdp keep state 
> # rdp to virtual server2 
> pass in log on $inet_if proto tcp from any to 192.168.0.9 port 
> rdp keep state 
> # Allow rpd to 192.168.0.1 ssh 
> pass in log on $inet_if proto tcp from any to 192.168.0.1 port 
> ssh $connblk 
> # For FTP PROXY 
> anchor "ftp-proxy/*"

> #-------------------------- 
> # тут даем инет юзерам 
> #--------------------------

> Собственно на момент запуска (при pf_enable="YES") он ругается что нет айпишника у 
> ext_if

> где еще можно посмотреть какие флаги можно дать скушать pf ? pf_flags

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру