I would try using "tag" on the binat rule and adding a "tagged" check on the "block" rule (see man pf.conf for details).

Alternatively, quick can be used on the binat rule, but then you would probably need to specify ports on the binat.

PS. Hopefully this question is still relevant :)

Miroslav Lachman wrote on Sat 28. 04. 2007 at 23:52 +0200:
> On a test machine I have created the interface lo1 with an address on it,
> for example 10.11.12.13, on which a jail runs. So that the jail can also be
> reached from outside, there is an IP alias on the real interface (vr0), and
> the PF rules use redirection via binat (it is the same when rdr and nat are
> used instead of binat).
> With that, however, I ran into a problem with how PF handles filter and
> address translation rules. Such a packet then appears to the PF filter with
> the private IP address, but on the physical interface, on which I have the
> private ranges blocked.
>
> Does anyone have an idea how to adjust the filter / translation rules so
> that such a packet is not blocked?
>
> So far I have worked around it by excluding the jail's IP address from the
> table of private ranges that are to be denied on the external interface,
> with this construct:
>
> table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, \
>     169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, ! $jail_addr_0 }
>
> A shortened version of pf.conf looks something like this (it is a test
> machine on a local network that uses 192.168.1.* addresses - these addresses
> are not treated as private in the rules, even though they are according to
> the RFC):
>
> -------- pf.conf --------
> ext_if="vr0"
>
> ext_addr_0="192.168.1.164" # primary IP of ext. interface
> ext_tcp_0_inports="{ 21, 25, 80, 110, 143, 443, 465, 587, 993, 995 }"
> # ports other than primary SSHd
> ext_ssh_0="22" # port on which sshd listens
> # secondary IPs of ext. interface - allowing public services
> ext_addr_1="192.168.1.165"
> ext_tcp_1_inports="{ 22, 80, 443 }"
> jail_addr_0="10.11.12.13"
> jail_tcp_0_inports="{ 22, 80, 443 }"
>
> unfiltered="{ lo0, lo1 }"
>
> ## TABLES: similar to macros, but more flexible for many addresses.
> table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, \
>     169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, ! $jail_addr_0 }
> table <czech_net> persist file "/etc/pf.czech_net.table"
> table <goodguys> persist file "/etc/pf.goodguys.table"
> table <badguys> persist file "/etc/pf.badguys.table"
> table <bruteforce> persist
> table <ssh_bruteforce> persist
>
> set skip on $unfiltered
>
> ## TRANSLATION
> binat on $ext_if from $jail_addr_0 to any -> $ext_addr_1
>
> ## FILTER
> pass in quick proto tcp from <goodguys> to any port $ext_ssh_0 flags S/SA keep state
>
> # deny bad addresses from tables
> block in quick from { <badguys>, <bruteforce>, <ssh_bruteforce> } to any
>
> block quick inet6 all
> block
>
> # Deny all non-routable traffic on the external interface
> block quick on $ext_if inet from <reserved> to any
> block quick on $ext_if inet from any to <reserved>
> ### ^^^ the problem is in this rule ^^^^^^^^^^^^^^
>
> antispoof quick for { $ext_if, lo0 }
>
> pass in on $ext_if inet proto tcp from any to $jail_addr_0 port $jail_tcp_0_inports flags S/SA keep state
> -------- pf.conf --------
>
>
> So is excluding the jail's IP address from the <reserved> table the only
> option? Couldn't it then happen, under some "strange" circumstances, that
> such packets get out into the network?
>
> I freely admit that I am no expert on firewalls and networks, so I will
> gladly take advice. If needed, I can post the complete pf.conf somewhere.
>
> Mirek

-- 
FreeBSD mailing list (users-l@freebsd.cz)
http://www.freebsd.cz/listserv/listinfo/users-l
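An added illustration of the tag/tagged approach suggested in the reply (example config, not part of either poster's pf.conf), reusing the macros and table names from the quoted configuration: the binat rule tags the packets it translates, and the block rule flagged as the problem skips only those, so $jail_addr_0 no longer has to be carved out of <reserved>.

```pf
# Added example: tag packets translated by the binat rule and let the
# "block ... to <reserved>" rule ignore them. The macros $ext_if,
# $jail_addr_0, $ext_addr_1 and $jail_tcp_0_inports are assumed to be
# defined as in the quoted pf.conf above.

# <reserved> keeps 10.0.0.0/8 whole; no "! $jail_addr_0" exception needed.
table <reserved> { 172.16.0.0/12, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, \
    169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }

## TRANSLATION
# Inbound packets for $ext_addr_1 get their destination rewritten to
# $jail_addr_0 before the filter sees them; the tag records that this
# is why they carry a private address on $ext_if.
binat on $ext_if from $jail_addr_0 to any tag JAIL_BINAT -> $ext_addr_1

## FILTER
# Deny all non-routable traffic on the external interface, except the
# packets that were just translated (and tagged) by the binat rule.
# Anything else addressed to a private range is still dropped here.
block quick on $ext_if inet from <reserved> to any
block quick on $ext_if inet from any to <reserved> ! tagged JAIL_BINAT

# Only the published jail ports are allowed through to the translated
# address; the tag exempts the packets from the block, it does not pass them.
pass in on $ext_if inet proto tcp from any to $jail_addr_0 \
    port $jail_tcp_0_inports flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; the tag/tagged keywords on translation rules are documented in pf.conf(5).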