OpenBSD Security - Functionally paranoid!
DMZ zone - I can't find a mistake...
Hello,
I must create a DMZ zone for my second local net, 192.168.1.0/16. This is my pf.conf:

Code:

### macros
int_if = "re0"
dmz_if = "re1"
ext_if = "pppoe0"
tcp_services = "{ 20, 21, 22, 25, 80, 110, 113 }"
udp_service = "{ 53, 5060 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
dmz_net = "192.168.1.0/16"
bnd_upstream="512Kb"
bnd_downstream="7168Kb"
host_usr1="192.168.0.1"
host_usr4="192.168.0.4"
host_usr5="192.168.0.5"
host_usr6="192.168.0.6"
host_usr8="192.168.0.8"
host_usr9="192.168.0.9"
host_usr10="192.168.0.10"
host_usr11="192.168.0.11"
host_usr12="192.168.0.12"
host_usr13="192.168.1.13"
host_usr14="192.168.1.14"
host_usr15="192.168.0.15"
host_usr16="192.168.0.16"
host_usr17="192.168.0.17"
host_usr18="192.168.0.18"

### options
set optimization normal
set block-policy return
set loginterface $ext_if
set skip on lo0

### scrub
scrub in all
scrub out on $ext_if max-mss 1440

### altq
altq on $ext_if cbq bandwidth $bnd_upstream queue { up_def }
altq on $int_if cbq bandwidth $bnd_downstream queue { dn_def }
queue up_def bandwidth 100% cbq(default) { up_host1 up_host4 up_host5 up_host6 up_host8 up_host9 up_host10 up_host11 up_host12 up_host13 up_host14 up_host15 up_host16 up_host17 up_host18 }
queue up_host1 bandwidth 13% cbq(borrow)
queue up_host4 bandwidth 7% cbq(borrow)
queue up_host5 bandwidth 7% cbq(borrow)
queue up_host6 bandwidth 7% cbq(borrow)
queue up_host8 bandwidth 6% cbq(borrow)
queue up_host9 bandwidth 6% cbq(borrow)
queue up_host10 bandwidth 6% cbq(borrow)
queue up_host11 bandwidth 6% cbq(borrow)
queue up_host12 bandwidth 6% cbq(borrow)
queue up_host13 bandwidth 6% cbq(borrow)
queue up_host14 bandwidth 6% cbq(borrow)
queue up_host15 bandwidth 6% cbq(borrow)
queue up_host16 bandwidth 6% cbq(borrow)
queue up_host17 bandwidth 6% cbq(borrow)
queue up_host18 bandwidth 6% cbq(borrow)
queue dn_def bandwidth 100% cbq(default) { dn_host1 dn_host4 dn_host5 dn_host6 dn_host8 dn_host9 dn_host10 dn_host11 dn_host12 dn_host13 dn_host14 dn_host15 dn_host16 dn_host17 dn_host18 }
queue dn_host1 bandwidth 13% cbq(borrow)
queue dn_host4 bandwidth 7% cbq(borrow)
queue dn_host5 bandwidth 7% cbq(borrow)
queue dn_host6 bandwidth 7% cbq(borrow)
queue dn_host8 bandwidth 6% cbq(borrow)
queue dn_host9 bandwidth 6% cbq(borrow)
queue dn_host10 bandwidth 6% cbq(borrow)
queue dn_host11 bandwidth 6% cbq(borrow)
queue dn_host12 bandwidth 6% cbq(borrow)
queue dn_host13 bandwidth 6% cbq(borrow)
queue dn_host14 bandwidth 6% cbq(borrow)
queue dn_host15 bandwidth 6% cbq(borrow)
queue dn_host16 bandwidth 6% cbq(borrow)
queue dn_host17 bandwidth 6% cbq(borrow)
queue dn_host18 bandwidth 6% cbq(borrow)

### nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)
# redirects for nucleo, anima, xaser and enjoy
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {4001:4005, 1063:1083} -> $host_usr1
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1000:1020 -> $host_usr8
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {1021:1041, 3724, 6112 } -> $host_usr9
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1042:1062 -> $host_usr10

### filter rules
block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
block drop in quick on $ext_if from $dmz_net to any
block drop out quick on $ext_if from any to $dmz_net
pass in on $int_if proto { tcp udp } from $host_usr1 to any queue up_host1
pass in on $int_if proto { tcp udp } from $host_usr4 to any queue up_host4
pass in on $int_if proto { tcp udp } from $host_usr5 to any queue up_host5
pass in on $int_if proto { tcp udp } from $host_usr6 to any queue up_host6
pass in on $int_if proto { tcp udp } from $host_usr8 to any queue up_host8
pass in on $int_if proto { tcp udp } from $host_usr9 to any queue up_host9
pass in on $int_if proto { tcp udp } from $host_usr10 to any queue up_host10
pass in on $int_if proto { tcp udp } from $host_usr11 to any queue up_host11
pass in on $int_if proto { tcp udp } from $host_usr12 to any queue up_host12
pass in on $dmz_if proto { tcp udp } from $host_usr13 to any queue up_host13
pass in on $dmz_if proto { tcp udp } from $host_usr14 to any queue up_host14
pass in on $int_if proto { tcp udp } from $host_usr15 to any queue up_host15
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host17
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host18
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_service keep state
pass in on $ext_if inet proto { tcp udp } from any to ($dmz_if) keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any
pass in on $dmz_if all keep state
pass out on $int_if proto { tcp udp } from any to $host_usr1 queue dn_host1
pass out on $int_if proto { tcp udp } from any to $host_usr4 queue dn_host4
pass out on $int_if proto { tcp udp } from any to $host_usr5 queue dn_host5
pass out on $int_if proto { tcp udp } from any to $host_usr6 queue dn_host6
pass out on $int_if proto { tcp udp } from any to $host_usr8 queue dn_host8
pass out on $int_if proto { tcp udp } from any to $host_usr9 queue dn_host9
pass out on $int_if proto { tcp udp } from any to $host_usr10 queue dn_host10
pass out on $int_if proto { tcp udp } from any to $host_usr11 queue dn_host11
pass out on $int_if proto { tcp udp } from any to $host_usr12 queue dn_host12
pass out on $dmz_if proto { tcp udp } from any to $host_usr13 queue dn_host13
pass out on $dmz_if proto { tcp udp } from any to $host_usr14 queue dn_host14
pass out on $int_if proto { tcp udp } from any to $host_usr15 queue dn_host15
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host16
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host17
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host18
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_if:network
pass out on $dmz_if all keep state

### Deny spoofing
antispoof for $ext_if
antispoof for $dmz_if
antispoof for $int_if

I need to leave open ALL TCP AND UDP ports on the DMZ network, and this does not happen with this firewall... And I can ping every IP of 192.168.1.0 from the server/router, but from a PC on the LAN (in 192.168.0.0) I can't ping a PC in the DMZ... where is the mistake?! Thanks a lot.
__________________
"Non ex regula ius sumatur, sed ex iure quod est regula fiat." Last edited by maurobottone; 22nd December 2008 at 08:21 PM.
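An added example, not part of the post and not OpenBSD's own tooling: a small Python lint over the macro section of a pf.conf like the one above. It checks each network macro for a prefix whose host bits are set (the `192.168.1.0/16` form, which the Python `ipaddress` module rejects in strict mode and which matches as `192.168.0.0/16` once the mask is applied), reports when `dmz_net` lies inside a `priv_nets` entry, and shows which `host_*` macros fall on the DMZ side under the prefix as written versus an assumed `/24`. The `PF_MACROS` excerpt is constructed from the post's macros and trimmed to a few hosts; the `/24` used in the usage lines is an assumption about the intended DMZ size, not something the post states.

```python
import ipaddress
import re

# Constructed excerpt of the macro section from the pf.conf in the post above,
# trimmed to what the checks need (the real file declares more host_usrN
# macros; they would only add more entries to the host classification).
PF_MACROS = '''
int_if = "re0"
dmz_if = "re1"
ext_if = "pppoe0"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
dmz_net = "192.168.1.0/16"
host_usr1="192.168.0.1"
host_usr13="192.168.1.13"
host_usr14="192.168.1.14"
host_usr16="192.168.0.16"
'''

# name = "value"  (spaces around "=" are optional; a trailing comment may follow)
MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*(?:#.*)?$')


def parse_macros(text):
    """Return {name: raw value} for every macro definition line in text."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand_list(value):
    """Split a pf list "{ a, b }" (or a bare value) into its elements."""
    value = value.strip()
    if value.startswith("{") and value.endswith("}"):
        value = value[1:-1]
    return [v for v in value.replace(",", " ").split() if v]


def normalize_prefix(cidr):
    """Return (network, warning). strict=True rejects prefixes whose host bits
    are set, which is exactly the "192.168.1.0/16" slip: matching is done on
    address AND mask, so the prefix effectively becomes 192.168.0.0/16."""
    try:
        return ipaddress.ip_network(cidr, strict=True), None
    except ValueError:
        net = ipaddress.ip_network(cidr, strict=False)
        return net, f"{cidr}: host bits set, effective prefix is {net}"


def lint_macros(macros):
    """Return a list of findings about the network-prefix macros."""
    findings = []
    nets = {}  # macro name -> list of ip_network
    for name, raw in macros.items():
        elems = expand_list(raw)
        if not elems or not all("/" in e for e in elems):
            continue  # interface names, single hosts, ports: not prefixes
        nets[name] = []
        for e in elems:
            net, warn = normalize_prefix(e)
            nets[name].append(net)
            if warn:
                findings.append(f"{name}: {warn}")
    # If the DMZ prefix sits inside a priv_nets prefix, a rule keyed on either
    # macro also matches traffic meant for the other: the zones are not distinct.
    for dmz in nets.get("dmz_net", []):
        for other in nets.get("priv_nets", []):
            if dmz.version == other.version and dmz.subnet_of(other):
                findings.append(f"dmz_net {dmz} lies inside priv_nets entry "
                                f"{other}; DMZ and LAN are not distinguished")
    return findings


def classify_hosts(macros, dmz_cidr):
    """Split host_* macros into those inside dmz_cidr ("dmz") and the rest
    ("lan"), using the effective (masked) prefix as the packet filter would."""
    dmz_net, _ = normalize_prefix(dmz_cidr)
    result = {"dmz": [], "lan": []}
    for name, raw in macros.items():
        if name.startswith("host_"):
            addr = ipaddress.ip_address(raw.strip())
            result["dmz" if addr in dmz_net else "lan"].append(name)
    return result


if __name__ == "__main__":
    macros = parse_macros(PF_MACROS)
    for finding in lint_macros(macros):
        print("WARN", finding)
    print("as written  :", classify_hosts(macros, macros["dmz_net"]))
    print("assumed /24 :", classify_hosts(macros, "192.168.1.0/24"))
```

Run as a script it prints the two findings and the two classifications; with the prefix as written every host, LAN ones included, lands on the DMZ side. The lint only reads macros, so it says nothing about rule order or state handling; for those, `pfctl -nf /etc/pf.conf` checks the syntax without loading, `pfctl -sr` shows the rules as loaded, and `tcpdump -n -e -ttt -i pflog0` shows which rule blocked a given packet once the relevant block rules carry `log`.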