OpenBSD General

The following may be "overkill" for many a SOHO pf implementation, but this motherboard comes with FOUR (4) embedded Intel (em) NICs. It retails for approx. CAD$235. You may use either an E3-1200 series Xeon or an i3-2100 series CPU. (For price reference, a quad-port Intel NIC is typically CAD$400+ by itself.)
The i3-2100 CPU is at a nice price point and provides more than enough punch for SOHO/SMB deployments. TYAN S5512 (S5512GM4NR) (http://www.tyan.com/support_download_cpu2.aspx?socketid=26) Why four is good -- one outside (red) interface, one inside (safe), one for WIFI AP, and one DMZ. /S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

You can get some nice Sparc boxes now on ebay for the price of that mobo. I have some Sun V210's and they come with 4 NICs. The only thing is they're like having a jet in your room. Loud, loud, loud!
__________________
BSDForums.org refugee #27 Multibooting with LILO

I'm having problems getting internal connections to servers by using URLs rather than IP addresses.
I've read the instructions here http://www.openbsd.org/faq/pf/rdr.html but still can't get it to work. I added the following line to /etc/inetd.conf
Code:
127.0.0.1:5000 stream tcp nowait proxy /usr/bin/nc nc -w 20 192.168.0.55 80
Code:
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to 127.0.0.1 port 5000
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $websrv
pass out on $int_if proto tcp to $websrv port 80 received-on $int_if nat-to $int_if
Here is my complete pf.conf file:
Code:
# macros
int_if="xl0"
ext_if="xl1"
int_net="{ 192.168.0.0/24 }"
whs="192.168.0.50"
pc1="192.168.0.20"
pc2="192.168.0.21"
websrv="192.168.0.55"

# options
set block-policy drop
set loginterface $ext_if
set skip on lo

# match rules
match in all scrub (no-df)
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }

# start internal connection
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to 127.0.0.1 port 5000
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $websrv
pass out on $int_if proto tcp to $websrv port 80 received-on $int_if nat-to $int_if
# end internal connection

pass in on egress inet proto tcp to (egress) port 80 rdr-to $websrv synproxy state
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $pc1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $pc2 synproxy state

pass in log on $int_if
Am I making my firewall less secure by running inetd to accomplish this? I'm also not quite understanding what egress and (egress) mean. Does egress=$int_if and (egress)=$ext_if? Thanks.
RE: egress
http://en.wikipedia.org/wiki/Egress_filtering "(egress)" tells pf that the IP address of the egress NIC has a dynamic IP, so it could change. Plain "egress" is used when the IP address is fixed.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

More generally, egress is an English word for "leaving".
The external interface on your firewall is added to the egress group; you can use the interface name directly instead though, which is what I'd recommend.

No, that's not what it means.. and it's documented in pf.conf(5).
Essentially what that rule means is: match incoming IPv4 packets matching "any" source address (..you could put from any in that rule) to your external IP address (egress) on TCP port 443 (https) and redirect/rewrite/pass the packet to an internal private address on the same port.
Not sure why you're using synproxy. Is it because someone mentioned it once? Did you read the documentation to see if it was appropriate?
Last edited by BSDfan666; 27th June 2011 at 04:57 PM.
I'm using synproxy because rocket357 suggested it might be a good idea since my 3Com router was constantly getting knocked offline due to syn-flood DoS attacks. Trying to do anything online these past six months has been an exercise in frustration because of the constant disconnections. Since I permanently switched over to my OpenBSD router six days ago I haven't experienced a single second of down time. Well, that's not entirely true, I had a few lockups on the BSD box on the first day but that was an overheating issue which was quickly solved. My BSD router is functioning beautifully with the firewall rule set I am using. Now I am trying to understand exactly what all the contents of my pf.conf file mean and do. Unfortunately I'm one of those people who can read something a hundred times and it still might not sink in, but show me how to do something once and I'll remember it forever. The problem is trying to find the time to learn all this new stuff.
The problem I'm trying to solve now is how to connect to my internal web servers via URL rather than using the IP address of the box. I don't need to be able to do this, I just want to do this so that I can understand how it works. As I mentioned, I've read the instructions here http://www.openbsd.org/faq/pf/rdr.html and made the appropriate changes to my inetd.conf and pf.conf files but it still doesn't work. All my Google searches end up taking me to the same FAQ. Step by step this is what I did:
1. Add this line to inetd.conf
Code:
127.0.0.1:5000 stream tcp nowait proxy /usr/bin/nc nc -w 20 192.168.0.55 80
3. Add these lines to pf.conf
Code:
int_net="{ 192.168.0.0/24 }"
websrv="192.168.0.55"
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to 127.0.0.1 port 5000
pass in on $int_if proto tcp from $int_net to $ext_if port 80 rdr-to $websrv
pass out on $int_if proto tcp to $websrv port 80 received-on $int_if nat-to $int_if
5. Test URL connection
6. Connection fails and I curse vehemently at my lack of knowledge of something that is probably so easy even a caveman could do it.
I'm obviously overlooking something in those instructions but I don't know what.
Your quest to refer by name has nothing to do with PF. It has to do with name resolution. See resolv.conf(5), and /etc/hosts. Optionally, you may eventually want a local domain name server.
Adding the appropriate line to the hosts file of my internal PCs has solved my problem. Thanks for that bump in the right direction.
If I understand you correctly, you want hosts on the internal network accessing your local server using the domain name?
As jggimi stated, a method of configuring this could be to have your DNS serve the internal address to clients on the internal network; however the following should be adequate to rewrite requests from your LAN to your external IP and replace them with the address of your internal service.
Code:
match in on $int_if inet proto tcp from $int_if:network to (egress:0) \
    port https rdr-to $websrv
Code:
# macros
int_if="xl0"
ext_if="xl1"
int_net="{ 192.168.0.0/24 }"
whs="192.168.0.50"
pc1="192.168.0.20"
pc2="192.168.0.21"
websrv="192.168.0.55"

# options
set block-policy drop
set loginterface $ext_if
set skip on lo

# match rules
match in all scrub (no-df)
## START NEW LINE ##
match in on $int_if inet proto tcp from $int_if:network to (egress:0) port http rdr-to $websrv
## END NEW LINE ##
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp to (egress) port 80 rdr-to $websrv synproxy state
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $pc1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $pc2 synproxy state
pass in log on $int_if
Nope, also in the future don't copy rules as-is.
I've played around with that line changing in to out, different ports and destinations and it still won't let me connect to internal servers via domain names. My basic understanding of that rule tells me that it should work but it's not. It's little things like this that keep me up all night trying to figure it out rather than calling it quits and trying again tomorrow.
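The ruleset quoted above carries only the rdr-to for LAN clients and, unlike the first pf.conf in this thread, no nat-to $int_if on the way to $websrv. The FAQ page linked earlier (rdr.html) calls this the reflection problem: the server answers the LAN client directly, the client sees a SYN-ACK from 192.168.0.55 instead of the external address it connected to, and resets the connection. This Python model of that exchange is an added example, not code from the thread; its addresses are constructed (203.0.113.1 stands in for the external IP) and it checks the handshake with and without the nat-to:

```python
# Added example (not from the thread): model of PF "reflection" from the LAN.
# A LAN client connects to the firewall's external address, pf applies rdr-to
# $websrv, and the server sits on the same LAN as the client. Without nat-to
# the server answers the client directly, so the SYN-ACK carries the server's
# own address instead of the one the client connected to, and the client resets.
# All addresses are constructed; 203.0.113.1 stands in for the external IP.
from dataclasses import dataclass, replace

EXT_IP = "203.0.113.1"     # constructed public address on $ext_if
FW_INT_IP = "192.168.0.1"  # constructed address of $int_if (the nat-to target)
WEBSRV = "192.168.0.55"    # $websrv as in the thread's pf.conf
CLIENT = "192.168.0.20"    # $pc1 from the thread, acting as the LAN client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN" from the client or "SYN-ACK" from the server


def firewall(pkt: Packet, nat_to_int_if: bool) -> Packet:
    """Forward direction: rdr-to $websrv, plus nat-to $int_if when enabled.
    Reverse direction: undo both (pf uses its state table; here the reverse
    mapping is hard-coded for this single flow)."""
    if pkt.flags == "SYN" and pkt.dst == EXT_IP:
        pkt = replace(pkt, dst=WEBSRV)                 # rdr-to $websrv
        if nat_to_int_if:
            pkt = replace(pkt, src=FW_INT_IP)          # nat-to $int_if
    elif pkt.flags == "SYN-ACK" and pkt.dst == FW_INT_IP:
        pkt = replace(pkt, src=EXT_IP, dst=CLIENT)     # reverse nat-to and rdr-to
    return pkt


def handshake_completes(nat_to_int_if: bool) -> bool:
    """Trace SYN and SYN-ACK; the client accepts the reply only if its source
    is the address it originally connected to (EXT_IP)."""
    syn = firewall(Packet(CLIENT, EXT_IP, "SYN"), nat_to_int_if)
    synack = Packet(src=syn.dst, dst=syn.src, flags="SYN-ACK")  # server replies
    if synack.dst != FW_INT_IP:
        # Reply goes straight to the client on the same LAN, bypassing pf,
        # so no reverse translation happens: the source is still WEBSRV.
        return synack.src == EXT_IP
    synack = firewall(synack, nat_to_int_if)
    return synack.src == EXT_IP and synack.dst == CLIENT
```

handshake_completes(False) models the quoted ruleset and returns False; handshake_completes(True) models the earlier ruleset with its nat-to $int_if rule and returns True.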