Pf.conf issues
I am trying to get NAT working but I think I don't see it:
Below is an example of my config file. I do have apache running locally for now.
Code:
# cat pf.conf
web_serv_int = "192.168.7.232"
web_serv_ext = "192.168.1.1"

# gateways
set skip on lo

# block in all
#block in quick on em0 from 192.168.0.0/16 to any
block in quick on em0 from 172.16.0.0/12 to any
block in quick on em0 from 10.0.0.0/8 to any
block in quick on em0 from 127.0.0.0/8 to any
block in quick on em0 from 0.0.0.0/8 to any
block in quick on em0 from 169.254.0.0/16 to any
block in quick on em0 from 192.0.2.0/24 to any
block in quick on em0 from 204.152.64.0/23 to any
block in quick on em0 from 224.0.0.0/3 to any
#pass in quick on em0 from 192.168.1.0/24 to any
#pass out all

tcp_services = "{ ssh, smtp, www, domain, pop3, auth, pop3s }"
udp_services = "{ domain }"

#Network address translations
pass on em0 from $web_serv_int to any binat-to $web_serv_ext

#Rules
pass in proto tcp to port $tcp_services
pass proto udp to port $udp_services
pass out on em1 from 192.168.7.232 to any nat-to 192.168.1.1

#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
Thanks for the quick reply.
My network topology is normally an outside address with 64 IP addresses. My firewall needs to be able to do NAT to several webservers (5), all different functions; 2 can, for instance, be load balanced in the future. Need to access a mailserver, sftp server, and special ports. Say for instance my external address is: 84.12.34.1 till 84.12.34.63. My internal network behind the firewall is: 192.168.1.0/24. My NICs are named: em0, em2, em3 and I have the lo0 interface.
Afcelie, you have set up a test system with addresses not mentioned in your description. It was not quite what I was looking for. I'm interested in the test environment, and what you intend there.

First, please edit your post, above, and remove your actual Internet addresses from your post. There is no reason to publish information that, combined with a configuration file (with possible errors), might provide a vector to an attacker.

Second, post the following information, since perhaps I wasn't clear.

1) For your test environment: Either post the entire output of "ifconfig" from the OpenBSD system, or post the IP addresses and netmasks for em0 and em1. That's really what I was looking for.

2) For your network topology, barely described in your prior thread and here, what does the layout look like? (Now, or intended.) For example -- and in these examples, any of the individual firewalls can be multiple systems with CARP for redundancy:

A) Did you intend to have your internet-exposed servers in a tiered DMZ, such as:
Code:
{internet} [fw1] exposed servers [fw2] inner servers and user workstations
Code:
{internet} [fw] all servers and workstations
Code:
{internet} [fw] inner servers and workstations
             |
        exposed servers

I hope you can see from this simple set of three alternative designs that what you've posted so far has not been of sufficient clarity, nor your questions specific.
I want to use a setting like this:
Internet --> FW (2 clustered) --> DMZ --> FW (2 clustered) --> Trusted Zone. This is what it needs to be finally. We now have a setup with Ubuntu servers, but I think OpenBSD is more secure than Ubuntu and a bit lighter. So it is option A which is suitable. Here is my ifconfig also:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:d8:0a:35
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 192.168.1.231 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fed8:a35%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:d8:0a:3f
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 192.168.7.231 netmask 0xffffff00 broadcast 192.168.7.255
        inet6 fe80::20c:29ff:fed8:a3f%em1 prefixlen 64 scopeid 0x2
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:d8:0a:49
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 192.168.9.231 netmask 0xffffff00 broadcast 192.168.9.255
        inet6 fe80::20c:29ff:fed8:a49%em2 prefixlen 64 scopeid 0x3
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
Thank you. Again, please edit your post above, and remove reference to your 84.x.x.x addresses, for reasons of limiting exposure to future attack.
--- Your test system has three /24 subnets, and uses the same address for the final octet: 192.168.{1,7,9}.231/24 -- and based on the test PF configuration you provided at the top of this thread, you are using subnet 1 as an external network, and subnet 7 as an internal network. Subnet 9 is not involved yet.
Code:
pass from 192.168.7.232 to any binat-to 192.168.1.1
Code:
pass out inet from 192.168.7.232 to any flags S/SA keep state nat-to 192.168.1.1 static-port
pass in inet from any to 192.168.1.1 flags S/SA keep state rdr-to 192.168.7.232

Please let me know if you are still confused. If there is something that is not working correctly, please, be very clear when you ask again, and include details of what is not working.

Last edited by jggimi; 3rd January 2011 at 09:19 PM.
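Added example, not code from this thread or from OpenBSD: a small Python expander that applies pf.conf macros and rewrites each `binat-to` rule into the `nat-to`/`rdr-to` pair shown in the reply above, in the same shape pfctl derives. It accepts only the `pass [on iface] [inet] from A to B binat-to C` rule form used in this thread; the `flags S/SA keep state` and `static-port` parts follow the expansion quoted above.

```python
import re

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
MACRO_USE = re.compile(r"\$(\w+)")
# Only the rule shape used in this thread: pass [in|out] [on IF] [inet] from A to B binat-to C
BINAT = re.compile(
    r"^pass(?:\s+(?P<dir>in|out))?(?:\s+on\s+(?P<iface>\S+))?(?:\s+(?P<af>inet6?))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+binat-to\s+(?P<ext>\S+)$")


def expand_binat(rule):
    """Return [rule] unchanged, or the two rules a binat-to mapping stands for."""
    m = BINAT.match(rule)
    if not m:
        return [rule]
    if m["dir"]:
        # binat-to is a bidirectional mapping, so a direction on it is a config error.
        raise ValueError("binat-to rule must not carry a direction: " + rule)
    on = f" on {m['iface']}" if m["iface"] else ""
    af = m["af"] or "inet"
    # Outbound half: source-translate the internal host to the external address.
    outbound = (f"pass out{on} {af} from {m['src']} to {m['dst']} flags S/SA keep state "
                f"nat-to {m['ext']} static-port")
    # Inbound half: redirect traffic for the external address to the internal host.
    inbound = (f"pass in{on} {af} from {m['dst']} to {m['ext']} flags S/SA keep state "
               f"rdr-to {m['src']}")
    return [outbound, inbound]


def expand_ruleset(text):
    """Strip comments, apply macro definitions, and expand every binat-to rule."""
    macros, rules = {}, []

    def substitute(match):
        name = match.group(1)
        if name not in macros:
            raise ValueError(f"macro '{name}' not defined")  # pfctl rejects this as well
        return macros[name]

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.extend(expand_binat(MACRO_USE.sub(substitute, line)))
    return rules
```

Feeding it the macro block and `binat-to` line from the first post yields the same two rules quoted above, with `on em0` carried onto both halves.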