DMZ for two network users...
I need to create a DMZ for 192.168.0.13 and 192.168.0.14.
Reading the pf howto, I see the redirection section; it lets me choose port forwarding for each masqueraded IP, but I need to pass in and pass out everything to and from the two IPs: I need only that these users skip the firewall rules... except the queueing rules. How can I do this? Thanks.
__________________
"Non ex regula ius sumatur, sed ex iure quod est regula fiat."
Last edited by maurobottone; 2nd June 2008 at 08:45 AM.

I'll try to explain my wishes better:
I have a PS3 that should use UPnP to open the ports it needs every time for online gaming... now I'm using "miniupnpd", but I would rather not use it: is there any way to open ALL TCP and UDP ports for the PS3 (192.168.0.13), for incoming and outgoing connections, in my pf.conf? Thanks.

Why forward all "TCP" ports? According to this, UDP 3658 is all you need... additional ports are listed in that article; it is definitely a better idea to set up a pf(4) ruleset... UPnP and DMZ are drastically insecure.
EDIT: Scroll down to "NAT Type 3" in that article; that's where the related information is.
Last edited by BSDfan666; 2nd June 2008 at 02:00 PM.

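As an added illustration (not part of this thread or of anyone's posted configuration), here is a pf.conf fragment in the OpenBSD 4.x syntax of the time that puts the "open everything to one host" redirect the original poster asked for next to a rule scoped to the single UDP port mentioned above; the interface names and the PS3 address are assumptions chosen to match the poster's layout.

```pf
# Added example, not from the thread. Interface names and the PS3
# address are assumed placeholders matching the poster's LAN layout.
ext_if = "pppoe0"
int_if = "re0"
ps3    = "192.168.0.13"

# Default deny, logged: anything not explicitly allowed shows up on pflog0.
block log all

# --- What a "DMZ for one host" means in pf: every unsolicited packet that
# reaches the external address is handed to the PS3, and "pass" opens all
# of its TCP and UDP ports to the Internet. Kept commented out on purpose.
# rdr pass on $ext_if proto { tcp, udp } from any to ($ext_if) -> $ps3
# pf uses the first matching rdr rule, so such a catch-all would also
# shadow any narrower rdr rule placed after it for other hosts.

# --- Scoped alternative: only the game port (UDP 3658) is redirected.
# "rdr pass" lets the redirected packets through without a separate
# pass rule, and "log" records each new connection on pflog0.
rdr pass log on $ext_if inet proto udp from any to ($ext_if) port 3658 -> $ps3

# Outbound traffic from the PS3 (and the rest of the LAN) is NATed and
# stateful, so its own connections work without opening inbound ports.
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and compare the loaded translation and filter rules with `pfctl -sn` and `pfctl -sr`.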
Thanks for the answer BSDfan666,
I've already tried everything written in that article, but it doesn't work for me o_0 I always get "NAT Type 3" and I'm not able to play online... so I would like to try opening ALL TCP and UDP ports for only one IP on my LAN and see if the "NAT type" switches from 3 to 2. Can you let me know how?

If it didn't work, you probably didn't configure it properly... if you paste your pf configuration file here, perhaps one of our network gurus can help you fix the problem "without" blatantly setting up a DMZ?

Here is my conf:

```
### macros
int_if = "re0"
ext_if = "pppoe0"
tcp_services = "{ 20, 21, 22, 25, 80, 110, 113 }"
udp_service = "{ 53, 5060 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
bnd_upstream="480Kb"
bnd_downstream="20480Kb"
host_usr1="192.168.0.1"
host_usr4="192.168.0.4"
host_usr5="192.168.0.5"
host_usr6="192.168.0.6"
host_usr8="192.168.0.8"
host_usr9="192.168.0.9"
host_usr10="192.168.0.10"
host_usr11="192.168.0.11"
host_usr12="192.168.0.12"
#host_usr13 = ps3 host
host_usr13="192.168.0.13"
host_usr14="192.168.0.14"
host_usr15="192.168.0.15"
host_usr16="192.168.0.16"

### options
set optimization normal
set block-policy return
set loginterface $ext_if
set skip on lo0

### scrub
scrub in all
scrub out on $ext_if max-mss 1440

### altq
altq on $ext_if cbq bandwidth $bnd_upstream queue { up_def }
altq on $int_if cbq bandwidth $bnd_downstream queue { dn_def }
queue up_def bandwidth 100% cbq(default) { up_host1 up_host4 up_host5 up_host6 up_host8 up_host9 up_host10 up_host11 up_host12 up_host13 up_host14 up_host15 up_host16 }
queue up_host1 bandwidth 7% cbq(borrow)
queue up_host4 bandwidth 10% cbq(borrow)
queue up_host5 bandwidth 10% cbq(borrow)
queue up_host6 bandwidth 10% cbq(borrow)
queue up_host8 bandwidth 7% cbq(borrow)
queue up_host9 bandwidth 7% cbq(borrow)
queue up_host10 bandwidth 7% cbq(borrow)
queue up_host11 bandwidth 7% cbq(borrow)
queue up_host12 bandwidth 7% cbq(borrow)
queue up_host13 bandwidth 7% cbq(borrow)
queue up_host14 bandwidth 7% cbq(borrow)
queue up_host15 bandwidth 7% cbq(borrow)
queue up_host16 bandwidth 7% cbq(borrow)
queue dn_def bandwidth 100% cbq(default) { dn_host1 dn_host4 dn_host5 dn_host6 dn_host8 dn_host9 dn_host10 dn_host11 dn_host12 dn_host13 dn_host14 dn_host15 dn_host16 }
queue dn_host1 bandwidth 7% cbq(borrow)
queue dn_host4 bandwidth 10% cbq(borrow)
queue dn_host5 bandwidth 10% cbq(borrow)
queue dn_host6 bandwidth 10% cbq(borrow)
queue dn_host8 bandwidth 7% cbq(borrow)
queue dn_host9 bandwidth 7% cbq(borrow)
queue dn_host10 bandwidth 7% cbq(borrow)
queue dn_host11 bandwidth 7% cbq(borrow)
queue dn_host12 bandwidth 7% cbq(borrow)
queue dn_host13 bandwidth 7% cbq(borrow)
queue dn_host14 bandwidth 7% cbq(borrow)
queue dn_host15 bandwidth 7% cbq(borrow)
queue dn_host16 bandwidth 7% cbq(borrow)

### nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
#line for external program: miniupnpd (for ps3) *
#rdr-anchor miniupnpd
#redirects for anima, xaser and enjoy
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 4001:4005 -> $host_usr1
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1000:1020 -> $host_usr8
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port { 1021:1041, 3724, 6112 } -> $host_usr9
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1042:1062 -> $host_usr10
rdr pass on $ext_if proto udp from any to ($ext_if) port 3658 -> $host_usr13

### filter rules
block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $int_if proto { tcp udp } from $host_usr1 to any queue up_host1
pass in on $int_if proto { tcp udp } from $host_usr4 to any queue up_host4
pass in on $int_if proto { tcp udp } from $host_usr5 to any queue up_host5
pass in on $int_if proto { tcp udp } from $host_usr6 to any queue up_host6
pass in on $int_if proto { tcp udp } from $host_usr8 to any queue up_host8
pass in on $int_if proto { tcp udp } from $host_usr9 to any queue up_host9
pass in on $int_if proto { tcp udp } from $host_usr10 to any queue up_host10
pass in on $int_if proto { tcp udp } from $host_usr11 to any queue up_host11
pass in on $int_if proto { tcp udp } from $host_usr12 to any queue up_host12
pass in on $int_if proto { tcp udp } from $host_usr13 to any queue up_host13
pass in on $int_if proto { tcp udp } from $host_usr14 to any queue up_host14
pass in on $int_if proto { tcp udp } from $host_usr15 to any queue up_host15
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_service keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any
pass out on $int_if proto { tcp udp } from any to $host_usr1 queue dn_host1
pass out on $int_if proto { tcp udp } from any to $host_usr4 queue dn_host4
pass out on $int_if proto { tcp udp } from any to $host_usr5 queue dn_host5
pass out on $int_if proto { tcp udp } from any to $host_usr6 queue dn_host6
pass out on $int_if proto { tcp udp } from any to $host_usr8 queue dn_host8
pass out on $int_if proto { tcp udp } from any to $host_usr9 queue dn_host9
pass out on $int_if proto { tcp udp } from any to $host_usr10 queue dn_host10
pass out on $int_if proto { tcp udp } from any to $host_usr11 queue dn_host11
pass out on $int_if proto { tcp udp } from any to $host_usr12 queue dn_host12
pass out on $int_if proto { tcp udp } from any to $host_usr13 queue dn_host13
pass out on $int_if proto { tcp udp } from any to $host_usr14 queue dn_host14
pass out on $int_if proto { tcp udp } from any to $host_usr15 queue dn_host15
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host16
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_if:network
#*
#anchor miniupnpd

### Deny spoofing
antispoof for $ext_if
antispoof for $int_if
```

Thanks for the help.
Last edited by maurobottone; 2nd June 2008 at 03:01 PM. Reason: [code][/code] :D

Use [code][/code] tags please! That way formatting will be preserved.