Hello,

My problem: while reinstalling my system I had designed it as a closed system. I realised that I was having the ping problem because I had closed it off with the rules
block in log(all),
  block out log(all)
For now I have left them commented out with a # in front. My problem is temporarily solved, but there must still be something I overlooked while these rules were in effect. I suspect it may be related to icmp packets. My pf.conf file is below.

Thanks...



##############<MACROS>###########################
###-->>Interface definitions
ext_if = "dc0"
int_if = "re0"

###-->>IP definitions
merkez_net = "192.168.10.0/24"
sube1_net = "192.168.11.0/24"
sube2_net = "192.168.19.0/24"
gw_sube1 = "192.168.10.5"
gw_sube2 = "192.168.10.11"
int_net = "192.168.10.4/32"
ext_net= "192.168.0.4/32"
dc_net = "192.168.10.1/32"
vm_net = "192.168.10.3/32"
squid_net = "192.168.10.4/32"
sql_server= "192.168.10.2/32"
exch_2007 = "192.168.10.1/32"
##############</MACROS>##########################



##############<BANDWIDTH SETTINGS>###############
# Area where bandwidth settings are configured
##############</BANDWIDTH SETTINGS>##############

##############<REDIRECTION SETTINGS>#############
### Redirect outbound traffic to use ftp-proxy (ftp access)
rdr on $ext_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if inet proto tcp from any to any port ftp  -> lo0 port 8021


### nat and rdr for server
#rdr pass log(all) on $int_if proto tcp from $merkez_net to any port 80 -> 127.0.0.1 port 3128
rdr pass log(all) on $int_if inet proto tcp from $merkez_net to any port www -> 127.0.0.1 port 3128
rdr pass log(all) on $int_if inet proto tcp from $sube1_net to any port www -> 127.0.0.1 port 3128
rdr pass log(all) on $int_if inet proto tcp from $sube2_net to any port www -> 127.0.0.1 port 3128


rdr on $ext_if proto tcp from any to $ext_net port 80 -> $dc_net port 80
rdr on $ext_if proto tcp from any to $ext_net port 443 -> $dc_net port 443

### ssh access
rdr on $ext_if proto tcp from any to $ext_net port 22 -> $int_net port 22
rdr on $ext_if proto tcp from any to $ext_net port 3389 -> $vm_net port 3389
rdr on $ext_if proto tcp from any to $ext_net port 21 -> $int_net port 21
rdr on $ext_if proto tcp from any to $ext_net port 20 -> $int_net port 20

### NAT for local network
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#nat on $ext_if from any to any -> $ext_net
nat on $ext_if from $squid_net to any -> $ext_net
#nat on $ext_if from $sql_server to any -> $int_net

#nat on $ext_if from $admin to any -> $ext_net
#nat on $ext_if from $gumruk to any -> $ext_net
nat on $ext_if from $dc_net to any -> $ext_net
#nat on $ext_if from any to any -> $ext_net
nat on $int_if from $sube1_net to any -> $int_net
nat on $ext_if from $sube1_net to any -> $ext_net
nat on $int_if from $sube2_net to any -> $int_net
nat on $ext_if from $sube2_net to any -> $ext_net


##############</REDIRECTION SETTINGS>############

##############<FILTER SETTINGS>##################

#block in log(all)
#block out log(all)

FTPProxyPorts="{55000><57000}"

### Services are defined.
### Services written here by name must be defined in the
### /etc/services file
olymposservices = "{ domain, www, https, smtp, pop3, pop3s, imap, imaps }"
exchangeservices = "{ kerberos, epmap }"

### Non-routable networks are defined.
nonroutable = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 0.0.0.0/8, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/32, 255.255.255.255/32 }"

scrub in all

### All traffic on the loopback interface is allowed.
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
#antispoof quick for $ext_if inet
pass in quick on $int_if from $merkez_net to any
pass out quick on $int_if from any to $merkez_net
#pass in quick on $int_if from $sube1_net to any
#pass out quick on $int_if from any to $sube1_net

### ICMP redirect packets are blocked.
block in log quick on $ext_if inet proto icmp from any to any icmp-type redir
### Packets coming from non-routable networks are blocked.
block in quick on $ext_if from $nonroutable to any
### Traffic going to non-routable networks is dropped.
block out quick on $ext_if from any to $nonroutable
### ICMP echo etc. is allowed.
pass in quick on $ext_if inet proto icmp from any to any
### ICMP packets other than those allowed are blocked.
block in log quick on $ext_if inet proto icmp from any to any

### Proxy rules
pass out quick on $ext_if inet proto tcp from $squid_net to any port = 80 flags S/SA keep state
pass out quick on $ext_if inet proto tcp from $squid_net to any port = 53 flags S/SA keep state
pass out quick on $ext_if inet proto udp from $squid_net to any port = 53 keep state
pass out quick on $ext_if inet proto udp from $squid_net to any port = 20 keep state
pass out quick on $ext_if inet proto udp from $squid_net to any port = 21 keep state
### ssh access
pass in quick on $ext_if inet proto tcp from any to any port = 22 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to any port = 20 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to any port = 21 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any port ftp-data to $ext_net port $FTPProxyPorts flags S/SA keep state

# FTP proxy access
pass in quick on $ext_if inet proto tcp from port ftp-data to ($ext_if) user proxy flags S/SA keep state
anchor "ftp-proxy/*"
pass out quick on $ext_if inet proto tcp from any to any port = 20 flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any port = 21 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to any port = 21 flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any port = 21 flags S/SA keep state

#EXCHANGE 2007 SMTP BLOCK RULES
block in  quick on $int_if inet proto tcp from $exch_2007 to any port = 25

### MERKEZ (head office) RULES

pass in quick on $ext_if inet proto tcp from any to any port =1723 flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to any port =1723

pass in quick on $ext_if inet proto tcp from any to any port=1723
pass in quick on $ext_if inet proto udp from any to any port=1723
#pass out quick on $ext_if inet proto tcp from any to any port=1723
#pass out quick on $ext_if inet proto udp from any to any port=1723
pass out quick on $ext_if inet proto tcp from any to any port=21
pass out quick on $ext_if inet proto tcp from any to any port=21 flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any port=20
pass out quick on $ext_if inet proto tcp from any to any port=20 flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any port=25 flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any port=110 flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any flags S/SA keep state
pass out quick on $ext_if inet proto udp all keep state
pass in quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp from any to any keep state
pass out quick on $int_if proto {tcp udp icmp} from any to any keep state


pass out quick on $ext_if inet proto tcp from any to any port = 53
pass in quick on $ext_if inet proto tcp from any to any port = 53
pass out quick on $ext_if inet proto udp from any to any port = 53
pass in quick on $ext_if inet proto udp from any to any port = 53
pass out quick on $ext_if inet proto tcp from any to any port = 3389
pass in quick on $ext_if inet proto tcp from any to any port = 3389
block log(all) quick on $ext_if proto { tcp udp } from any port 1863 to any # Msn port block

# DC web access
pass in quick on $int_if inet proto tcp from any to $dc_net port = 80
pass out quick on $ext_if inet proto tcp from any to $dc_net port = 80
pass in quick on $int_if inet proto tcp from any to $dc_net port = 443
pass out quick on $ext_if inet proto tcp from any to $dc_net port = 443

block return-rst in log quick on $ext_if inet proto tcp from any to any
block return-icmp in log quick on $ext_if inet proto udp from any to any
block in quick on $ext_if all

##############</FILTER SETTINGS>#################
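A small model of how pf decides on such a packet, added here as an editor's example and not part of the original mail: rules are walked top to bottom, the last matching rule wins unless it carries quick, and the rule text is a constructed subset of the pf.conf above (branch hosts are assumed to reach the firewall on $int_if, since gw_sube1 and gw_sube2 sit inside $merkez_net). With `block in log(all)` active, the only inbound rule on re0 that can override it is the `pass in quick on $int_if from $merkez_net` line, so an echo request sourced from the branch subnet is blocked while the same packet from a head-office host passes, and re-adding the commented-out $sube1_net line or dropping the block rule passes it again.

```python
# Tiny model of pf rule evaluation: rules are walked top to bottom, the LAST
# matching rule decides, unless a matching rule says "quick", which ends the walk.
# Added example; the rule text is a constructed subset of the posted pf.conf.
import ipaddress

MACROS = {"$int_if": "re0", "$ext_if": "dc0",
          "$merkez_net": "192.168.10.0/24", "$sube1_net": "192.168.11.0/24"}

def parse_rule(line):
    """action [in|out] [quick] on IF [proto P|{P ..}] from SRC to DST; other tokens ignored."""
    toks = [MACROS.get(t, t) for t in line.split()]
    rule = {"action": toks[0], "dir": None, "quick": False, "iface": None,
            "proto": None, "src": "any", "dst": "any"}
    keyed = {"on": "iface", "from": "src", "to": "dst", "proto": "proto"}
    for i, t in enumerate(toks):
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t in keyed:                        # value follows; proto may be a { a b } list
            j = i + 1
            while toks[i + 1].startswith("{") and not toks[j].endswith("}"):
                j += 1
            val = " ".join(toks[i + 1:j + 1]).strip("{}")
            rule[keyed[t]] = val.split() if t == "proto" else val
    return rule

def matches(rule, pkt):
    net = lambda spec, a: spec == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(spec)
    return (rule["dir"] in (None, pkt["dir"]) and rule["iface"] in (None, pkt["iface"])
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and net(rule["src"], pkt["src"]) and net(rule["dst"], pkt["dst"]))

def evaluate(rules, pkt):
    decision = "pass"                           # pf default when no rule matches
    for rule in rules:
        if matches(rule, pkt):
            decision = rule["action"]
            if rule["quick"]:
                break
    return decision

RULES = [parse_rule(l) for l in """block in log(all)
pass in quick on $int_if from $merkez_net to any
pass in quick on $ext_if inet proto icmp from any to any
pass out quick on $int_if proto {tcp udp icmp} from any to any keep state""".splitlines()]

def echo_in(src, rules=RULES):
    """Constructed ICMP echo request from src, arriving on re0 for 192.168.10.2."""
    return evaluate(rules, {"dir": "in", "iface": "re0", "proto": "icmp",
                            "src": src, "dst": "192.168.10.2"})
```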

On 17.04.2010 16:08, Kerem Erciyes wrote:
> Hello,
>
> There may be a problem in your PF rules. Could you share your pf.conf
> file and the other related conf files?
> Note: If you prefer confidentiality you can e-mail me directly.
>
> Kerem
>
> 2010/4/7 Bilge KAAN<[email protected]>:
>
>> Hello,
>>
>> I have a problem I just can't get to the bottom of. On the point-to-point
>> G.SHDSL link between the head office and the branch, if the branch pings
>> me, it can use the applications at the head office. But after 30 seconds
>> the connection drops. I believe there is no problem with the G.SHDSL
>> modem, because if I take OpenBSD out of the path the connection works
>> fine without any problem. In the head office (Merkez) => branch (Şube)
>> direction there is no problem at all. In the branch => head office
>> direction there is no uninterrupted operation without pinging. In
>> particular there is the workaround of using ping 192.168.10.xx -t, but I
>> couldn't determine where the trouble comes from. The head office uses
>> the 192.168.10.xx IP range and the branch 192.168.11.xx. Pf + squid runs
>> on OpenBSD...
>>
>> Thanks...
>> _______________________________________________
>> Bsd mailing list
>> [email protected]
>> https://liste.linux.org.tr/mailman/listinfo/bsd
>>
>