ipfw kurulu bir default gateway'de
LAN 192.168.2.0/24 networkü var.
bu network'te bir www server var.
dışarıdan buna erişim sağlamaya çalışıyorum.
sistem:
-su-2.05b# ps ax | grep nat
338 ?? Ss 5:34.38 /usr/sbin/ppp -quiet -ddial -nat adsl
61651 p0 S+ 0:00.00 grep nat

netustad kullanmaya çalışıyorum.
ipfw kurulu serverdan 192.168.2.0/24 networkündeki www server'a
ping atabilmeme rağmen port 80'ine telnet açamıyorum.
ipfw kurallarım aşağıdaki gibidir.
-su-2.05b# ipfw -a list
00100 347549 31425483 deny udp from any to any dst-port 137-139,445
00200 107356 5154188 deny tcp from any to any dst-port 137-139,445
00201 28 1276 divert 8668 tcp from 192.168.2.7 80 to any
00202 11005 556068 divert 8668 log logamount 100 tcp from any to me dst-port 80 in via tun0
00300 636 42822 deny udp from any 137-139,445 to any
00400 0 0 deny tcp from any 137-139,445 to any
00500 35 1680 deny ip from any to 10.0.0.0/8 via tun0
00600 0 0 deny ip from any to 172.16.0.0/12 via tun0
00700 0 0 deny ip from any to 0.0.0.0/8 via tun0
00800 0 0 deny ip from any to 169.254.0.0/16 via tun0
00900 0 0 deny ip from any to 192.0.2.0/24 via tun0
01000 0 0 deny ip from any to 224.0.0.0/4 via tun0
01100 0 0 deny ip from any to 240.0.0.0/4 via tun0
01200 10 480 deny ip from 10.0.0.0/8 to any via bge0
01300 0 0 deny ip from 172.16.0.0/12 to any via bge0
01400 1185 391656 deny ip from 0.0.0.0/8 to any via bge0
01500 1 53 deny ip from 169.254.0.0/16 to any via bge0
01600 0 0 deny ip from 192.0.2.0/24 to any via bge0
01700 0 0 deny ip from 224.0.0.0/4 to any via bge0
01800 0 0 deny ip from 240.0.0.0/4 to any via bge0
01900 2099566 282257191 fwd 192.168.2.1,3128 tcp from any to any dst-port 80 in via bge0
65535 12101031 7181080386 allow ip from any to any
------------------------------------
-su-2.05b# less netustad.natd
log yes
verbose no
deny_incoming no
log_denied yes
log_facility security
use_sockets yes
same_ports yes
unregistered_only yes
interface sk0
redirect_port tcp 192.168.2.7:80 XX.XXX.XX.XXX:80
--------------------------------------
netustad.ipfw
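# netustad.ipfw -- referenced by firewall_script in /etc/rc.conf.  rc.d/ipfw
# sources it with sh, so this is a flat list of ipfw(8) calls and it does
# not flush first: running it twice adds every rule twice.
# Rules added without a number are auto-numbered in steps of 100; 201 and
# 202 are numbered explicitly so the NAT divert lands right after the
# NetBIOS blocks and before the reserved-address filters.
fwcmd="/sbin/ipfw"

# NetBIOS/SMB (137-139,445) is blocked in both directions.
"${fwcmd}" add deny udp from any to any 137-139,445
"${fwcmd}" add deny tcp from any to any 137-139,445
"${fwcmd}" add deny udp from any 137-139,445 to any
"${fwcmd}" add deny tcp from any 137-139,445 to any

# Nothing may be sent to reserved/unroutable destinations over the
# external (ppp) interface tun0.
"${fwcmd}" add deny all from any to 10.0.0.0/8 via tun0
"${fwcmd}" add deny all from any to 172.16.0.0/12 via tun0
"${fwcmd}" add deny all from any to 0.0.0.0/8 via tun0
"${fwcmd}" add deny all from any to 169.254.0.0/16 via tun0
"${fwcmd}" add deny all from any to 192.0.2.0/24 via tun0
"${fwcmd}" add deny all from any to 224.0.0.0/4 via tun0
"${fwcmd}" add deny all from any to 240.0.0.0/4 via tun0

# Anti-spoofing on the external interface: a packet claiming to come from
# our own LAN range must never arrive on tun0.  Added because 192.168.0.0/16
# was missing from the reserved-source list below, and that list is bound
# to bge0 rather than tun0.  Safe with the NAT divert: after natd rewrites
# an inbound packet its source is still the remote peer's address.
"${fwcmd}" add deny all from 192.168.0.0/16 to any in via tun0

# Reserved source addresses on the LAN interface bge0.
# NOTE(review): these look like rc.firewall's "Stop RFC1918 nets on the
# outside interface" rules but are bound to the inside interface; confirm
# that is intended.  Judging by its counter, the 0.0.0.0/8 rule is most
# likely also dropping DHCP DISCOVER (source 0.0.0.0) from LAN hosts.
"${fwcmd}" add deny all from 10.0.0.0/8 to any via bge0
"${fwcmd}" add deny all from 172.16.0.0/12 to any via bge0
"${fwcmd}" add deny all from 0.0.0.0/8 to any via bge0
"${fwcmd}" add deny all from 169.254.0.0/16 to any via bge0
"${fwcmd}" add deny all from 192.0.2.0/24 to any via bge0
"${fwcmd}" add deny all from 224.0.0.0/4 to any via bge0
"${fwcmd}" add deny all from 240.0.0.0/4 to any via bge0

# Inbound NAT for the LAN web server (netustad.natd: redirect_port
# 192.168.2.7:80).  Rule 202 hands the inbound SYN on tun0 to natd; rule
# 201 hands the reply back to natd so the source is rewritten to the public
# address.  Rule 201 previously had no interface or direction, so EVERY
# reply from 192.168.2.7:80 -- including replies to LAN hosts and to this
# gateway -- was diverted; natd only needs to see the pass that leaves tun0.
# NOTE(review): per divert(4) a diverted packet with no socket bound to the
# divert port is dropped, so with natd not running these two rules silently
# drop the traffic they match.  The `ps ax | grep nat` output shown above
# lists ppp -nat and no natd process -- verify natd is actually started,
# and run exactly one NAT engine (ppp -nat, natd or ipnat), not all three.
"${fwcmd}" add 201 divert natd tcp from 192.168.2.7 80 to any out via tun0
"${fwcmd}" add 202 divert natd tcp from any to me dst-port 80 in via tun0

# Transparent proxy: LAN web traffic is redirected to squid on the gateway.
"${fwcmd}" add fwd 192.168.2.1,3128 tcp from any to any dst-port 80 in via bge0
----------------------------------------------------
-su-2.05b# cat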
/etc/rc.conf
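# /etc/rc.conf -- sourced by sh from every rc.d script (see rc.conf(5)),
# so it should hold only variable assignments; any command placed here
# runs again each time the file is sourced.
#defaultrouter="172.16.0.1"
gateway_enable="YES"
hostname="proxy.asmpmyo.edu.tr"
ifconfig_bge0="inet 192.168.2.1 netmask 255.255.255.0"   # LAN side
keyrate="fast"
linux_enable="YES"
saver="daemon"
sshd_enable="YES"
accounting_enable="YES"         # Turn on process accounting (or NO).
nfs_reserved_port_only="YES"    # Provide NFS only on secure port (or NO).
nfs_client_enable="NO"          # This host is an NFS client (or NO).
rpcbind_enable="NO"             # Run the portmapper service (YES/NO).
syslogd_enable="YES"            # Run syslog daemon (or NO).
syslogd_flags="-ss"
icmp_bmcastecho="NO"            # respond to broadcast ping packets
tcp_drop_synfin="YES"           # Set to YES to drop TCP packets with SYN+FIN
keymap=tr.iso9.q                # file: /usr/share/sysconf/keymap/tr.iso9.q.kbd
font8x16=iso09-8x16             # file: /usr/share/sysconf/fonts/iso09-8x16.fnt
ntpdate_enable="YES"
ntpdate_flags="ntp.nasa.gov"
sendmail_enable="NO"

# NOTE(review): three NAT engines are enabled below -- ipnat (ipnat_enable),
# natd (natd_enable) and ppp's built-in NAT (ppp_nat, which puts -nat on
# the ppp command line).  The divert rules in netustad.ipfw only work when
# natd itself is running; the `ps ax | grep nat` output shown above lists
# ppp -nat and no natd process.  Keep one engine and disable the others.
ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="adsl"
ppp_nat="YES"
# A bare 'sleep 4' used to sit here.  Because rc.conf is re-sourced by each
# rc.d script the delay ran before every service and did not order ppp
# before natd; service ordering comes from the rc.d scripts' REQUIRE lines.
#sleep 4
natd_enable="YES"
natd_interface="tun0"   # NOTE(review): netustad.natd says 'interface sk0' -- reconcile
# Closing quote restored: as pasted this line was unterminated, which when
# sourced would pull the following lines into the natd_flags value.
natd_flags="-f /usr/local/etc/netustad/netustad.natd"
#natd_flags="-f /etc/natd.conf"
squid_enable="YES"
kern_securelevel_enable="YES"   # kernel security level (see init(8))
kern_securelevel="1"
apache_enable="YES"
netustad_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/netustad/netustad.ipfw"
named_enable="YES"              # Run named, the DNS server (or NO).
-su-2.05b#
saygılar...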
iyi çalışmalar....

