Hello,
I have configured OpenBSD 4.2 as a firewall using pf.
I created my rules under /etc/firewall as filter.rules and nat.rules.
I also wrote a script named yenile to reload these pf rules. But whenever
I try to reload my rules I get the error below and cannot get out to the
internet. I think the error comes from filter.rules, but I have not been
able to solve it. I would be very grateful for any help with this. Thanks
pfctl: Must enable table loading for optimizations
Özge
Script
pfctl -Fa
pfctl -N -f /etc/firewall/nat.rules
pfctl -R -f /etc/firewall/filter.rules
filter.rules
### Interface definitions
internal = "xl0"
external = "fxp0"
### IP definitions
extnet = "192.168.2.0/24"
intnet = "172.16.0.0/18"
fwint = "172.16.1.3/32"
fwext = "192.168.2.3/32"
squid = "172.16.1.3/32"
sinirsiz = "{ 172.16.1.2/32, 172.16.22.22/32 }"
### Passive FTP ports
FTPProxyPorts = " { 55000 >< 57000 }"
### Non-routable network definitions
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 224.0.0.0/3, 255.255.255.255/32 }"
scrub in all
### All traffic on the loopback interface is allowed
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
### All traffic on the internal interface is allowed
pass out quick on $internal from any to any
pass in quick on $internal from any to any
### Redirected ICMP packets are blocked
block in log quick on $external inet proto icmp from any to any icmp-type redir
### Packets coming from non-routable networks are blocked
block in quick on $external from $nonroutable to any
### Packets going to non-routable networks are blocked
block out quick on $external from any to $nonroutable
### ICMP echo is allowed
#pass in quick on $external inet proto icmp from any to any icmp-type { echorep, echoreq, timex, unreach }
### ICMP packets other than those allowed are blocked
block in log quick on $external inet proto icmp from any to any
### Proxy rules
pass out quick on $external inet proto tcp from $squid to any port = 10000 flags S/SA keep state
pass out quick on $external inet proto tcp from $squid to any port = 80 flags S/SA keep state
pass out quick on $external inet proto tcp from $squid to any port = 53 flags S/SA keep state
pass out quick on $external inet proto udp from $squid to any port = 53 keep state
### Unlimited users
pass out quick on $external inet proto tcp from $sinirsiz to any flags S/SA keep state
pass out quick on $external inet proto udp from $sinirsiz to any
pass out quick on $external inet proto icmp from $sinirsiz to any keep state
### Outbound traffic is allowed unconditionally
pass out quick on $external inet proto tcp from any to any flags S/SA keep state
pass out quick on $external inet proto udp from any to any
pass out quick on $external inet proto icmp from any to any keep state
### Dangerous packets are blocked
block return-rst in log quick on $external inet proto tcp from any to any
block return-icmp in log quick on $external inet proto udp from any to any
block in log quick on $external all
nat.rules
### Interface definitions
internal = "xl0"
external = "fxp0"
### IP definitions
extnet = "192.168.2.0/24"
intnet = "172.16.0.0/18"
fwint = "172.16.1.3/32"
fwext = "192.168.2.3/32"
squid = "172.16.1.3/32"
sinirsiz = "{ 172.16.1.2/32, 172.16.22.22/32 }"
### Redirect outbound FTP traffic to use ftp-proxy
#rdr on $internal proto tcp from any to any port ftp -> 127.0.0.1 port 8021
### Proxy nat
nat on $external from $squid to any -> $fwext
rdr on $external proto tcp from 213.194.88.80/28 to $fwext port 10000 -> $squid port 10000
rdr on $external proto tcp from 81.214.12.130/32 to $fwext port 10000 -> $squid port 10000
### nat for local network
nat on $external from $intnet to any -> $fwext
### Unlimited users
nat on $external from $sinirsiz to any -> $fwext