Huzeyfe, thank you for this valuable information.

Stay well....
  ----- Original Message ----- 
  From: Huzeyfe ONAL 
  To: freebsd@lists.enderunix.org 
  Sent: Tuesday, April 15, 2008 9:34 PM
  Subject: RE: [FreeBSD] Freebsd + PF 


  Hello,

  1-3) I NAT the packets going out over ext_if so that their source address 
  becomes ext_if2's, and I tag those packets IF2; then, in the filtering 
  part, I send the packets tagged IF2 out through the other interface.

  2) The :0 in ext_if:0 means the first IP address belonging to that 
  interface. Since there is more than one IP address on ext_if on my own 
  system, I have to specify it that way to use the first address :)


------------------------------------------------------------------------------

  From: vys [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, April 15, 2008 8:36 PM
  To: freebsd@lists.enderunix.org
  Subject: Re: [FreeBSD] Freebsd + PF 

  Hello again, sir,

  I arranged my rules the way you said and the system is now working. But 
  there are parts of the rules you sent that I don't understand; would it be 
  possible for you to explain them, so that I can grasp the subject better?

  1. nat on $ext_if proto tcp from self to any port smtp  tag IF2 -> ($ext_if2)
     nat on $ext_if proto tcp from self to any port pop3  tag IF2 -> ($ext_if2)
     What are we trying to do with the smtp or pop3 ... tag IF2 lines here, 
     and what is tag IF2?

  2. pass in quick log on $ext_if2 reply-to($ext_if2 $ext_gw2) proto tcp from 
     any to $ext_if2:0 port 80 keep state
     What does $ext_if2:0 in this line mean?

  3. pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state
     What are we trying to do with $ext_if route-to ($ext_if2 $ext_gw2) 
     tagged IF2 keep state here?

  Huzeyfe, I hope I am not bothering you too much.

  Regards......


    ----- Original Message ----- 

    From: Huzeyfe ONAL 
    To: freebsd@lists.enderunix.org 
    Sent: Tuesday, April 15, 2008 7:13 PM
    Subject: RE: [FreeBSD] Freebsd + PF 

    Greetings,

    For SMTP you can use the rule below. You can replicate it for the other 
    protocols by following this pattern.

    pass in quick log (all) on $ext_if0 reply-to($ext_if0 $ext_gw0) proto tcp 
    from any to $ext_if0:0 port 25 keep state

    You can find the example for SMTP packets leaving the firewall in my 
    previous mail.


----------------------------------------------------------------------------

    From: vys [mailto:[EMAIL PROTECTED] 
    Sent: Tuesday, April 15, 2008 7:06 PM
    To: freebsd@lists.enderunix.org
    Subject: Re: [FreeBSD] Freebsd + PF 

    Hello Huzeyfe,

    First of all, to understand the subject better, would it be possible for 
    you to give a few more examples?

    The system in use is FreeBSD. What I am wondering about is this: it would 
    be much appreciated if you could give examples such as mail I send from my 
    server, or anything else, going out over the 1st DSL; surfing the internet 
    from the server going out over the 2nd DSL; or connections to an external 
    SSH server going out over the 1st DSL.

    Regards.... 


      ----- Original Message ----- 
      From: Huzeyfe ONAL 
      To: freebsd@lists.enderunix.org 
      Sent: Tuesday, April 15, 2008 5:53 PM
      Subject: RE: [FreeBSD] Freebsd + PF 

      Hello,

      For a packet that arrives over one line to go back out over the same 
      line, you need to use reply-to.

      Apart from that, you can use the route-to concept in this way for 
      requests coming from the internal network, not for the firewall itself. 
      To send traffic generated by the firewall itself out over different 
      lines, try writing nat/filtering rules like the following. 

      (For SMTP requests to leave over line II)

      nat on $ext_if proto tcp from self to any port smtp  tag IF2 -> ($ext_if2)

      pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state

      (If you are using OpenBSD 4.2 or similar, keep state is not needed)

      Additionally, looking at your rules, there are missing/incorrect 
      definitions. In general they look like rules written with a single line 
      in mind.

      To start with the simplest:

      pass in on $int_if route-to { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } 
      round-robin from $lan_net to any keep state

      With this rule you appear to be distributing the internal network users 
      across the two lines; if what you want is for these users to be on a 
      single line, specify a single exit and do not use round-robin.


--------------------------------------------------------------------------

      From: vys [mailto:[EMAIL PROTECTED] 
      Sent: Tuesday, April 15, 2008 1:03 PM
      To: freebsd@lists.enderunix.org
      Subject: [FreeBSD] Freebsd + PF 

      Hello friends,

      I have asked questions about this topic on the list before, but I wanted 
      to share with you a few situations I still have not been able to solve.

      On one server, both a proxy and a mail server are installed and running. 
      Now what I want to do is this: there are 2 DSL lines connected to this 
      server, and with packet filter I want my mail server to communicate over 
      adsl1 when sending and receiving mail, and my users to use adsl2 when 
      going out to the internet or reaching other resources. I arranged my 
      pf.conf accordingly. At this point I run into the following problems. 
      First, when I try to connect to the mail server from outside with 
      telnet, it does not connect, yet in the logs I can see it as pass; but 
      when I connect to my server with ssh the same way over adsl2 there is no 
      problem at all. Ports 25 and 110 are forwarded to the server over adsl1. 
      Is there something I have overlooked or do not know? My rule table is as 
      follows.

      ###################################################
      # Macros
      ###################################################
      lan_net = "{ 10.0.0.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24  }"
      int_if = "bge0"
      ext_if = "vr0"
      ext_if2 = "vr1"
      ext_gw1 = "192.168.100.213"  # for the proxy
      ext_gw2 = "192.168.110.25"   # for mail traffic
      fwips = "{127.0.0.1, 10.0.0.2, 192.168.100.212, 192.168.110.26}"

      ##################################################
      # Definitions
      ##################################################
      table <msn> persist file "/usr/local/etc/fw/msn"
      table <ftp> persist file "/usr/local/etc/fw/ftp"

      ###################################################
      # Set Optimizations
      ###################################################
      set limit { frags 30000, states 25000 }
      set loginterface $ext_if
      scrub in all

      ##################################################
      # NAT Rules
      ##################################################
      nat on $ext_if from $lan_net to any -> ($ext_if)
      nat on $ext_if2 from $lan_net to any -> ($ext_if2)

      rdr on $int_if proto tcp from any to any port 80 -> 10.0.0.2 port 8080

      ##################################################
      # Rules
      ##################################################
      block in log-all all
      block out log-all all
      pass in  quick on lo0 all
      pass out quick on lo0 all

      ##################################################
      # Route-to
      ##################################################
      pass in on $int_if route-to { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin from $lan_net to any keep state
      pass out on $ext_if  route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state
      pass out on $ext_if2  route-to ($ext_if $ext_gw1) from $ext_if to any keep state

      ##################################################
      # Port-based Routing
      ##################################################
      pass out  quick on $ext_if  route-to ($ext_if2 $ext_gw2) proto tcp from $fwips to any port 25  keep state
      pass out  quick on $ext_if2  proto tcp from $fwips to any port 25  keep state
      pass in quick log on $int_if  route-to ($ext_if2 $ext_gw2) proto tcp from $lan_net to any port 25  keep state

      ##################################################
      # Outbound connections permitted for the firewall
      ##################################################

      pass out quick on $ext_if proto {tcp,udp} from $fwips to any  keep state
      pass out quick on $ext_if2 proto {tcp,udp} from $fwips to any  keep state

      ##################################################
      # Ports permitted from lan_net to the firewall
      ##################################################
      pass in quick on $int_if proto tcp from $lan_net to any port { 22,25,80,110,8080,12200,443,444,53 } flags S/SA keep state
      pass in quick on $int_if proto tcp from <msn> to any port = 1863 flags S/SA keep state
      pass in quick on $int_if proto tcp from <ftp> to any port = 21 flags S/SA keep state
      pass in quick on $int_if proto { udp, icmp } from $lan_net  to any keep state

      ##################################################
      # Inbound on ext_if2
      ##################################################
      pass in quick log on $ext_if2 proto tcp from any to any port {25,80,110,53} flags S/SA keep state

      ##################################################
      # Inbound on ext_if
      ##################################################
      pass in quick log on $ext_if proto tcp from any to any port = 22 flags S/SA keep state 
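Pulling the advice in this thread together, the following is an added example (not part of any message above) of a complete dual-line pf.conf built on the three mechanisms Huzeyfe describes: reply-to so that a connection arriving on one line is answered on that same line, nat with tag plus a tagged route-to so that the firewall's own SMTP/POP3 leaves over line 2, and a single route-to (no round-robin) for LAN clients. It assumes the interface and gateway macros from vys's ruleset, that the default route points at ext_gw1, and the pre-OpenBSD-4.7 nat/rdr syntax used in the thread.

```pf
# Added example: dual-DSL ruleset combining reply-to, nat+tag and route-to.
# Assumptions: macros as in vys's ruleset, default route via ext_gw1 (line 1),
# pre-OpenBSD-4.7 nat/rdr syntax as used throughout the thread.
int_if  = "bge0"
ext_if  = "vr0"               # line 1 (default route)
ext_if2 = "vr1"               # line 2
ext_gw1 = "192.168.100.213"
ext_gw2 = "192.168.110.25"
lan_net = "{ 10.0.0.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 }"

set skip on lo0
scrub in all

# LAN clients leave via line 1, NATed to its first address only (the :0 modifier)
nat on $ext_if from $lan_net to any -> ($ext_if:0)

# Firewall's own SMTP/POP3: rewrite the source to line 2's first address and
# tag the packet so the filter rule below can hand it to line 2's gateway.
nat on $ext_if proto tcp from self to any port { smtp, pop3 } tag IF2 -> ($ext_if2:0)

block log all

# Inbound services: reply-to pins the reply to the line the SYN arrived on,
# otherwise replies to line 2 would follow the default route out line 1.
pass in quick log on $ext_if  reply-to ($ext_if $ext_gw1)  proto tcp from any to $ext_if:0  port ssh flags S/SA keep state
pass in quick log on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to $ext_if2:0 port { smtp, pop3, www } flags S/SA keep state

# Tagged firewall traffic is re-routed out line 2 before it reaches line 1's wire
pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) tagged IF2 keep state

# Everything else the firewall originates follows the default route (line 1)
pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Traffic from the LAN to the firewall itself (e.g. the proxy on 8080) must
# match before the route-to rule, or it too would be pushed at ext_gw1.
pass in quick on $int_if from $lan_net to self keep state

# LAN clients: one explicit exit via line 1, deliberately no round-robin
pass in quick on $int_if route-to ($ext_if $ext_gw1) from $lan_net to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then watch `tcpdump -n -e -ttt -i pflog0` while connecting to line 2 from outside to confirm the reply leaves via vr1.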
