Private IPs like those in 10.10.0.0/16 have to be NATed using
nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if)
so the packets exiting $ext_if are coming from ($ext_if) and not from
10.10.0.0/16.
Regards,
Charlie
Ricardo Augusto de Souza wrote:
I didn't understand what you said.
Could you please explain it to me better?
Sorry to bother you.
Thanks
-----Original Message-----
From: Charlie Clark [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 October 2008 13:38
To: Ricardo Augusto de Souza
Subject: Re: Filtering outgoing connections in pf
Hi Ricardo,
That's because the packets going out have to be NATed, so they are not
coming from 10.10.0.0/16 but instead they are coming from $ext_if.
Regards,
Charlie
Ricardo Augusto de Souza wrote:
Hi,
I am confused by some PF rules.
I am trying to allow just some ports to my local users.
I am using block out on $ext_if, but I thought I would be able to choose the
ports my LAN users can access with the rule
pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25, 110 } keep state
It seems to be ok, but I had to add this rule: pass out on $ext_if from
$ext_if to any (without this rule my box cannot connect to the
internet). With this rule, all users can connect to any outbound port.
Question: what is the right way to have my box on the internet while my
users can only access those selected ports?
Thanks
My pf.conf:
# options have to come before the scrub line: pfctl enforces the order
# options, normalization, queueing, translation, filtering (require-order
# is on by default), so the set lines are grouped here
set loginterface xl1
set skip on lo0
set require-order yes
set state-policy if-bound
scrub in
altq on xl1 priq bandwidth 50Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
# external WAN interface
ext_if = "xl1"
# internal LAN interface
int_if = "xl0"
# MPLS interface
mpls_if = "bge0"
# VPN tunnel interfaces
vpn_if = "{ tun0, tun1, tun2, tun3, tun4 }"
vpn_net = "{ 10.10.9.0/26 }"
# default gateway
gw = "200.162.41.33"
table <badsites> persist file "/etc/badsites.txt"
winupdate = "{ 65.54.87.0/24 }"
############
# Macros
##########
#################
# 1 - Redirection for the staging (homologação) environment
###############
ws_ip = "{ 10.10.100.21 }"
ws_ports = "{ 8101, 8102, 8103 }"
####################################
# 2 - Useful macros
################################
lan = "{ 10.10.0.0/16 }"
cmt_lan = "{ 10.10.0.0/24 }"
ti_lan = "{ 10.10.20.0/26 }"
call_center_lan = "{ 10.10.60.0/26 }"
rede_mpls = "{ 10.100.0.0/16 }"
ip_admin = "{ 10.10.20.100 }"
msn = "207.46.0.0/16"
# ports
portas_saida_tcp = "{ 25, 80, 110, 443 }"
portas_saida_udp = "{ 53, 443 }"
portas_entrada_tcp = "{ 22, 1981, 810 }"
portas_entrada_udp = "{ 1194 }"
ip_rose = "{ 10.10.0.56 }"
porta_rose = "{ 2631 }"
oracle_desenv = "{ 10.10.100.13, 10.10.100.14 }"
ips_adm_ext = "{ 189.33.76.0/26 }"
# test: internet access for the MPLS stores (through the squid on $int_if)
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 3128 -> $int_if port 3128
# redirect to the NTP server
rdr pass on $mpls_if inet proto udp from $rede_mpls to $mpls_if port 123 -> 10.10.100.254 port 123
# redirect so the DTC servers can send mail through "sol"
rdr pass on $mpls_if inet proto tcp from $rede_mpls to $mpls_if port 25 -> 10.10.0.2 port 25
nat on $int_if from any to 10.10.0.2 -> $int_if
# transparent squid: the LAN's port 80 is terminated on the local proxy,
# which then connects out from the firewall's own address
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1521 -> 10.10.100.13 port 1521
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1522 -> 10.10.100.14 port 1521
nat on $int_if from any to $oracle_desenv port 1521 -> $int_if
# redirection into the LAN; NAT was needed here as well
rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
nat on $int_if from any to $ws_ip -> $int_if
#################
##### NAT ######
#################
# NAT to give the LAN internet access
# this translation runs before the outbound filter on $ext_if, so an
# outbound rule on $ext_if never sees a 10.10.0.0/16 source
nat on $ext_if from $lan to !($ext_if) -> $ext_if
nat on $mpls_if from $lan to any -> $mpls_if
# block everything inbound and everything outbound (the block out rule
# for $ext_if is further down)
block in on $ext_if
# inbound rules
# allow everything in on the internal interface (there is no block in on
# $int_if, so LAN traffic to other destinations passes by default anyway)
pass in on $int_if proto udp from $lan to $int_if port 53
pass in on $int_if from any to $lan modulate state
pass in on $int_if from $rede_mpls to $lan modulate state
# allow access to the MPLS network
pass in quick on $mpls_if from any to any
#pass in quick on $mpls_if from $rede_mpls to any
# allow inbound on the external interface
pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state
pass in quick on $ext_if proto udp from any to $ext_if port $portas_entrada_udp keep state
pass in quick on $ext_if proto tcp from any to $int_if port 443 flags S/SAFR keep state (max 256)
# VPN
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick on $vpn_if all
pass out quick on $vpn_if all
pass in quick on $int_if from $vpn_net to any modulate state
pass in quick on $mpls_if from $vpn_net to any modulate state
# outbound rules
antispoof quick for { lo $int_if }
pass out on $int_if from any to $lan keep state
pass out on $mpls_if from $mpls_if to any modulate state
#####
# deny all outbound traffic
block out on $ext_if
#pass out on $ext_if from $ext_if to any modulate state
pass out quick on $ext_if proto tcp from any to any port $portas_saida_tcp modulate state queue (q_def, q_pri)
pass out quick on $ext_if proto tcp from $ip_rose port 1024:65535 to 200.201.174.0/24 port { 80, 2631 } modulate state
# full access for the administrators
#pass out on $ext_if from $ip_admin to any modulate state
# this is the rule that lets the firewall itself out; because the LAN's
# packets also carry $ext_if as source after NAT, it lets the LAN out too
pass out on $ext_if proto tcp from $ext_if to any modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# block msn
# on $ext_if, tcp port 80 to $msn is already matched by the pass out quick
# rule above, so only port 1863 is actually blocked there
pass out quick inet proto tcp from $ip_admin to $msn port { 80, 1863 }
block out quick proto tcp from any to $msn port { 80, 1863 }
# block access to these sites
# these rules are not quick and come after the pass out quick rules, so
# they do not affect traffic those rules have already passed
block out on $ext_if from any to <badsites>
block out on $ext_if from any to $winupdate
--
Charlie Clark
Network Engineer
Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK
Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/
Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052
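As an added example, not part of the thread above: a minimal ruleset, in the same pre-4.7 nat/rdr syntax as Ricardo's pf.conf, that applies Charlie's point. Because nat on $ext_if rewrites the source before the outbound filter on $ext_if runs, the LAN has to be filtered either before translation (inbound on $int_if) or by something that survives translation (a tag set by the nat rule), and the firewall's own exit rule must not double as an everything-out rule for the LAN. The macros follow Ricardo's file; the tag name LAN_OUT and the udp port list are assumptions, and the rule that can never match is kept as a comment for comparison. (OpenBSD 4.7 and later replaced nat/rdr rules with match ... nat-to, so the example is written against the version the thread uses.)

```pf
# Added example, not from the thread. Macros follow Ricardo's pf.conf;
# the tag name LAN_OUT and the udp port list are assumptions.
ext_if = "xl1"
int_if = "xl0"
lan = "{ 10.10.0.0/16 }"
portas_saida_tcp = "{ 25, 80, 110, 443 }"
portas_saida_udp = "{ 53 }"

# Translation runs before outbound filtering on $ext_if. After this rule
# the packet's source is ($ext_if); the tag is what survives the rewrite.
nat on $ext_if from $lan to any tag LAN_OUT -> ($ext_if)

# Default deny on both sides, then open explicitly.
block in on $int_if
block out on $ext_if

# Ricardo's rule, kept for comparison: it can never match on $ext_if,
# because the 10.10.0.0/16 source has already been rewritten.
#pass out on $ext_if proto tcp from $lan to any port $portas_saida_tcp keep state

# 1. Filter the LAN before NAT, on the inbound side of the LAN interface,
#    where the packet still carries its 10.10.x.x source address.
pass in on $int_if proto tcp from $lan to any port $portas_saida_tcp keep state
pass in on $int_if proto udp from $lan to any port $portas_saida_udp keep state

# 2. On the way out, match the tag instead of the rewritten source. This
#    restates policy 1 at the egress point without depending on the
#    source address, so a LAN packet that reaches $ext_if on any other
#    port is dropped here by the block out above.
pass out on $ext_if proto tcp from any to any port $portas_saida_tcp tagged LAN_OUT keep state
pass out on $ext_if proto udp from any to any port $portas_saida_udp tagged LAN_OUT keep state

# 3. The firewall's own traffic is generated locally, is never NATed and
#    therefore never tagged. "! tagged" keeps this rule from doubling as
#    an everything-out rule for the LAN, which is what Ricardo's
#    "pass out on $ext_if from $ext_if to any" did.
pass out on $ext_if from ($ext_if) to any ! tagged LAN_OUT keep state
```

Check it with pfctl -nf /etc/pf.conf (parse only) before loading with pfctl -f, then test from a LAN host: a connection to an allowed port shows up in pfctl -ss as two states, one created on the xl0 side with the 10.10.x.x source and one on the xl1 side with the firewall's address, while a connection to a port outside the list is dropped on xl0 and never appears on xl1; the firewall itself can still reach any port. One caveat from Ricardo's own ruleset: his transparent squid rdr on $int_if terminates the LAN's port-80 connections on the firewall, and squid re-originates them from the firewall's address, untagged, so they leave under rule 3. Port-80 policy for the LAN (including the badsites list) then has to live in squid, not in pf.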