Re: RES: Migration from IPTABLES to PF
Tomáš, thanks for the tip

Bill

-
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259 Australia
CRICOS Provider Number: 00109J
phone: +61 2 4349 4473
fax: +61 2 4349 4565
email: william.chiv...@newcastle.edu.au

- Tomáš Bodňár tomas.bod...@gmail.com 05/06/09 3:41 PM
[...]
Re: RES: Migration from IPTABLES to PF
On Wed, May 6, 2009 02:41, Tomáš Bodňár wrote:
I think that in the case of pf a good starting point is this site http://home.nuug.no/~peter/pf/ and then the FAQ parts

it always helps me to read https://calomel.org/ when in doubt. :)
(the new photo looks cool also =] )

matheus

[...]
RES: Migration from IPTABLES to PF
Thanks for this 'polite' reply. As I said, I spent some years away from the Unix/Linux world; I worked with business intelligence in those years. Now I am back to network administration and I got this project to do. I used OpenBSD before version 3. I do like it. This is my current scenario:

- 2 firewalls with 2 carp+pfsync that will handle 2 internet connections, 1 MPLS connection, 1 LAN to handle around 60 bus companies that transport 2 million users per day; each user has their own myfair card. Each bus has a system that stores this data in a file. These files will be imported to Oracle later. After this import, there are a lot of specific applications that use this information.
- behind these 2 firewalls we have around 30 servers (most Windows): IIS, file transfer servers, WS, and some other servers like some Red Hat Enterprise running Oracle 10g.
- at the beginning the firewalls will do NAT + filter + gateway + mpd5 + squid (the fucking operators who need access to the Windows servers were surfing the web from there).
- our applications have around 5,000 users per day, but we have a lot of web services and some ETL processes (I don't have statistics about volume yet).

So that is it.

-----Original Message-----
From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
Sent: Monday, 4 May 2009 22:46
To: Ricardo Augusto de Souza; misc@openbsd.org
Subject: Re: Migration from IPTABLES to PF

This is a great advertisement for OpenBSD, PF, and keeping things simple in general, mind if I use it Ricardo?

As for your original question, I wouldn't even try to convert your iptables, especially using some magic tool to do it. Decide what you want your firewall to do and start from scratch with PF. That way you will know it is working and you will be able to maintain it reliably.

Cheers,
Bill

- Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/05/09 3:17 AM
Hi,

I have a firewall running on Fedora Core 4 (Stentz) with iptables. The guy who installed it left our company some months ago. I spent some years away from iptables, and now I have to migrate this firewall to PF. There are some 'special' features on this firewall; I need some documentation or help with implementing these features on the new firewall (PF).

This is the iptables script:

#!/bin/bash
FW=/sbin/iptables
LOAD=/sbin/modprobe

#__
# Loading IPTABLES modules
. /etc/rc.d/init.d/prodata/fw_modulos

# Loading variables
. /etc/rc.d/init.d/prodata/fw_variaveis

if [ "$KERNEL" = sim ]
then
    . /etc/rc.d/init.d/prodata/fw_kernel
fi

#___
# Create LOG policies
#___
if [ "$LOGS" = sim ]
then
    . /etc/rc.d/init.d/prodata/fw_politicas
fi

Normal rules here

EOF

/etc/rc.d/init.d/prodata/fw_modulos

#$LOAD nfnetlink
$LOAD ip_conntrack
$LOAD ip_conntrack_ftp
#$LOAD ip_conntrack_pptp ##
#$LOAD ip_conntrack_netlink ##
#$LOAD ip_conntrack_tftp ##
#$LOAD ip_nat
$LOAD ip_nat_ftp
$LOAD ip_gre
#$LOAD ip_nat_pptp ##
#$LOAD ip_nat_tftp ##
$LOAD ip_queue ##
$LOAD ip_tables
$LOAD iptable_filter
$LOAD iptable_nat
$LOAD iptable_mangle
$LOAD ipt_helper
$LOAD ipt_LOG
$LOAD ipt_limit
$LOAD ipt_state
#$LOAD ipt_layer7 ##
$LOAD ipt_MASQUERADE
$LOAD ipt_multiport
#$LOAD ipt_string
$LOAD ipt_tcpmss
$LOAD ipt_TCPMSS
#

EOF

/etc/rc.d/init.d/prodata/fw_kernel

#___
# KERNEL protection
#___
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
if [ "$IPSEC" = sim ]
then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > "$f"
    done
else
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 2 > "$f"
    done
fi

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing (0 = do not accept source-routed packets)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects (0 = do not accept ICMP redirects)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets
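A pf.conf for the scenario Ricardo describes, written from scratch the way Bill advises rather than converted rule by rule from the iptables script. This is an added example, not configuration from anyone in the thread: interface names, gateways, prefixes and table members are assumed placeholders, and the syntax is the OpenBSD 4.7-era match/nat-to/rdr-to form (route-to syntax changed again in later releases, so check pf.conf(5) for your version).

```pf
# Assumed macros: interface names, uplink gateways and prefixes are placeholders.
ext1_if  = "em0"             # internet uplink 1
ext2_if  = "em1"             # internet uplink 2
mpls_if  = "em2"             # MPLS link to the remote sites
int_if   = "em3"             # LAN with the ~30 servers
sync_if  = "em4"             # crossover link carrying pfsync only
ext1_gw  = "203.0.113.1"
ext2_gw  = "198.51.100.1"
int_net  = "10.10.0.0/24"
mpls_net = "10.20.0.0/16"
table <webfarm> { 10.10.0.10, 10.10.0.11 }     # IIS hosts published on 80/443
table <martians> const { 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                         224.0.0.0/4, 240.0.0.0/4 }

# The fw_kernel sysctls live in /etc/sysctl.conf on OpenBSD instead:
#   net.inet.ip.forwarding=1  net.inet.carp.preempt=1  net.inet.ip.sourceroute=0
#   net.inet.icmp.bmcastecho=0 (ignore broadcast pings)  net.inet.ip.redirect=0

set skip on lo                   # the six loopback ACCEPT rules become one line
set block-policy drop            # like iptables DROP: nothing goes back to the sender
set loginterface $int_if

# Normalisation instead of ad-hoc kernel tweaks (fragments, IP ids, MSS clamping).
match in all scrub (no-df random-id max-mss 1440)

# Default deny, logged to pflog0, instead of the "-P ... ACCEPT" policies that
# let anything the chains did not catch straight through.
block log all

# Anti-spoofing, the job rp_filter did. urpf-failed is only safe on interfaces
# whose reverse route is unambiguous; on the second uplink the route back to an
# internet source points at uplink 1, so legitimate packets would fail it.
antispoof quick for { $int_if $mpls_if $ext1_if $ext2_if }
block in quick on { $ext1_if $ext2_if } from <martians> to any
block in quick on { $int_if $mpls_if } from urpf-failed

# The "Protecao contra Ataque: TCP SYN/FIN" rule; pf logs each match, and rate
# limiting of the log belongs in syslogd rather than in the ruleset.
block in log quick proto tcp flags SF/SF

# Cluster plumbing: pfsync only on the sync link, CARP wherever a VIP lives.
# Both are quick so no later rule (the route-to below) can catch them.
pass quick on $sync_if proto pfsync
pass quick on { $ext1_if $ext2_if $mpls_if $int_if } proto carp

# Source NAT out of whichever uplink the packet actually leaves on.
match out on $ext1_if inet from $int_net to any nat-to ($ext1_if)
match out on $ext2_if inet from $int_net to any nat-to ($ext2_if)

# Publish the IIS farm on both uplinks, capped per source address.
# Connections that arrive on uplink 2 must answer through uplink 2.
match in on $ext1_if inet proto tcp to ($ext1_if) port { 80 443 } rdr-to <webfarm> round-robin
match in on $ext2_if inet proto tcp to ($ext2_if) port { 80 443 } rdr-to <webfarm> round-robin
pass in on $ext1_if inet proto tcp to <webfarm> port { 80 443 } flags S/SA \
    keep state (max-src-conn 100, max-src-conn-rate 50/10)
pass in on $ext2_if inet proto tcp to <webfarm> port { 80 443 } flags S/SA \
    reply-to ($ext2_if $ext2_gw) keep state (max-src-conn 100, max-src-conn-rate 50/10)

# LAN traffic: to the firewall itself and to MPLS sites directly; everything
# else is spread over both uplinks, sticky so a client keeps one uplink
# (and therefore one NAT address) for the life of its flows.
pass in quick on $int_if inet from $int_net to self
pass in quick on $int_if inet from $int_net to $mpls_net
pass in on $int_if inet from $int_net to any \
    route-to { ($ext1_if $ext1_gw), ($ext2_if $ext2_gw) } round-robin sticky-address
pass out on { $ext1_if $ext2_if $mpls_if } inet

# Nothing is assumed about what the remote sites may initiate over MPLS;
# add explicit "pass in on $mpls_if" rules for the uploads that need it.
```

Check it with pfctl -nf /etc/pf.conf before loading it with pfctl -f; pfsync and the CARP VIPs need the sync interface and carp(4) devices configured on both nodes first.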
Re: RES: Migration from IPTABLES to PF
Hello Ricardo,

This is not a beginners' mailing list, people here expect questions to
1. be very specific, and
2. demonstrate that you have spent a lot of time trying to solve the problem yourself, reading the documentation etc.

Start with http://www.openbsd.org/faq/pf/index.html

If you still need help, there are several books on pf, for example The Book of PF (http://nostarch.com/pf.htm).

Look back through the misc mailing list to see how specific questions about pf are. When you have a specific question, the best help available is right here.

Bill

- Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/06/09 5:08 AM
[...]
Re: RES: Migration from IPTABLES to PF
I think that in the case of pf a good starting point is this site http://home.nuug.no/~peter/pf/ and then the FAQ parts

2009/5/5 William Chivers william.chiv...@newcastle.edu.au:
[...]
RES: Migration from IPTABLES to PF
Here is the full script:

#!/bin/bash
FW=/sbin/iptables
LOAD=/sbin/modprobe

#__
# Loading IPTABLES modules
. /etc/rc.d/init.d/prodata/fw_modulos

# Loading variables
. /etc/rc.d/init.d/prodata/fw_variaveis

case $1 in
stop)
    $FW -F
    $FW -X
    $FW -F -t nat
    $FW -X -t nat
    $FW -F -t mangle
    $FW -X -t mangle
    $FW -P INPUT ACCEPT
    $FW -P OUTPUT ACCEPT
    $FW -P FORWARD ACCEPT
    $FW -t nat -P POSTROUTING ACCEPT
    $FW -t nat -P PREROUTING ACCEPT
    $FW -t nat -P OUTPUT ACCEPT
    echo -e "FIREWALLSTOPED\n"
    ;;
status)
    $FW -L
    $FW -L -t nat
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
start)
    echo "FIREWALL...STARTING"
    echo

    #___
    # Enable KERNEL protection
    #___
    if [ "$KERNEL" = sim ]
    then
        . /etc/rc.d/init.d/prodata/fw_kernel
    fi

    #___
    # Default policy
    #___
    $FW -P INPUT ACCEPT
    $FW -P OUTPUT ACCEPT
    $FW -P FORWARD ACCEPT
    $FW -t nat -P POSTROUTING ACCEPT
    $FW -t nat -P PREROUTING ACCEPT
    $FW -t nat -P OUTPUT ACCEPT

    #___
    # Flush all rules
    #___
    $FW -F
    $FW -F -t nat
    $FW -X
    $FW -X -t nat

    #___
    # Create LOG policies
    #___
    if [ "$LOGS" = sim ]
    then
        . /etc/rc.d/init.d/prodata/fw_politicas
    fi

    # ___
    # LOG of all packets INPUT/OUTPUT/FORWARD/PREROUTING/POSTROUTING
    # ___
    #$FW -A INPUT -j LOG --log-level 3 --log-prefix APB_INPUT_OK
    #$FW -A OUTPUT -j LOG --log-level 3 --log-prefix APB_OUTPUT_OK
    #$FW -A FORWARD -j LOG --log-level 3 --log-prefix APB_FORWARD_OK
    #$FW -t nat -A POSTROUTING -j LOG --log-level 3 --log-prefix APB_POSTROUTING_OK
    #$FW -t nat -A PREROUTING -j LOG --log-level 3 --log-prefix APB_PREROUTING_OK
    #$FW -t nat -A OUTPUT -j LOG --log-level 3 --log-prefix APB_OUTPUT-ROUTING_OK

    #___
    # Advertise routes (everything on the intranet interface is accepted)
    #___
    $FW -I INPUT -i $INT_INTRANET -p all -j ACCEPT
    $FW -I OUTPUT -o $INT_INTRANET -p all -j ACCEPT
    $FW -I FORWARD -o $INT_INTRANET -i $INT_INTRANET -p all -j ACCEPT
    $FW -t nat -I PREROUTING -i $INT_INTRANET -p all -j ACCEPT
    $FW -t nat -I POSTROUTING -o $INT_INTRANET -p all -j ACCEPT
    $FW -t nat -I OUTPUT -o $INT_INTRANET -p all -j ACCEPT

    # ___
    # FW - Protection against attack: TCP SYN/FIN
    # ___
    $FW -A INPUT -p tcp -d $IP_INTERNET --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-level 3 --log-prefix="FW_PRODATA -- SYN_FIN packet"
    $FW -A INPUT -p tcp -d $IP_INTERNET --tcp-flags SYN,FIN SYN,FIN -j DROP

    # # # # Start of RULES # # # # #

    # ___
    # Allow the firewall's LOOPBACK
    # ___
    $FW -A INPUT -p ALL -i $INT_LOOPBACK -s $IP_LOOPBACK -j ACCEPT
    $FW -A INPUT -p ALL -i $INT_LOOPBACK -s $IP_INTERNET -j ACCEPT
    $FW -A INPUT -p ALL -i $INT_LOOPBACK -s $IP_INTRANET -j ACCEPT
    $FW -A OUTPUT -p ALL -o $INT_LOOPBACK -j ACCEPT
    $FW -t nat -A OUTPUT -p ALL -o $INT_LOOPBACK -j ACCEPT
    $FW -t nat -A POSTROUTING -p ALL -o $INT_LOOPBACK -j ACCEPT

    # ___
    # FW - Allow everything out.
    # ___
    $FW -A OUTPUT -o $INT_LOOPBACK -s $IP_LOOPBACK -j ACCEPT
    $FW -A OUTPUT -o $INT_INTRANET -s $IP_INTRANET -j ACCEPT
    $FW -A OUTPUT -o $INT_INTERNET -s $IP_INTERNET -j ACCEPT
    $FW -t nat -A OUTPUT -o $INT_LOOPBACK -s $IP_LOOPBACK -j ACCEPT
    $FW -t nat -A OUTPUT -o $INT_INTRANET -s $IP_INTRANET -j ACCEPT
    $FW -t nat -A OUTPUT -o $INT_INTERNET -s $IP_INTERNET -j ACCEPT
    $FW -t nat -A
Re: RES: Migration from IPTABLES to PF
On Mon, May 04, 2009 at 03:49:58PM -0300, Ricardo Augusto de Souza wrote:

$FW -I INPUT -i $INT_INTRANET -p all -j ACCEPT
$FW -I OUTPUT -o $INT_INTRANET -p all -j ACCEPT
$FW -I FORWARD -o $INT_INTRANET -i $INT_INTRANET -p all -j ACCEPT
$FW -t nat -I PREROUTING -i $INT_INTRANET -p all -j ACCEPT
$FW -t nat -I POSTROUTING -o $INT_INTRANET -p all -j ACCEPT
$FW -t nat -I OUTPUT -o $INT_INTRANET -p all -j ACCEPT

Ah, good... that's what I was hoping to see :)

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Mark Shroyer
Sent: Monday, 4 May 2009 15:34
To: misc@openBSD.org
Subject: Re: Migration from IPTABLES to PF

[...]

Is that actually all there is to the firewall setup? This script creates a bunch of chains for performing various actions on packets, but it doesn't actually add any rules to the filter table's special INPUT, OUTPUT, or FORWARD chains that would jump processing logic through these auxiliary chains. So unless there are some other iptables commands hidden somewhere else, the logic defined in this script will never be applied and your firewall will simply let everything through.

What is the output of `iptables -L -n` on this machine?

--
Mark Shroyer
http://markshroyer.com/contact/
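The problem Mark raises (chains that are created and filled but never jumped to from a built-in chain, so their rules never run) is easy to miss by eye in a long inherited script. The audit script below is an added example, not something posted in the thread: it reads a script in the `$FW -N` / `$FW -A ... -j` style used here and lists every user-defined chain that no jump or goto reaches from INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING. The sample rules are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an iptables rule script for dead user chains: chains created with -N
# (and usually populated with -A) that are never reached from a built-in chain,
# directly or through another reachable chain. Rules in such chains are never
# applied, which is exactly the situation described in this thread.

# Constructed sample script. Only SYN_FLOOD is reachable (INPUT jumps to it);
# PORTSCAN and BAD_FLAGS are defined and filled but nothing ever jumps to them.
SAMPLE_RULES='
# comments and blank lines are ignored
$FW -N SYN_FLOOD
$FW -N PORTSCAN
$FW -N BAD_FLAGS
$FW -A SYN_FLOOD -m limit --limit 10/s -j RETURN
$FW -A SYN_FLOOD -j DROP
$FW -A PORTSCAN -j LOG --log-prefix "PORTSCAN "
$FW -A PORTSCAN -j DROP
$FW -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$FW -A INPUT -p tcp --syn -j SYN_FLOOD
$FW -A INPUT -i lo -j ACCEPT
'

# unreferenced_chains: read a rule script on stdin, print the user chains that
# are not reachable from any built-in chain, one per line, sorted.
unreferenced_chains() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        chain = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-N") user[$(i + 1)] = 1            # chain definition
            if ($i == "-A" || $i == "-I") chain = $(i + 1) # rule lives here
            if ($i == "-j" || $i == "-g") target = $(i + 1) # jump / goto
        }
        # one edge per rule: chain -> target (targets like DROP are harmless)
        if (chain != "" && target != "") edge[chain SUBSEP target] = 1
    }
    END {
        # breadth-first walk from the built-in chains of the filter and nat tables
        n = split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING", roots, " ")
        for (i = 1; i <= n; i++) { queue[i] = roots[i]; seen[roots[i]] = 1 }
        head = 1; tail = n
        while (head <= tail) {
            cur = queue[head]; head++
            for (e in edge) {
                split(e, pair, SUBSEP)
                if (pair[1] == cur && !(pair[2] in seen)) {
                    seen[pair[2]] = 1; tail++; queue[tail] = pair[2]
                }
            }
        }
        for (c in user) if (!(c in seen)) print c
    }' | sort
}

# Demo: report the dead chains in the constructed sample (BAD_FLAGS, PORTSCAN).
printf '%s\n' "$SAMPLE_RULES" | unreferenced_chains
```

On a live box the same check can be fed the output of `iptables-save`, whose `-A chain ... -j target` lines use the same option layout.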