Re: RES: Migration from IPTABLES to PF

2009-05-06 Thread Nenhum_de_Nos
On Wed, May 6, 2009 02:41, Tomáš Bodžár wrote:
> I think that in the case of pf, this site is a good starting point:
> http://home.nuug.no/~peter/pf/ and then the FAQ parts

It always helps me to read https://calomel.org/ when in doubt. :)

(the new photo looks cool also =] )

matheus

Re: RES: Migration from IPTABLES to PF

2009-05-06 Thread William Chivers
Tomáš,

Thanks for the tip.
Bill

-
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259
Australia
CRICOS Provider Number: 00109J 

phone:   +61 2 4349 4473
fax: +61 2 4349 4565
email:  william.chiv...@newcastle.edu.au
-
>>> Tomáš Bodžár  05/06/09 3:41 PM >>>
I think that in the case of pf, this site is a good starting point:
http://home.nuug.no/~peter/pf/ and then the FAQ parts

Re: RES: Migration from IPTABLES to PF

2009-05-05 Thread Tomáš Bodžár
I think that in the case of pf, this site is a good starting point:
http://home.nuug.no/~peter/pf/ and then the FAQ parts

Re: RES: Migration from IPTABLES to PF

2009-05-05 Thread William Chivers
Hello Ricardo,

This is not a beginners' mailing list, people here expect questions to
1. be very specific, and
2. demonstrate that you have spent a lot of time trying to solve the problem 
yourself, reading the documentation etc.

Start with http://www.openbsd.org/faq/pf/index.html
If you still need help, there are several books on pf, for example "The Book of 
PF" (http://nostarch.com/pf.htm).

Look back through the misc mailing list to see how specific questions about pf 
are. When you have a specific question, the best help available is right here.

Bill

-
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259
Australia
CRICOS Provider Number: 00109J 

phone:   +61 2 4349 4473
fax: +61 2 4349 4565
email:  william.chiv...@newcastle.edu.au
-
>>> Ricardo Augusto de Souza  05/06/09 5:08 AM >>>
Thanks for this 'polite' reply.
As I said, I spent some years away from the Unix/Linux world;
I worked with business intelligence during these years.
Now I am back to network administration and I got this project to do.
I used OpenBSD before version 3. I do like it.

This is my current scenario.
- 2 firewalls with 2 carp+pfsync that will handle 2 internet connections, 1
mpls connection, 1 lan to handle around 60 bus companies that transport 2
million users per day; each user has their own myfair card. Each bus has a
system that stores this data in a file. These files will be imported to Oracle
later. After this import, there are a lot of specific applications that use
this information.
- behind these 2 firewalls we have around 30 servers (most Windows): iis,
file transfer servers, ws, and some other servers like some Red Hat Enterprise
running Oracle 10g.
- at the beginning the firewalls will do NAT + filter + gateway + mpd5 + squid
(the fucking operators who need access to the Windows servers were surfing the
web from there.)
- our applications have around 5,000 users per day, but we have a lot of web
services and some etl processes (I don't have statistics about volume yet)

So that is it.


-Original Message-
From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
Sent: Monday, May 4, 2009 22:46
To: Ricardo Augusto de Souza; misc@openbsd.org
Subject: Re: Migration from IPTABLES to PF

This is a great advertisement for OpenBSD, PF, and keeping things simple in
general, mind if I use it Ricardo?

As for your original question, I wouldn't even try to convert your iptables,
especially using some magic tool to do it. Decide what you want your firewall
to do and start from scratch with PF. That way you will know it is working and
you will be able to maintain it reliably.

Cheers, Bill


>>> Ricardo Augusto de Souza  05/05/09 3:17 AM >>>
Hi,

I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
who installed it left our company some months ago.
I spent some years far from iptables; now I have to migrate this firewall to
PF.
There are some 'special' features on this firewall, and I need some
documentation
or help about implementing these features on the new firewall (PF).

These are the iptables scripts:

#!/bin/bash
FW=/sbin/iptables
LOAD=/sbin/modprobe
#__

# Load the IPTABLES modules
. /etc/rc.d/init.d/prodata/fw_modulos

# Load the variables
. /etc/rc.d/init.d/prodata/fw_variaveis

# Variables are quoted so that an unset value does not break the test
if [ "$KERNEL" = "sim" ]
   then . /etc/rc.d/init.d/prodata/fw_kernel
fi

#___
# Create the LOG policies
#___

if [ "$LOGS" = "sim" ]
   then . /etc/rc.d/init.d/prodata/fw_politicas
fi

Normal rules here
 EOF



/etc/rc.d/init.d/prodata/fw_modulos
#$LOAD nfnetlink

$LOAD ip_conntrack
$LOAD ip_conntrack_ftp
#$LOAD ip_conntrack_pptp ##
#$LOAD ip_conntrack_netlink ##
#$LOAD ip_conntrack_tftp ##

#$LOAD ip_nat
$LOAD ip_nat_ftp
$LOAD ip_gre
#$LOAD ip_nat_pptp ##
#$LOAD ip_nat_tftp ##
$LOAD ip_queue ##
$LOAD ip_tables

$LOAD iptable_filter
$LOAD iptable_nat
$LOAD iptable_mangle

$LOAD ipt_helper
$LOAD ipt_LOG
$LOAD ipt_limit
$LOAD ipt_state
#$LOAD ipt_layer7 ##
$LOAD ipt_MASQUERADE
$LOAD ipt_multiport
#$LOAD ipt_string
$LOAD ipt_tcpmss
$LOAD ipt_TCPMSS

Re: RES: Migration from IPTABLES to PF

2009-05-04 Thread Mark Shroyer
On Mon, May 04, 2009 at 03:49:58PM -0300, Ricardo Augusto de Souza wrote:
> $FW -I INPUT -i $INT_INTRANET -p all -j ACCEPT
> $FW -I OUTPUT -o $INT_INTRANET -p all -j ACCEPT
> $FW -I FORWARD -o $INT_INTRANET -i $INT_INTRANET -p all -j ACCEPT
> $FW -t nat -I PREROUTING -i $INT_INTRANET -p all -j ACCEPT
> $FW -t nat -I POSTROUTING -o $INT_INTRANET -p all -j ACCEPT
> $FW -t nat -I OUTPUT -o $INT_INTRANET -p all -j ACCEPT

Ah, good...  that's what I was hoping to see :)

> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Mark
> Shroyer
> Sent: Monday, May 4, 2009 15:34
> To: misc@openBSD.org
> Subject: Re: Migration from IPTABLES to PF
> 
> [...]
>
> Is that actually all there is to the firewall setup?
> 
> This script creates a bunch of chains for performing various actions on
> packets, but it doesn't actually add any rules to the filter table's
> special INPUT, OUTPUT, or FORWARD chains that would jump processing
> logic through these auxiliary chains.  So unless there are some other
> iptables commands hidden somewhere else, the logic defined in this
> script will never be applied and your "firewall" will simply let
> everything through.
> 
> What is the output of `iptables -L -n` on this machine?

-- 
Mark Shroyer
http://markshroyer.com/contact/
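As an added example (not code from the thread or from either firewall), here is the check Mark does by eye, done mechanically: it parses iptables commands written in the posted `$FW ...` style and reports every user-defined chain that no built-in chain ever jumps to, so the rules inside it never run. The sample script is constructed in the style of the one Ricardo posted; `$INT_INTRANET` is the only name taken from his rules.

```python
import shlex
from collections import defaultdict

# Only rules reachable from these built-in chains are ever evaluated.
BUILTIN = {"filter": {"INPUT", "OUTPUT", "FORWARD"},
           "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"}}

# Constructed sample in the style of the posted script (not the list's script):
# chains are built and filled, but only the intranet ACCEPT rules touch built-ins.
SAMPLE_SCRIPT = """
FW=/sbin/iptables
$FW -N LOGDROP
$FW -A LOGDROP -j LOG --log-prefix "fw-drop: "
$FW -A LOGDROP -j DROP
$FW -N INTRANET_FILTER
$FW -A INTRANET_FILTER -p tcp --dport 22 -j ACCEPT
$FW -A INTRANET_FILTER -j LOGDROP
$FW -t nat -N PPTP_NAT
$FW -t nat -A PPTP_NAT -j MASQUERADE
$FW -I FORWARD -o $INT_INTRANET -i $INT_INTRANET -p all -j ACCEPT
$FW -t nat -I POSTROUTING -o $INT_INTRANET -p all -j ACCEPT
"""
# The single jump from a built-in chain that would make INTRANET_FILTER live.
FIXED_SCRIPT = SAMPLE_SCRIPT + "$FW -A FORWARD -j INTRANET_FILTER\n"

def parse_rules(script):
    """Return {table: (user_chains, {chain: set(jump_targets)})}."""
    tables = defaultdict(lambda: (set(), defaultdict(set)))
    for raw in script.splitlines():
        argv = shlex.split(raw, comments=True)
        # Skip blanks, shell assignments and lines that are not iptables calls.
        if not argv or "=" in argv[0] or not argv[0].endswith(("$FW", "iptables")):
            continue
        table, chain, target = "filter", None, None
        for tok, nxt in zip(argv, argv[1:] + [None]):
            if tok == "-t":
                table = nxt
            elif tok == "-N":
                tables[table][0].add(nxt)
            elif tok in ("-A", "-I"):
                chain = nxt
            elif tok == "-j":
                target = nxt
        if chain and target:
            tables[table][1][chain].add(target)
    return tables

def unreachable_chains(tables):
    """Per table: user chains never reached by -j from a built-in chain."""
    report = {}
    for table, (chains, edges) in tables.items():
        seen = set(BUILTIN.get(table, ()))
        stack = list(seen)
        while stack:  # depth-first walk along -j edges into user chains
            new = (edges.get(stack.pop(), set()) & chains) - seen
            seen |= new
            stack.extend(new)
        report[table] = sorted(chains - seen)
    return report
```

`unreachable_chains(parse_rules(SAMPLE_SCRIPT))` returns `{'filter': ['INTRANET_FILTER', 'LOGDROP'], 'nat': ['PPTP_NAT']}`, i.e. none of the filtering logic is wired in; with `FIXED_SCRIPT` the filter list is empty because the one added `-j` from FORWARD makes both chains reachable.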