Re: [obsdfr-misc] pf rules
Yes, as for the \ it is just a copy/paste problem; in my config everything
is on a single line.
It is true that this config is complex, but I deliberately broke everything
down, hoping to be able to simplify it later.
In fact, what is hard to understand is that all the internal interfaces
talk to each other without any problem, but as soon as I try to open a
connection to the outside it blocks.
Another point: with the ftp proxy I do manage to make contact with a
server (with a disconnection at the moment it switches to passive mode),
which pointed me towards a NAT issue, but there again I found nothing. I
had thought of a loopback problem on the gateway, but there too the
investigation turned up nothing.
If anyone has a good pointer on analysing tcpdump traces with a view to
debugging pf, I would be grateful.
PS: I am attaching the complete file with the isakmpd config for the wifi etc.
Thanks for your insights
On Friday 25 March 2005 at 10:33 +0100, philafil AT free POINT fr wrote:
> Hello,
>
> Quoting Vincent Heurteaux <v POINT heurteaux AT wanadoo.fr>:
>
> [...]
>
> > I think I am missing a few pass rules between the external interface
> > and the internal ones; I tried, without success, rules of the type:
> >
> > pass in on $int_if inet proto tcp from $lan_local to $ext_if port
> > $tcp_lanlocal_vers_passerelle flags S/SA modulate state
>
> Isn't the "\" missing at the end of the 1st line (above)?
> Otherwise, your pf.conf is complex; I will try to find it, I installed a
> machine yesterday ... (at first sight, there are several rules I do not
> understand)
>
> Philippe
#########################################################################################
#                                                                                       #
#   PF filtering rules                                                                  #
#                                                                                       #
#   laser                                                                               #
#                                                                                       #
#   24/03/2005                                                                          #
#                                                                                       #
#########################################################################################
ext_if="sis0"
dmz_if="sis1"
int_if="sis2"
wi_if="wi0"
enc_if="enc0"
lan_dmz="{ 192.168.10.0/24 }"
lan_local="{ 192.168.20.0/24 }"
lan_wifi="{ 192.168.30.0/24 }"
#table <local_nets> { 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 }
# declaration of the table referencing all the IP addresses assigned to
# the firewall
#table <firewall> const { self }
############################################
# Antispam                                 #
############################################
#table <spamd> persist
#table <spamd-white> persist
#########################################################################################
#   Flow declarations                                                                   #
#########################################################################################
############################################
# tcp                                      #
############################################
# P2P = 1214:FastTrack   1412:DirectConnect #
#       2234:SoulSeek    4662:eDonkey2000   #
#       4663:Overnet     6347:Gnutella2     #
#       6699:OpenNap     6881:BitTorrent    #
#       5999:cvsup                          #
############################################
tcp_internet_vers_passerelle="{ ssh, www, smtp, domain }"
tcp_passerelle_vers_internet="{ ssh, www, https, smtp, ntp, pop3, rsync, nntp, domain, 8080, 5999 }"
tcp_passerelle_vers_landmz="{ ssh, smtp }"
tcp_passerelle_vers_lanlocal="{ ssh }"
tcp_passerelle_vers_lanwifi="{ ssh }"
tcp_landmz_vers_passerelle="{ ssh, smtp, http, ntp, ftp, domain, 5999 }"
tcp_landmz_vers_lanlocal="{ ssh }"
tcp_landmz_vers_lanwifi="{ ssh }"
tcp_lanlocal_vers_passerelle="{ ssh, http, https, ntp, pop3, rsync, nntp, domain, 8080 }"
tcp_lanlocal_vers_landmz="{ ssh, smtp, pop3 }"
tcp_lanlocal_vers_lanwifi="{ ssh }"
tcp_lanwifi_vers_passerelle="{ ssh, http, https, smtp, ntp, pop3, nntp, domain, 5999 }"
tcp_lanwifi_vers_landmz="{ ssh, smtp, pop3 }"
tcp_lanwifi_vers_lanlocal="{ ssh }"
############################################
# udp                                      #
############################################
# P2P = 4663:Overnet     1412:DirectConnect #
#       4672:eDonkey     6347:Gnutella2     #
############################################
udp_internet_vers_passerelle="{ domain }"
udp_passerelle_vers_internet="{ domain, ntp }"
udp_passerelle_vers_landmz="{ }"
udp_passerelle_vers_lanlocal="{ }"
udp_passerelle_vers_lanwifi="{ isakmp }"
udp_landmz_vers_passerelle="{ domain, ntp }"
udp_landmz_vers_lanlocal="{ }"
udp_landmz_vers_lanwifi="{ }"
udp_lanlocal_vers_passerelle="{ domain, ntp }"
udp_lanlocal_vers_landmz="{ }"
udp_lanlocal_vers_lanwifi="{ }"
udp_lanwifi_vers_passerelle="{ isakmp }"
udp_lanwifi_vers_landmz="{ }"
udp_lanwifi_vers_lanlocal="{ }"
############################################
# Options                                  #
############################################
set optimization aggressive
set block-policy return
set loginterface $ext_if
############################################
# Reassemble fragments                     #
############################################
scrub in all
#########################################################################################
#                                                                                       #
#   Traffic shaping                                                                     #
#                                                                                       #
#########################################################################################
# AltQ rules
# altq on ext_if cbq 5633Kb
#########################################################################################
#                                                                                       #
#   NAT                                                                                 #
#                                                                                       #
#########################################################################################
# NAT between the external and the internal interfaces
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# Redirect ftp traffic to the transparent FTP proxy
rdr pass on $int_if proto tcp from $lan_local to any port ftp -> 127.0.0.1 port 8021
rdr pass on $dmz_if proto tcp from $lan_dmz to any port ftp -> 127.0.0.1 port 8021
rdr pass on $wi_if proto tcp from $lan_wifi to any port ftp -> 127.0.0.1 port 8021
# Redirect smtp traffic to the spamd daemon
#rdr pass on $ext_if proto tcp from <spamd> to port smtp -> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp -> 127.0.0.1 port spamd
#########################################################################################
#                                                                                       #
#   Authpf                                                                              #
#                                                                                       #
#########################################################################################
# nat-anchor authpf
# rdr-anchor authpf
# binat-anchor authpf
#########################################################################################
#                                                                                       #
#   Filtering                                                                           #
#                                                                                       #
#########################################################################################
# Block all interfaces by default
block return log
# Block non-routable IP addresses to prevent spoofing
antispoof log quick for $ext_if inet
# Open up the loopback address
#pass on lo0 all
pass out quick on lo0 all keep state
pass in quick on lo0 all keep state
#########################################
#                                       #
#   Special cases                       #
#                                       #
#########################################
# Active FTP: allow a reply from the contacted ftp server, on the specified port range,
# to the ftp proxy
#pass in on $ext_if inet proto tcp from any port ftp-data to $ext_if port 55000><57000 user proxy flags S/SA keep state
#pass out on $ext_if inet proto tcp from $ext_if to any port ftp-data flags S/AUPRFS modulate state
# Passive FTP: allow outgoing traffic to the ftp port (21) and the opening of a port >1024
# to contact the remote ftp server
pass out on $ext_if inet proto tcp from $ext_if to any port ftp flags S/SA modulate state
pass out on $ext_if inet proto tcp from $ext_if to any port 55000><57000 flags S/SA modulate state
#########################################
#                                       #
#   Incoming traffic from the Internet  #
#                                       #
#########################################
# Requests to services running on the gateway
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_internet_vers_passerelle flags S/SA modulate state
pass in on $ext_if inet proto udp from any to $ext_if port $udp_internet_vers_passerelle keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type {echorep, echoreq, timex, unreach }
#########################################
#                                       #
#   Outgoing traffic to the Internet    #
#                                       #
#########################################
# From the gateway
pass out on $ext_if inet proto tcp from $ext_if to any port $tcp_passerelle_vers_internet flags S/SA modulate state
pass out on $ext_if inet proto udp from $ext_if to any port $udp_passerelle_vers_internet keep state
pass out on $ext_if inet proto icmp from any to any
#########################################
#                                       #
#   Internal/external traffic           #
#                                       #
#########################################
# lan_dmz <-> gateway
# Internal interface
pass in on $dmz_if inet proto tcp from $lan_dmz to $ext_if port $tcp_landmz_vers_passerelle flags S/SA modulate state
pass in on $dmz_if inet proto udp from $lan_dmz to $ext_if port $udp_landmz_vers_passerelle keep state
pass in on $dmz_if inet proto icmp from $lan_dmz to $ext_if
pass out on $dmz_if inet proto tcp from $ext_if to $lan_dmz port $tcp_passerelle_vers_landmz flags S/SA modulate state
#pass out on $dmz_if inet proto udp from $ext_if to $lan_dmz port $udp_passerelle_vers_landmz keep state
pass out on $dmz_if inet proto icmp from $ext_if to $lan_dmz
# External interface
pass in on $ext_if inet proto tcp from any to $lan_dmz port $tcp_passerelle_vers_landmz flags S/SA modulate state
#pass in on $ext_if inet proto udp from any to $lan_dmz port $udp_passerelle_vers_landmz keep state
pass in on $ext_if inet proto icmp from any to $lan_dmz
pass out on $ext_if inet proto tcp from $lan_dmz to any port $tcp_landmz_vers_passerelle flags S/SA modulate state
pass out on $ext_if inet proto udp from $lan_dmz to any port $udp_landmz_vers_passerelle keep state
pass out on $ext_if inet proto icmp from $lan_dmz to any
# lan_local <-> gateway
# Internal interface
pass in on $int_if inet proto tcp from $lan_local to $ext_if port $tcp_lanlocal_vers_passerelle flags S/SA modulate state
pass in on $int_if inet proto udp from $lan_local to $ext_if port $udp_lanlocal_vers_passerelle keep state
pass in on $int_if inet proto icmp from $lan_local to $ext_if
pass out on $int_if inet proto tcp from $ext_if to $lan_local port $tcp_passerelle_vers_lanlocal flags S/SA modulate state
#pass out on $int_if inet proto udp from $ext_if to $lan_local port $udp_passerelle_vers_lanlocal keep state
pass out on $int_if inet proto icmp from $ext_if to $lan_local
# External interface
pass in on $ext_if inet proto tcp from any to $lan_local port $tcp_passerelle_vers_lanlocal flags S/SA modulate state
#pass in on $ext_if inet proto udp from any to $lan_local port $udp_passerelle_vers_lanlocal keep state
pass in on $ext_if inet proto icmp from any to $lan_local
pass out on $ext_if inet proto tcp from $lan_local to any port $tcp_lanlocal_vers_passerelle flags S/SA modulate state
pass out on $ext_if inet proto udp from $lan_local to any port $udp_lanlocal_vers_passerelle keep state
pass out on $ext_if inet proto icmp from $lan_local to any
# lan_wifi vpn <-> gateway
# Internal interface
pass in on $wi_if inet proto esp from $lan_wifi to $ext_if keep state
pass in on $enc_if inet proto tcp from $lan_wifi to $ext_if port $tcp_lanwifi_vers_passerelle flags S/SA modulate state
pass in on $enc_if inet proto udp from $lan_wifi to $ext_if port $udp_lanwifi_vers_passerelle keep state
pass in on $enc_if inet proto icmp from $lan_wifi to $ext_if
pass out on $wi_if inet proto esp from $ext_if to $lan_wifi keep state
pass out on $enc_if inet proto tcp from $ext_if to $lan_wifi port $tcp_passerelle_vers_lanwifi flags S/SA modulate state
pass out on $enc_if inet proto udp from $ext_if to $lan_wifi port $udp_passerelle_vers_lanwifi keep state
pass out on $enc_if inet proto icmp from $ext_if to $lan_wifi
# External interface
pass in on $ext_if inet proto tcp from any to $lan_wifi port $tcp_passerelle_vers_lanwifi flags S/SA modulate state
pass in on $ext_if inet proto udp from any to $lan_wifi port $udp_passerelle_vers_lanwifi keep state
pass in on $ext_if inet proto icmp from any to $lan_wifi
pass out on $ext_if inet proto tcp from $lan_wifi to any port $tcp_lanwifi_vers_passerelle flags S/SA modulate state
pass out on $ext_if inet proto udp from $lan_wifi to any port $udp_lanwifi_vers_passerelle keep state
pass out on $ext_if inet proto icmp from $lan_wifi to any
#########################################
#                                       #
#   Internal traffic                    #
#                                       #
#########################################
# lan_dmz to lan_local
pass in on $dmz_if inet proto tcp from $lan_dmz to $lan_local port $tcp_landmz_vers_lanlocal flags S/SA modulate state
#pass in on $dmz_if inet proto udp from $lan_dmz to $lan_local port $udp_landmz_vers_lanlocal keep state
pass out on $dmz_if inet proto tcp from $lan_local to $lan_dmz port $tcp_lanlocal_vers_landmz flags S/SA modulate state
#pass out on $dmz_if inet proto udp from $lan_local to $lan_dmz port $udp_lanlocal_vers_landmz keep state
# lan_dmz to lan_wifi
pass in on $dmz_if inet proto tcp from $lan_dmz to $lan_wifi port $tcp_landmz_vers_lanwifi flags S/SA modulate state
#pass in on $dmz_if inet proto udp from $lan_dmz to $lan_wifi port $udp_landmz_vers_lanwifi keep state
pass out on $dmz_if inet proto tcp from $lan_wifi to $lan_dmz port $tcp_lanwifi_vers_landmz flags S/SA modulate state
#pass out on $dmz_if inet proto udp from $lan_wifi to $lan_dmz port $udp_lanwifi_vers_landmz keep state
# lan_local to gateway
pass in on $int_if inet proto tcp from $lan_local to $int_if port $tcp_lanlocal_vers_passerelle flags S/SA modulate state
pass in on $int_if inet proto udp from $lan_local to $int_if port $udp_lanlocal_vers_passerelle keep state
pass out on $int_if inet proto tcp from $int_if to $lan_local port $tcp_passerelle_vers_lanlocal flags S/SA modulate state
#pass out on $int_if inet proto udp from $int_if to $lan_local port $udp_passerelle_vers_lanlocal keep state
# lan_local to lan_dmz
pass in on $int_if inet proto tcp from $lan_local to $lan_dmz port $tcp_lanlocal_vers_landmz flags S/SA modulate state
#pass in on $int_if inet proto udp from $lan_local to $lan_dmz port $udp_lanlocal_vers_landmz keep state
pass out on $int_if inet proto tcp from $lan_dmz to $lan_local port $tcp_landmz_vers_lanlocal flags S/SA modulate state
#pass out on $int_if inet proto udp from $lan_dmz to $lan_local port $udp_landmz_vers_lanlocal keep state
# lan_local to lan_wifi
pass in on $int_if inet proto tcp from $lan_local to $lan_wifi port $tcp_lanlocal_vers_lanwifi flags S/SA modulate state
#pass in on $int_if inet proto udp from $lan_local to $lan_wifi port $udp_lanlocal_vers_lanwifi keep state
pass out on $int_if inet proto tcp from $lan_wifi to $lan_local port $tcp_lanwifi_vers_lanlocal flags S/SA modulate state
#pass out on $int_if inet proto udp from $lan_wifi to $lan_local port $udp_lanwifi_vers_lanlocal keep state
# lan_wifi to gateway via ipsec
pass in on $wi_if inet proto esp from $lan_wifi to $wi_if keep state
pass in on $enc_if inet proto tcp from $lan_wifi to $wi_if port $tcp_lanwifi_vers_passerelle flags S/SA modulate state
pass in on $enc_if inet proto udp from $lan_wifi to $wi_if port $udp_lanwifi_vers_passerelle keep state
pass out on $wi_if inet proto esp from $wi_if to $lan_wifi keep state
pass out on $enc_if inet proto tcp from $wi_if to $lan_wifi port $tcp_passerelle_vers_lanwifi flags S/SA modulate state
pass out on $enc_if inet proto udp from $wi_if to $lan_wifi port $udp_passerelle_vers_lanwifi keep state
# lan_wifi to lan_dmz via ipsec
pass in on $wi_if inet proto esp from $lan_wifi to $lan_dmz keep state
pass in on $enc_if inet proto tcp from $lan_wifi to $lan_dmz port $tcp_lanwifi_vers_landmz flags S/SA modulate state
#pass in on $enc_if inet proto udp from $lan_wifi to $lan_dmz port $udp_lanwifi_vers_landmz keep state
pass out on $wi_if inet proto esp from $wi_if to $lan_dmz keep state
pass out on $enc_if inet proto tcp from $lan_dmz to $lan_wifi port $tcp_landmz_vers_lanwifi flags S/SA modulate state
#pass out on $enc_if inet proto udp from $lan_dmz to $lan_wifi port $udp_landmz_vers_lanwifi keep state
# lan_wifi to lan_local via ipsec
pass in on $wi_if inet proto esp from $lan_wifi to $lan_local keep state
pass in on $enc_if inet proto tcp from $lan_wifi to $lan_local port $tcp_lanwifi_vers_lanlocal flags S/SA modulate state
#pass in on $enc_if inet proto udp from $lan_wifi to $lan_local port $udp_lanwifi_vers_lanlocal keep state
pass out on $wi_if inet proto esp from $wi_if to $lan_local keep state
pass out on $enc_if inet proto tcp from $lan_local to $lan_wifi port $tcp_lanlocal_vers_lanwifi flags S/SA modulate state
#pass out on $enc_if inet proto udp from $lan_local to $lan_wifi port $udp_lanlocal_vers_lanwifi keep state
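The question above asks for a way to read tcpdump output when debugging pf. With `block return log` in place, every packet that falls through to the default block is written to the pflog interface, and `tcpdump -n -e -ttt -i pflog0` prints one line per packet naming the rule, direction and interface that dropped it. The following added example (written for this thread, not code from the original poster) parses such lines and answers the two questions that matter for the symptom described: which interface is dropping LAN-to-outside traffic, and whether packets leaving the external interface still carry a private source, which means the nat rule did not match because pf translates before it filters. The sample lines are constructed in the tcpdump format of that OpenBSD era; the three internal nets are taken from the posted pf.conf, and the addresses, ports and timestamps are made up.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of what `tcpdump -n -e -ttt -i pflog0` prints when
# `block ... log` rules fire; addresses, ports and timestamps are made up.
SAMPLE_PFLOG = """\
Mar 25 10:40:01.101010 rule 0/(match) block in on sis2: 192.168.20.5.1025 > 80.12.34.56.80: S 1000:1000(0) win 65535 <mss 1460> (DF)
Mar 25 10:40:01.202020 rule 0/(match) block in on sis2: 192.168.20.5.1026 > 80.12.34.56.443: S 1001:1001(0) win 65535 <mss 1460> (DF)
Mar 25 10:40:02.303030 rule 0/(match) block out on sis0: 192.168.20.5.1027 > 80.12.34.56.21: S 1002:1002(0) win 65535 <mss 1460> (DF)
Mar 25 10:40:03.404040 rule 0/(match) block in on sis0: 203.0.113.9.3456 > 192.0.2.1.22: S 1003:1003(0) win 5840 <mss 1460> (DF)
Mar 25 10:40:04.505050 rule 0/(match) block in on sis1: 192.168.10.2.514 > 192.168.20.5.514: udp 40
"""

# The internal nets from the posted ruleset (lan_dmz, lan_local, lan_wifi).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\S+ (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def split_endpoint(ep):
    """'192.168.20.5.1025' -> ('192.168.20.5', 1025); a bare address gets port None."""
    host, sep, port = ep.rpartition(".")
    if sep and port.isdigit() and host.count(".") == 3:
        return host, int(port)
    return ep, None


def parse_pflog(text):
    """Turn pflog tcpdump lines into dicts; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["src"], rec["sport"] = split_endpoint(rec["src"])
        rec["dst"], rec["dport"] = split_endpoint(rec["dst"])
        rest = rec.pop("rest")
        # tcpdump names udp and icmp explicitly; a leading TCP flag string means tcp
        rec["proto"] = ("udp" if rest.startswith("udp")
                        else "icmp" if rest.startswith("icmp") else "tcp")
        records.append(rec)
    return records


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def count_by_rule(records):
    """Which rule, direction and interface is doing the blocking: look here first."""
    return Counter((r["rule"], r["action"], r["dir"], r["iface"]) for r in records)


def blocked_lan_to_outside(records):
    """Blocked packets whose source is an internal net and whose destination is not."""
    return [r for r in records
            if r["action"] == "block" and is_local(r["src"]) and not is_local(r["dst"])]


def untranslated_on(records, ext_if):
    """Outbound packets on the external interface still carrying a private source.
    pf applies nat before the filter, so these show the nat rule did not match."""
    return [r for r in records
            if r["dir"] == "out" and r["iface"] == ext_if and is_local(r["src"])]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for key, n in count_by_rule(recs).most_common():
        print(n, key)
    for r in blocked_lan_to_outside(recs):
        print("LAN -> outside blocked on", r["iface"], r["src"], "->", r["dst"], r["dport"], r["proto"])
    for r in untranslated_on(recs, "sis0"):
        print("left sis0 without NAT:", r["src"], "->", r["dst"])
```

On a live gateway the input would be the output of `tcpdump -n -e -ttt -i pflog0` (or `tcpdump -n -e -ttt -r /var/log/pflog` for the stored log) rather than the embedded sample. A packet from the LAN blocked `in on sis2` points at the inbound rule on the internal interface; one blocked `out on sis0` with a 192.168.x.x source points at the nat rule rather than at the filter.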
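The ruleset attached above encodes each allowed flow in a macro named `proto_source_vers_destination` and then references that macro from a `pass` rule whose `from`/`to` endpoints are supposed to match the macro's name. With this many near-identical lines, a copy/paste that leaves a macro attached to the wrong net is easy to make and hard to spot by eye. The following added example (mine, not part of the original mail) is a small lint that parses rules of that shape and reports every rule whose protocol, source or destination disagrees with the macro it uses. The mapping from `$lan_local`, `$ext_if` and so on to the short names in the macros is an assumption drawn from how the posted file uses them; `any` is treated as a wildcard. The sample rules are constructed in the same scheme and include one destination mismatch and one protocol mismatch.

```python
import re

RULE_RE = re.compile(
    r"^pass\s+(?P<dir>in|out)\s+on\s+\$(?P<iface>\w+)\s+inet\s+proto\s+(?P<proto>tcp|udp)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+port\s+\$(?P<macro>\w+)"
)
MACRO_RE = re.compile(r"^(?P<proto>tcp|udp)_(?P<src>\w+?)_vers_(?P<dst>\w+)$")

# Assumed mapping from the endpoint macros of the posted ruleset to the short
# names used inside the flow macros; addresses of the gateway itself are "passerelle".
ENDPOINT_NAMES = {
    "$lan_local": "lanlocal",
    "$lan_dmz": "landmz",
    "$lan_wifi": "lanwifi",
    "$ext_if": "passerelle",
    "$int_if": "passerelle",
    "$dmz_if": "passerelle",
    "$wi_if": "passerelle",
    "$enc_if": "passerelle",
}

# Constructed sample in the scheme of the posted pf.conf: rule 4 points the
# lanwifi macro at $lan_local, rule 5 uses a udp macro on a tcp rule.
SAMPLE_RULES = """\
pass in on $int_if inet proto tcp from $lan_local to $ext_if port $tcp_lanlocal_vers_passerelle flags S/SA modulate state
pass in on $int_if inet proto udp from $lan_local to $ext_if port $udp_lanlocal_vers_passerelle keep state
pass out on $ext_if inet proto tcp from $lan_local to any port $tcp_lanlocal_vers_passerelle flags S/SA modulate state
pass in on $ext_if inet proto udp from any to $lan_local port $udp_passerelle_vers_lanwifi keep state
pass out on $enc_if inet proto tcp from $ext_if to $lan_wifi port $udp_passerelle_vers_lanwifi flags S/SA modulate state
#pass in on $dmz_if inet proto udp from $lan_dmz to $lan_local port $udp_landmz_vers_lanlocal keep state
"""


def endpoint_name(token):
    """Short name for an endpoint, None for the wildcard 'any', '?' if unknown."""
    if token == "any":
        return None
    return ENDPOINT_NAMES.get(token, "?")


def lint(text):
    """Return (line number, message) for every rule that disagrees with its macro."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue  # icmp/esp rules and anything else without a flow macro
        macro = MACRO_RE.match(rule["macro"])
        if not macro:
            findings.append((lineno, f"macro ${rule['macro']} does not follow proto_src_vers_dst"))
            continue
        if macro["proto"] != rule["proto"]:
            findings.append((lineno, f"proto {rule['proto']} but macro is for {macro['proto']}"))
        for side in ("src", "dst"):
            name = endpoint_name(rule[side])
            if name is None:
                continue
            if name == "?":
                findings.append((lineno, f"unknown endpoint {rule[side]}"))
            elif name != macro[side]:
                findings.append((lineno, f"{side} {rule[side]} but macro says {macro[side]}"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_RULES):
        print(f"line {lineno}: {msg}")
```

To run it over a real file, replace `SAMPLE_RULES` with the contents of `/etc/pf.conf`; the lint only understands rules written in the macro scheme of the posted file and silently skips the rest, so a clean report means the macros agree with their rules, not that the policy is right. Checking the macro consistency first narrows what remains to be read in the pflog output.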