Encrypted NAT or Squid OPENVPN, additional information

Pentium pentium.konference at seznam.cz
Sun Mar 12 21:20:35 CET 2006


I apologize for the incomplete information and thank you for your time.

For now the goal is to redirect all traffic from the internal networks rl0 and rl1 to the VPN.
The second goal is to redirect only the transparent proxy to the VPN.


Oh, and by the way:
tcpdump -i tap0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 96 bytes
21:03:22.935321 arp who-has 10.0.0.1 tell 10.0.0.2
21:03:22.937546 arp reply 10.0.0.1 is-at 00:bd:e3:bd:00:00
21:03:22.984948 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 0
21:03:23.932486 IP 10.0.0.2 > 10.0.0.1: icmp 64: echo request seq 1

So it works: it reaches that machine through the tunnel, only the ping reply
doesn't show up.
Now I just don't know how to get transparent squid working through this tunnel.

This is how my pf.conf is put together (it's not entirely perfect); if anyone can
fix it up a bit in their spare time, I'd be grateful ...

#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.

# Macros: define common values, so they can be referenced and changed
# easily.
ext_if="wi0"	# replace with actual external interface name i.e., rl0
int_if="rl0"	# replace with actual internal interface name i.e., dc1
int_if2="rl1"	# replace with actual internal interface name i.e., dc1
int_if3="tap0"    # VPN tunnel
internal_net="192.168.1.0/24"
#external_addr="192.168.144.17"
external_addr="10.102.41.17"
external_vpn="10.0.0.1"
# For games
#Ext = "wi0"            # Device the Internet is connected to
GameIP = "192.168.1.1" # IP address of the DirectPlay client
IntNet = "192.168.1.0/24"      # Address range of the internal network
#InDirectPlayTCP = "{ 2299><2401, 6073, 47624 }"
#InDirectPlayUDP = "{ 2299><2401, 9110 }"
InDirectPlayTCP = "{ 2299><2901, 6073, 47624 }"
InDirectPlayUDP = "{ 2299><2901, 9110 }"

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

table <trusted_hosts> { }
table <spoofed> { 127.0.0.1/8, !192.168.1.0/24, 192.168.0.0/16, 172.16.0.0/12, 224.0.0.0/3, 10.0.0.0/8 }
table <blacklist> { }

icmp_types = "echoreq"
blocked_ports="{ 135, 137 >< 139, 445 }"

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic
# ambiguities.
scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%


# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.

#nat on $ext_if from $internal_net to any -> ($ext_if)

nat on $ext_if from 192.168.1.1 to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

###############################
#### Redirect  ################
###############################
# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.1 port 80
    
rdr on $ext_if proto tcp from !$IntNet to any port 2300:2400 -> $GameIP port 2300:*
rdr on $ext_if proto tcp from !$IntNet to any port 47624 -> $GameIP port 47624
rdr on $ext_if proto tcp from !$IntNet to any port 6073 -> $GameIP port 6073
rdr on $ext_if proto udp from !$IntNet to any port 2300:2400 -> $GameIP port 2300:*
rdr on $ext_if proto udp from !$IntNet to any port 9110 -> $GameIP port 9110
rdr on $ext_if proto udp from !$IntNet to any port 47624 -> $GameIP port 47624

# Allow RDP
rdr on $ext_if proto tcp from any to any port 3389 -> 192.168.1.1 port 3389

# Allow VNC
rdr on $ext_if proto tcp from any to any port 5900 -> 192.168.1.1 port 5900
rdr on $ext_if proto tcp from any to any port 5800 -> 192.168.1.1 port 5800

# Allow statistics
rdr on $int_if inet proto tcp from 192.168.1.1 to 192.168.144.129 port 80 -> 192.168.144.129 port 80

# Transparent Proxy
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
rdr on $int_if2 inet proto tcp from any to any port www -> 127.0.0.1 port 3128
#rdr on $int_if inet proto tcp from any to any port 443 -> 127.0.0.1 port 3128
#rdr on $int_if2 inet proto tcp from any to any port 443 -> 127.0.0.1 port 3128

# Allow FTP to 192.168.144.129
# rdr on $ext_if proto tcp from any to $ext_if port 21 -> 192.168.1.1 port 21

# ftp_server = "192.168.1.1"

# rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server port 21
# rdr on $ext_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535

# Game server
#rdr on $ext_if proto tcp from any to any port 12975 -> 192.168.1.1 port 12975


# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
 pass in  all
 pass out all

# allow loopback packets 
 pass in quick on lo0 all
 pass out quick on lo0 all

##################################
######## ALLOWED PORTS ###########
##################################
# game console
pass in quick on $ext_if proto tcp from any to any port 12975

pass in quick on $ext_if inet proto tcp from any to any port $InDirectPlayTCP flags S/SAFR keep state label DirectPlayTCP
pass in quick on $ext_if inet proto udp from any to any port $InDirectPlayUDP keep state label DirectPlayUDP
# allow VPN
pass in quick on $ext_if inet proto udp from any to any port 5050

pass in quick on rl0 inet proto tcp from any to any port $InDirectPlayTCP flags S/SAFR keep state label DirectPlayTCP
pass in quick on rl0 inet proto udp from any to any port $InDirectPlayUDP keep state label DirectPlayUDP

# SSH inbound only from one IP
  pass in quick on $ext_if proto tcp from 62.245.73.216 to $ext_if port 22 keep state
#  pass in quick on $ext_if proto tcp from any to $ext_if port 22 keep state

# HTTP inbound only from one IP or more
#  pass in quick on $ext_if proto tcp from 62.245.73.216 to $ext_if port 22 keep state
#  pass in quick on $ext_if proto tcp from any to $ext_if port 8080 keep state


# allow ICMP request/reply (ping)
  pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Transparent Proxy
  pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
  pass in quick on $int_if2 inet proto tcp from any to 127.0.0.1 port 3128 keep state

# Allow statistics
  pass in quick on $int_if inet proto tcp from 192.168.1.1 to 192.168.144.129 port 80 keep state
  pass in quick on $int_if inet proto tcp from 192.168.1.1 to 10.102.41.1 port 80 keep state
  
# Allowed for communication with the proxy server outside
  pass in quick on $ext_if inet proto tcp from 62.245.73.216 to any port 82 keep state

# Allow REMOTE ACCESS to 192.168.1.1
 pass in quick on $ext_if proto tcp from any to $ext_if port 5900 flags S/SA keep state
 pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 5900 flags S/SA keep state
 pass in quick on $ext_if proto tcp from any to $ext_if port 5800 flags S/SA keep state
 pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 5800 flags S/SA keep state
 pass in quick on $ext_if proto tcp from any to $ext_if port 3389 flags S/SA keep state
 pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 3389 flags S/SA keep state


#  pass in quick on $ext_if proto tcp from any to $ftp_server port 21 keep state
#  pass in quick on $ext_if proto tcp from any to $ftp_server port > 49151 keep state
#  pass out quick on $int_if proto tcp from any to $ftp_server port 21 keep state
#  pass out quick on $int_if proto tcp from any to $ftp_server port > 49151 keep state

# FTP to the SERVER
#  pass in quick on $ext_if proto tcp from any to $ext_if port ftp keep state
#  allow connections to passive ports (PASV)
#  pass in quick on $ext_if proto tcp from any to $ext_if port > 49151 keep state
        
#################################
# FROM HERE ON EVERYTHING IS BLOCKED
#################################

# generic rules for incoming/outgoing connections on ext_if
 
 block in log on $ext_if all
 block out log on $ext_if all

 block in quick log from <blacklist> to any
 block out quick log from any to <blacklist>

 block in quick proto { tcp, udp } from any to any port $blocked_ports

# deny packets which should not be seen on the internet
 block in log quick from <spoofed> to any
 block in log quick from any to <spoofed>
 antispoof for $ext_if inet

 # allow ICMP request/reply (ping)
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# allowed ports to the server

#pass in quick on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 22 
pass in quick on $ext_if proto tcp from any to any port 80


### allow outgoing traffic with state ###
  
pass out quick on $ext_if proto { tcp, udp, icmp } all keep state


############################################################################
#######################################

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass  out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

 

-----Original Message-----
From: users-l-bounces at freebsd.cz [mailto:users-l-bounces at freebsd.cz] On
Behalf Of Dan Lukes
Sent: Sunday, March 12, 2006 7:22 PM
To: FreeBSD mailing list
Subject: Re: Encrypted NAT or Squid OPENVPN

Pentium napsal/wrote, On 03/12/06 17:54:
> Sun Mar 12 17:45:52 2006 us=460417 WARNING: --ping should normally be used with --ping-restart or --ping-exit
> Sun Mar 12 17:45:52 2006 us=460652 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
> Sun Mar 12 17:45:52 2006 us=464357 WARNING: file '/etc/openvpn/secret.key' is group or others accessible

	Wouldn't it be better, before you turn to the public with a request for
help, to first "clean up" the configuration?

	I won't claim that the problem is related to any of the warnings above -
but it surprises me that you are so sure it isn't related that you don't
consider it necessary to fix them ...

> Ping 10.0.0.1 doesn't work at the moment

	I don't see here the state of the routing tables, nor a tcpdump, nor
anything else that would allow the problem to be analyzed.

	So we don't know whether the ping being sent enters the tunnel at all,
whether the tunnel sends any packet at the moment of the ping, we don't know,
from a tcpdump on the other side, whether the packet in question arrived there,
whether the ping was successfully unpacked from it, whether the system replied
to it (or perhaps didn't, because of some firewall), and how the reply travelled
back through the systems and networks.

> I use PF and I have this rule there
> # allow VPN
> pass in quick on $ext_if inet proto udp from any to any port 5050

	It is usually far more appropriate to solve a single problem rather than
two at once.
I don't think anyone here can tell from a single rule whether the firewall
blocks the packets in question or not (they could easily be blocked by a
different rule).

	So - either you provide us with the complete configuration. Or you have
to be sure yourself that the firewall has no effect on the problem. Such
"half-data" are really useless.

	I recommend a third option, though - open the firewall completely for the
duration of the test. If that removes the problem, the problem is in the
firewall and should be looked for there. If it changes nothing about the
problem, then the current problem lies elsewhere.

	I apologize for a somewhat sharp reply, but when someone asks us for
help, they should perhaps focus more on providing usable data - instead of
trimming the information down to the very edge of uselessness. I understand
that it is necessary to prevent people in this list from mounting devastating
attacks on the networks you administer if you didn't carefully hide the data
about the real addresses, but I would much rather see you drop that, because
nobody is going to attack those machines, and instead spend the time saved on
providing some information that would allow the problem to actually be solved
and on fixing the configuration problems the software itself warns about ...

							Dan




-- 
Dan Lukes                                   SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz,dan at kolej.mff.cuni.cz
--
FreeBSD mailing list (users-l at freebsd.cz)
http://www.freebsd.cz/listserv/listinfo/users-l





