Encrypted NAT or Squid + OPENVPN (updated)
Pentium
pentium.konference at seznam.cz
Mon Mar 13 21:33:34 CET 2006
So the problem was in the firewall; now everything really works, by which I mean mutual ping between the machines.
Now the question is how to encrypt the traffic, either the whole NAT or at least HTTP.
What I want to achieve:
LAN (192.168.1.x) - SERVER1 FreeBSD WiFi NAT transparent proxy ---- Internet, I want this encrypted --- Server2 FreeBSD NAT proxy ----- Internet, unencrypted from here on
For completeness, here is the client config:
remote 62.2.73.211
dev tun
ifconfig 10.0.0.2 10.0.0.1
secret secret.key
Server config:
dev tun
ifconfig 10.0.0.1 10.0.0.2
secret secret.keyp
And my pf.conf, hopefully tidied up a bit:
# Macros: define common values, so they can be referenced and changed easily.
ext_if="wi0" # replace with actual external interface name i.e., rl0
int_if="rl0" # replace with actual internal interface name i.e., dc1
int_if2="rl1" # replace with actual internal interface name i.e., dc1
int_ssh="tun0"
internal_net="192.168.1.0/24"
#external_addr="192.168.144.172"
external_addr="10.102.41.172"
# Tables: similar to macros, but more flexible for many addresses.
table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
table <trusted_hosts> { }
table <spoofed> { 127.0.0.1/8, !192.168.1.0/24, 192.168.0.0/16,
172.16.0.0/12, 224.0.0.0/3, 10.0.0.0/8 }
table <blacklist> { }
icmp_types = "echoreq"
blocked_ports="{ 135, 137 >< 139, 445 }"
scrub in all
#nat on $ext_if from $internal_net to any -> ($ext_if)
#nat on $ext_if from 192.168.1.1 to any -> ($int_ssh)
nat on $ext_if from 192.168.1.45 to any -> ($ext_if)
nat on $ext_if from 192.168.1.1 to any -> ($ext_if)
###############################
#### Redirect ################
###############################
# rdr outgoing FTP requests to the ftp-proxy
# rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.1 port 80
# Allow VNC
# rdr on $ext_if proto tcp from any to any port 5900 -> 192.168.1.1 port 5900
# rdr on $ext_if proto tcp from any to any port 5800 -> 192.168.1.1 port 5800
# Allow statistics
rdr on $int_if inet proto tcp from 192.168.1.1 to 192.168.144.129 port 80 -> 192.168.144.129 port 80
# Transparent Proxy
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
rdr on $int_if2 inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# Filtering: the implicit first two rules are
pass in all
pass out all
# allow loopback packets
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on $int_ssh proto { udp, icmp } all keep state
pass in quick on $int_ssh proto { udp, icmp } all keep state
pass out quick on $ext_if proto { udp, icmp } all keep state
pass in quick on $ext_if proto { udp, icmp } all keep state
##################################
######## ALLOWED PORTS ##########
##################################
# allow VPN
# pass in quick on $ext_if inet proto udp from any to any
# pass out quick on $ext_if inet proto udp from any to any
# pass in quick inet proto udp from any to (self) port 1194 keep state
# SSH inbound only from one IP
pass in quick on $ext_if proto tcp from 62.245.73.216 to $ext_if port 22 keep state
# pass in quick on $ext_if proto tcp from any to $ext_if port 22 keep state
# allow ICMP request/reply (ping)
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
# Transparent Proxy
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass in quick on $int_if2 inet proto tcp from any to 127.0.0.1 port 3128 keep state
# Allow statistics
pass in quick on $int_if inet proto tcp from 192.168.1.1 to 192.168.144.129 port 80 keep state
pass in quick on $int_if inet proto tcp from 192.168.1.1 to 10.102.41.1 port 80 keep state
# Allowed for communication with the proxy server outside
pass in quick on $ext_if inet proto tcp from 62.245.73.216 to any port 82 keep state
# Allow REMOTE ACCESS to 192.168.1.1
# pass in quick on $ext_if proto tcp from any to $ext_if port 5900 flags S/SA keep state
# pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 5900 flags S/SA keep state
# pass in quick on $ext_if proto tcp from any to $ext_if port 5800 flags S/SA keep state
# pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 5800 flags S/SA keep state
# pass in quick on $ext_if proto tcp from any to $ext_if port 3389 flags S/SA keep state
# pass in quick on $ext_if proto tcp from any to 192.168.1.1 port 3389 flags S/SA keep state
#################################
# FROM HERE ON EVERYTHING IS DENIED ######
#################################
# generic rules for incoming/outgoing connections on ext_if
block in log on $ext_if all
block out log on $ext_if all
block in quick log from <blacklist> to any
block out quick log from any to <blacklist>
block in quick proto { tcp, udp } from any to any port $blocked_ports
block in log quick from <spoofed> to any
block in log quick from any to <spoofed>
antispoof for $ext_if inet
# allow ICMP request/reply (ping)
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass out quick on $ext_if proto { tcp, udp, icmp } all keep state
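As an added example (not from the post or from anyone in the Users-l thread) of sending the LAN's traffic through the tunnel described above so that it leaves Server1 encrypted: it assumes Server1 is the OpenVPN side with 10.0.0.2 and the posted pf.conf, that Server2 holds 10.0.0.1 behind a public interface whose name is a placeholder here, that the HTTP redirect to Squid on Server1 stays as posted, and that both hosts run OpenVPN 2.0 or later.

```conf
# ---- Server1: OpenVPN "client" file from the post (tun0 = 10.0.0.2) ----
# Extra directives appended to that file (OpenVPN 2.0 or later assumed).
# Default route into the tunnel; OpenVPN first adds a host route to
# 62.2.73.211 via the old gateway, so the UDP transport still leaves via wi0.
redirect-gateway def1
# Explicit cipher and HMAC, identical on both ends: static-key mode has no
# negotiation that would flag a mismatch.
cipher AES-256-CBC
auth SHA1

# ---- Server1: pf.conf changes (macros as in the posted file) ----
# Why ping works over tun0 but TCP would not: the posted <spoofed> table holds
# 10.0.0.0/8, and only udp/icmp are passed quick on $int_ssh before
# "block in log quick from any to <spoofed>", so TCP replies for 10.0.0.2
# arriving on tun0 are logged and dropped. Carve the tunnel /24 out of it:
table <spoofed> { 127.0.0.1/8, !192.168.1.0/24, 192.168.0.0/16, 172.16.0.0/12, 224.0.0.0/3, !10.0.0.0/24, 10.0.0.0/8 }

# LAN clients leave through the tunnel with the tunnel address as source.
# Squid's own connections already originate from 10.0.0.2 once the default
# route points into tun0, so they need no nat rule here. The two
# "nat on $ext_if from 192.168.1.x" rules stop matching and can be removed.
nat on $int_ssh from $internal_net to any -> ($int_ssh)

# Replace the two udp/icmp rules on $int_ssh (keep them above the block rules):
pass out quick on $int_ssh proto { tcp, udp, icmp } all keep state
pass in  quick on $int_ssh proto { tcp, udp, icmp } all keep state

# ---- Server2: pf.conf (tun0 = 10.0.0.1); interface name is a placeholder ----
ext_if="PUBLIC_IF"        # replace with Server2's Internet-facing interface
vpn_if="tun0"
nat on $ext_if from 10.0.0.0/24 to any -> ($ext_if)
# The tunnel transport itself; narrow "from any" to Server1's address if static.
pass in  quick on $ext_if proto udp from any to ($ext_if) port 1194 keep state
pass in  quick on $vpn_if from 10.0.0.2 to any keep state
pass out quick on $ext_if proto { tcp, udp, icmp } all keep state
# rc.conf on both hosts: gateway_enable="YES" so that forwarding is on.
```

Both ends must load the identical static key (the post names the files secret.key and secret.keyp; they have to be the same file, generated once with openvpn --genkey --secret). A static key gives no forward secrecy, so anyone who obtains that file can decrypt every earlier capture of the tunnel; keep it mode 0600 and rotate it.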
More information about the Users-l mailing list