论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2005-08-26 18:20 |只看该作者 |倒序浏览

刚接触PF，边学边写的一个规则

有几个问题，请大家看看
1、ext_if 必须允许from any to any port 80的数据报进入，否则DMZ服务器不能访问，改目标地址为dmz服务器的外网地址就不行
2、内网用户能ping通DMZ服务器内网地址，但不能用服务器的内网地址10.1.1.10访问web服务,只能用外网地址

电信
\
\
\ fxp0 222.222.222.209/28
__\______
| |
| PF防火墙|
|_________|
fxp1/ \fxp2
/ \
/ \
DMZ / \内网
servip:10.1.1.10 192.168.0.0/24

复制代码

rc.conf

defaultrouter="222.222.222.209"
hostname="www.kkkk.net"
ifconfig_fxp0="inet 222.222.222.219 netmask 255.255.255.240"
ifconfig_fxp0_alias0="inet 222.222.222.220 netmask 255.255.255.240"
ifconfig_fxp1="inet 10.1.1.20 netmask 255.255.255.224"
ifconfig_fxp2="inet 192.168.0.1 netmask 255.255.255.0"
linux_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

复制代码

pf.conf

ext_if="fxp0"
int_if="fxp2"
dmz_if="fxp1"
serv_intip="10.1.1.10"
serv_extip="222.222.222.220"
priv_net="{127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
icmp_types="echoreq"
drop_tcpports="{135,139,445,9996,593,6667,15436,137}"
drop_udpports="{135,139,445,5554,9996,593,137}"
set limit { states 100000, frags 50000 }
set loginterface fxp0
set optimization aggressive
set block-policy drop
scrub on $ext_if all reassemble tcp
#NAT规则
nat on $ext_if from $int_if:network to any ->; $ext_if:0
binat on $ext_if from $serv_intip to any ->; $serv_extip
rdr on {$int_if,$dmz_if} proto tcp from any to any port 21 ->; 127.0.0.1 port 8021
rdr on $int_if proto tcp from $int_if:network to $serv_extip port 80 ->; 127.0.0.1 port 9000
#过滤规则
block all
pass quick on lo0 all
block in quick on $ext_if from $priv_net to any
block out quick on $ext_if from any to $priv_net
block quick on {$ext_if,$int_if,$dmz_if} proto tcp from any to any port $drop_tcpports
block quick on {$ext_if,$int_if,$dmz_if} proto udp from any to any port $drop_udpports
pass in quick on $int_if proto {tcp,udp,icmp} from $int_if:network to any modulate state
pass out quick on $ext_if proto {tcp,udp,icmp} from $ext_if:network to any modulate state
pass in quick on $ext_if inet proto icmp from any to any icmp-type $icmp_types keep state
pass in quick on $ext_if proto tcp from any to $ext_if:0 port 22 flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
pass out quick on $dmz_if proto tcp from any to $serv_intip port 80 synproxy state
pass in quick on $dmz_if proto {tcp,udp,icmp} from $dmz_if:network to any modulate state
pass out quick on $dmz_if inet proto icmp from any to $dmz_if:network icmp-type $icmp_types keep state

复制代码

文库|博客

zayi

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2005-08-27 00:10 |只看该作者

pf+nat+dmz 问题求助

自己顶，用PF的朋友帮帮忙呀

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

congli

版主

论坛徽章:: 1

3楼 [报告]

发表于 2005-08-27 07:56 |只看该作者

pf+nat+dmz 问题求助

感觉访问DMZ路径是:内网->;外网->;DMZ.所以内网能Ping,不能直接访问Web

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

building

丰衣足食

论坛徽章:: 0

4楼 [报告]

发表于 2005-08-27 08:45 |只看该作者

pf+nat+dmz 问题求助

内网到DMZ是要路由的

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

zayi

白手起家

论坛徽章:: 0

5楼 [报告]

发表于 2005-08-27 10:40 |只看该作者

pf+nat+dmz 问题求助

内网到dmz能ping通，还需要路由吗？

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

congli

版主

论坛徽章:: 1

6楼 [报告]

发表于 2005-08-27 10:48 |只看该作者

pf+nat+dmz 问题求助

Ping:内网->;外网->;DMZ

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

zayi

白手起家

论坛徽章:: 0

7楼 [报告]

发表于 2005-08-27 11:16 |只看该作者

pf+nat+dmz 问题求助

我在内网用tracert 10.1.1.10 可以看到路由是从内网—网关—DMZ

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

zayi

白手起家

论坛徽章:: 0

8楼 [报告]

发表于 2005-08-27 19:56 |只看该作者

pf+nat+dmz 问题求助

我的理解是这样的

要让外网能够访问dmz服务器80端口，首先必须要有一个外网地址与其映射

binat on $ext_if from $serv_intip to any ->; $serv_extip

复制代码

然后在外网接口上要允许目标地址为DMZ外网IP PORT 80的数据包进入防火墙（这里是any to any 应该限制到目标地址）

pass in quick on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state

复制代码

数据包进入防火墙后，通过rdr，找到与之对应的是DMZ下私有地址10.1.1.10，最后允许数据包从DMZ接口出去到达dmz服务器 10.1.1.10

pass out quick on $dmz_if proto tcp from any to $serv_intip port 80 synproxy state

复制代码

内网用户访问DMZ服务器内部IP时，首先在内网接口上允许内网对目标为any的{tcp,udp,icmp}访问进入防火墙

pass in quick on $int_if proto {tcp,udp,icmp} from int_if:network to any modulate state

复制代码

然后允许数据包从DMZ接口出去到达dmz服务器 10.1.1.10

pass out quick on $dmz_if proto tcp from any to $serv_intip port 80 synproxy state

复制代码

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

硬-盘

稍有积蓄

论坛徽章:: 0

9楼 [报告]

发表于 2005-08-28 20:09 |只看该作者

pf+nat+dmz 问题求助

#firewall by tds 20050601

#macros
wanif="fxp0"
lanif="fxp1"
dmzif="fxp2"
tcpsrv="{22,113}"
lan0="{192.168.0.0/27}"
lan1="{192.168.1.0/24}"
lan2="{192.168.2.0/24}"
lan3="{192.168.3.0/24}"
wwwsrv="192.168.10.254"
ftpsrv="192.168.0.8"
bt1="192.168.0.25"
bt2="192.168.0.26"
bt3="192.168.0.27"
noroute="{127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"

#options
set block-policy return
set loginterface $wanif
set optimization aggressive

#scrub
scrub in all

#nat and rdr
nat on $wanif from $lan0 to any ->; $wanif
#nat on $wanif from $lan3 to any ->; $wanif
#nat on $wanif from $lan1 to any ->; $wanif
#nat on $wanif from $lan2 to any ->; $wanif

rdr on $wanif proto tcp from any to any port 80 ->; $wwwsrv
rdr on $wanif proto tcp from any to any port 554 ->; $wwwsrv
rdr on $wanif proto tcp from any to any port 5500 ->; $wwwsrv
rdr on $wanif proto tcp from any to any port 21 ->; $ftpsrv
rdr on $wanif proto tcp from any to any port 1433 ->; $ftpsrv
rdr on $wanif proto tcp from any to any port 19999 ->; $bt1
rdr on $wanif proto tcp from any to any port 18888 ->; $bt2
rdr on $wanif proto tcp from any to any port 20000 ->; $bt3
rdr on $wanif proto tcp from any to any port 4662 ->; $bt2
rdr on $wanif proto tcp from any to any port 4663 ->; $bt3
rdr on $wanif proto tcp from any to any port 3389 ->; $bt2

#filter rules
block all
block drop in quick on $wanif from $noroute
block drop out quick on $wanif from any to $noroute
block drop out quick on $wanif from any to 202.103.67.53
pass quick on lo0 all
pass in quick on $lanif from $lanif:network to any keep state
pass out quick on $lanif from any to $lanif:network keep state

pass out quick on $dmzif proto tcp from any to $wwwsrv port {80,554,5500} flags S/SA keep state
pass out quick on $dmzif proto tcp from $bt2 to $wwwsrv port {20,21,3389} flags S/SA keep state
pass in quick on $dmzif from $dmzif:network to any keep state

pass in quick on $wanif proto tcp from any to $wanif port $tcpsrv flags S/SA keep state
pass in quick on $wanif proto tcp from any to $wwwsrv port 80 flags S/SA synproxy state
pass in quick on $wanif proto tcp from any to $wwwsrv port {554,5500} flags S/SA keep state
pass in quick on $wanif proto tcp from any to $ftpsrv port 21 flags S/SA keep state
pass in quick on $wanif proto tcp from any to $bt1 port 19999 flags S/SA keep state
pass in quick on $wanif proto tcp from any to $bt2 port {20,4662,3389,18888} flags S/SA keep state
pass in quick on $wanif proto tcp from any to $bt3 port {4663,20000} flags S/SA keep state
pass in quick on $wanif proto tcp from any to $ftpsrv port 1433 flags S/SA keep state
pass out on $wanif proto tcp all flags S/SA keep state
pass out on $wanif proto {udp,icmp} all keep state

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

返回列表

Chinaunix › 论坛 › 操作系统 › BSD › pf+nat+dmz 问题求助

pf+nat+dmz 问题求助 [复制链接]

pf+nat+dmz 问题求助

pf+nat+dmz 问题求助

pf+nat+dmz 问题求助

pf+nat+dmz 问题求助

pf+nat+dmz 问题求助

pf+nat+dmz 问题求助

pf+nat+dmz 问题求助

pf+nat+dmz 问题求助

浏览过的版块