netzwerk in einer jail

From: Michael Gusek <michael.gusek(at)web.de>
Date: Sun, 29 May 2005 12:52:48 +0200



Hi !


Ich bin grad dabei, auf meinem Rechner, ein jail einzurichten. Mein 


Heimatnetzwerk hab ich im Raum 192.168.0.0/255.255.255.0 angesiedelt. 


Die Jail hat die IP-Adresse 127.0.0.2:


ifconfig lo0


lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384


        inet 127.0.0.1 netmask 0xff000000


        inet6 ::1 prefixlen 128


        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3


        inet 127.0.0.2 netmask 0xff000000



Die Jail selber läuft, in der /etc/resolv.conf hab ich meinen eigenen 


Nameserver eingetragen:


search localnet.de


nameserver 192.168.0.1


In der Jail selber funktioniert ein nslookup www.heise.de. Aber ich kann 


von dort keine Verbindung nach draussen aufnehmen:


fetch www.heise.de/index.html: Operation timed out



Ich glaube, es liegt an meiner Firewall, aber ich sehe nicht, wo das 


Problem liegt. Deshalb poste ich mal meine Firewallregeln. fxp0 ist mein 


internes Netz, xl0 geht nach draussen.


00100  divert 8668 ip from any to any via xl0


00200  deny ip from any to any not verrevpath in


00300  allow ip from any to any via lo0


00400  deny ip from any to 127.0.0.0/8


00500  deny ip from 127.0.0.0/8 to any


00600  deny ip from 10.0.0.0/8 to any via xl0


00700  deny ip from any to 10.0.0.0/8 via xl0


00800  deny ip from 172.16.0.0/12 to any via xl0


00900  deny ip from any to 172.16.0.0/12 via xl0


01000  deny ip from 192.168.0.0/24 to any in via xl0


01100  deny ip from 192.168.0.0/24 to 192.168.0.0/24 via xl0


01200  deny ip from any to 0.0.0.0/8 via xl0


01300  deny ip from any to 169.254.0.0/16 via xl0


01400  deny ip from any to 192.0.2.0/24 via xl0


01500  deny ip from any to 224.0.0.0/4 via xl0


01600  deny ip from any to 240.0.0.0/4 via xl0


01700  allow ip from any to any via fxp0


01800  deny tcp from any to any in via xl0 frag


01900  deny tcp from any to any dst-port 135,137-139,445 via xl0


02000  deny udp from any to any dst-port 135,137-139,445 via xl0


02100  allow icmp from { me or 192.168.0.0/24 } to any out via xl0


02200  allow icmp from any to { me or dst-ip 192.168.0.0/24 } in via xl0 


icmptypes 0,3,4,8,11,12


02300  allow tcp from any to me dst-port 993 in via xl0


02400  reset tcp from any to any dst-port 113


02500  allow tcp from 192.168.0.5 to any out via xl0


02600  allow tcp from any to 192.168.0.5 dst-port 1024-65535 in via xl0


02700  allow udp from 192.168.0.5 to any out via xl0


02800  allow udp from any to 192.168.0.5 dst-port 1024-65535 in via xl0


02900  check-state


03000  deny log logamount 100 ip from any to any in via xl0 established


03100  allow ip from me to any dst-port 53 via xl0 keep-state


03200  allow tcp from any to me dst-port 22 in via xl0 keep-state


61000  allow tcp from any to any out via xl0 keep-state


61010  allow udp from any to any out via xl0 keep-state


65000  deny log logamount 100 ip from any to any


65535  deny ip from any to any



Hat jemand von euch eine Idee ?



Michael Gusek



To Unsubscribe: send mail to majordomo(at)de.FreeBSD.org


with "unsubscribe de-bsd-questions" in the body of the message


Received on Sun 29 May 2005 - 12:53:41 CEST













search this site