Networking in a jail

From: Michael Gusek <michael.gusek(at)web.de>
Date: Sun, 29 May 2005 12:52:48 +0200

Hi!
I'm currently setting up a jail on my machine. My home network lives in
the range 192.168.0.0/255.255.255.0.
The jail has the IP address 127.0.0.2:
ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.2 netmask 0xff000000

The jail itself is running; in /etc/resolv.conf I entered my own
nameserver:
search localnet.de
nameserver 192.168.0.1
Inside the jail, an nslookup www.heise.de works. But I can't open a
connection from there to the outside:
fetch www.heise.de/index.html: Operation timed out

I think it's my firewall, but I can't see where the problem is. So I'm
posting my firewall rules. fxp0 is my internal network, xl0 goes to the
outside.
00100 divert 8668 ip from any to any via xl0
00200 deny ip from any to any not verrevpath in
00300 allow ip from any to any via lo0
00400 deny ip from any to 127.0.0.0/8
00500 deny ip from 127.0.0.0/8 to any
00600 deny ip from 10.0.0.0/8 to any via xl0
00700 deny ip from any to 10.0.0.0/8 via xl0
00800 deny ip from 172.16.0.0/12 to any via xl0
00900 deny ip from any to 172.16.0.0/12 via xl0
01000 deny ip from 192.168.0.0/24 to any in via xl0
01100 deny ip from 192.168.0.0/24 to 192.168.0.0/24 via xl0
01200 deny ip from any to 0.0.0.0/8 via xl0
01300 deny ip from any to 169.254.0.0/16 via xl0
01400 deny ip from any to 192.0.2.0/24 via xl0
01500 deny ip from any to 224.0.0.0/4 via xl0
01600 deny ip from any to 240.0.0.0/4 via xl0
01700 allow ip from any to any via fxp0
01800 deny tcp from any to any in via xl0 frag
01900 deny tcp from any to any dst-port 135,137-139,445 via xl0
02000 deny udp from any to any dst-port 135,137-139,445 via xl0
02100 allow icmp from { me or 192.168.0.0/24 } to any out via xl0
02200 allow icmp from any to { me or dst-ip 192.168.0.0/24 } in via xl0 icmptypes 0,3,4,8,11,12
02300 allow tcp from any to me dst-port 993 in via xl0
02400 reset tcp from any to any dst-port 113
02500 allow tcp from 192.168.0.5 to any out via xl0
02600 allow tcp from any to 192.168.0.5 dst-port 1024-65535 in via xl0
02700 allow udp from 192.168.0.5 to any out via xl0
02800 allow udp from any to 192.168.0.5 dst-port 1024-65535 in via xl0
02900 check-state
03000 deny log logamount 100 ip from any to any in via xl0 established
03100 allow ip from me to any dst-port 53 via xl0 keep-state
03200 allow tcp from any to me dst-port 22 in via xl0 keep-state
61000 allow tcp from any to any out via xl0 keep-state
61010 allow udp from any to any out via xl0 keep-state
65000 deny log logamount 100 ip from any to any
65535 deny ip from any to any

Does any of you have an idea?

Michael Gusek
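To see which of the posted rules a packet from the jail actually hits, here is an added first-match evaluator (not from the post, the list, or ipfw itself) that parses an excerpt of the ruleset above. It ignores the natd divert, keep-state and verrevpath, simulates no NAT rewriting, and assumes 203.0.113.10 as the external host being fetched.

```python
import ipaddress
# Constructed excerpt of the post's ruleset (rules irrelevant to loopback omitted)
RULES = """
00100 divert 8668 ip from any to any via xl0
00200 deny ip from any to any not verrevpath in
00300 allow ip from any to any via lo0
00400 deny ip from any to 127.0.0.0/8
00500 deny ip from 127.0.0.0/8 to any
01700 allow ip from any to any via fxp0
02500 allow tcp from 192.168.0.5 to any out via xl0
65535 deny ip from any to any
""".strip().splitlines()

def addr_match(spec, addr):
    # 'any', a single host or a CIDR prefix, as ipfw writes them
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse(line):
    # Rules using verrevpath are not modelled: assume the check passes (no match)
    tok = line.split()
    if "verrevpath" in tok:
        return None
    i = next(k for k, t in enumerate(tok) if t in ("ip", "tcp", "udp", "icmp"))
    rule = {"num": int(tok[0]), "action": tok[1], "proto": tok[i],
            "src": tok[i + 2], "dst": tok[i + 4], "dir": None, "via": None}
    opts = tok[i + 5:]
    for k, o in enumerate(opts):  # keep-state and similar options are ignored
        if o in ("in", "out"):
            rule["dir"] = o
        elif o == "via":
            rule["via"] = opts[k + 1]
    return rule

def first_match(rules, proto, src, dst, direction, iface):
    # First rule the packet hits; divert (natd) falls through, no NAT rewriting
    for r in rules:
        if r is None or r["action"] == "divert":
            continue
        if r["proto"] not in ("ip", proto) or (r["dir"] and r["dir"] != direction):
            continue
        if r["via"] and r["via"] != iface:
            continue
        if addr_match(r["src"], src) and addr_match(r["dst"], dst):
            return r["num"], r["action"]
    return None

PARSED = [parse(l) for l in RULES]
def trace_jail_fetch(ext="203.0.113.10"):
    # Outbound SYN from the jail, its reply, and the same fetch from a LAN host
    return (first_match(PARSED, "tcp", "127.0.0.2", ext, "out", "xl0"),
            first_match(PARSED, "tcp", ext, "127.0.0.2", "in", "xl0"),
            first_match(PARSED, "tcp", "192.168.0.5", ext, "out", "xl0"))
```

Under these simplifications the jail's outbound packet is stopped by rule 00500 and the reply by rule 00400, while the same fetch from 192.168.0.5 reaches the allow at 02500; the real outcome also depends on what natd does to the 127.0.0.2 source before rule 00200.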

Received on Sun 29 May 2005 - 12:53:41 CEST