Jail+Internet

From: Dejan Grujin <dgrujin(at)edv-dg.de>
Date: Thu, 11 May 2006 18:11:07 +0200

Hi all,

Somehow with the jails one problem always follows the next :-).
Scenario:
FreeBSD 5.4
2 network cards
1 for the DSL line
1 with 192.168.20.1

On the internal one I have additionally bound 192.168.20.200 for the jail.

resolv.conf contains nameserver 192.168.20.1
So far so good. Name resolution works, then.
But:
When I now try to open an ssh or ftp connection from the jail to the outside, it doesn't work. I always get timeouts.

Here is the rc.firewall as well:
if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac

${fwcmd} -f flush

case ${firewall_type} in

[Ff][Ww][Ss])
        oif="tun0"

        iif="vr1"
        inet="192.168.20.0"
        imask="255.255.255.0"
        iip="192.168.20.1"

        ${fwcmd} add 10 deny log all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add 11 deny log all from any to ${inet}:${imask} in via ${oif}
        ${fwcmd} add 12 deny all from me to any in via ${oif}
        ${fwcmd} add 51 allow all from 127.0.0.1 to 127.0.0.1
        ${fwcmd} add 52 allow all from ${inet}:${imask} to ${inet}:${imask}
        ${fwcmd} add 53 allow all from any to 255.255.255.255 via 'vr1'
        ${fwcmd} add 54 allow all from 255.255.255.255 to any via 'vr1'
        ${fwcmd} add 60 check-state

        ${fwcmd} add 100 reset tcp from any to me 113
        ${fwcmd} add 101 pass all from me to any keep-state
        ${fwcmd} add 102 allow tcp from any to me 22 in via ${oif} keep-state
        ${fwcmd} add 103 allow tcp from any to me 123 in via ${oif} keep-state
        ${fwcmd} add 104 allow udp from any to me 500 in via ${oif} keep-state
        ${fwcmd} add 105 allow tcp from any to me 1723 in via ${oif} keep-state

        ${fwcmd} add 110 divert 32002 ip from ${inet}:${imask} to any out via ${
        ${fwcmd} add 111 divert 32003 ip from any to any in via ${oif}

        # Deny ping from extern over tun0 and log most
        # (ipfw syntax is "add <number> <action>"; the number must follow "add")
        ${fwcmd} add 120 deny log icmp from any to any in via tun0 icmptype 8
        ${fwcmd} add 121 allow icmp from any to any out via tun0 icmptype 8
        ${fwcmd} add 122 allow icmp from any to any in via tun0 icmptype 0
        ${fwcmd} add 123 allow icmp from any to any via tun0 icmptype 11
        ${fwcmd} add 124 allow icmp from any to any via tun0 icmptype 3
        ${fwcmd} add 125 allow log icmp from any to any via tun0
        ${fwcmd} add 126 allow icmp from any to any

        # Allow any to me global for internal Traffic
        #${fwcmd} add 135 allow all from ${inet}:${imask} to any
        ${fwcmd} add 130 allow all from me to any

        # Allow http/https to extern
        ${fwcmd} add 150 allow tcp from ${inet}:${imask} to any 80
        ${fwcmd} add 151 allow tcp from ${inet}:${imask} to any 81
        ${fwcmd} add 152 allow tcp from ${inet}:${imask} to any 443
        ${fwcmd} add 153 allow tcp from ${inet}:${imask} to any 8080

        # Allow http to intern
        ${fwcmd} add 155 allow tcp from any to me 80

        # Allow email/news
        ${fwcmd} add 160 pass tcp from any to me 25 setup
        ${fwcmd} add 161 pass tcp from ${inet}:${imask} to any 25
        ${fwcmd} add 162 pass tcp from ${inet}:${imask} to any 110
        ${fwcmd} add 163 pass tcp from ${inet}:${imask} to any 119

        # Allow telnet/ssh to outside
        ${fwcmd} add 170 pass tcp from ${inet}:${imask} to any 23
        ${fwcmd} add 171 pass tcp from ${inet}:${imask} to any 22

        # Allow ftp
        ${fwcmd} add 200 pass tcp from ${inet}:${imask} to any 21
        ${fwcmd} add 201 pass tcp from ${inet}:${imask} to any 20

        # Allow IPSEC/VPN
        #${fwcmd} add 210 pass tcp from ${inet}:${imask} to any 1723
        ${fwcmd} add 211 pass udp from ${inet}:${imask} to any 500

        # Allow Traffic from I-Net
        ${fwcmd} add 60000 allow tcp from any to ${inet}:${imask}
        ${fwcmd} add 60001 allow udp from any to ${inet}:${imask}

        ${fwcmd} add 65534 deny log ip from any to any
        ;;

*)
        if [ -r "${firewall_type}" ]; then
                ${fwcmd} ${firewall_flags} ${firewall_type}
        fi
        ;;
esac

I'm including the rc.firewall because I may have made a mistake in there.

Thanks in advance for the answers,

Regards, Dejan
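An added sanity check, not part of Dejan's post or of FreeBSD's own rc.firewall: a small shell lint that reads an rc.firewall-style script on stdin and reports ipfw lines where the rule number is written before `add` (ipfw expects `add <number> <action>`) and blanket allow rules from `any` toward the internal network, which deserve a second look on a NAT gateway. The sample rules inside it are constructed, and the `${inet}:${imask}` spelling of the internal network is assumed from the post.

```shell
#!/bin/sh
# Added example (not from the original post): lint ipfw rule lines in an
# rc.firewall-style script. Two findings are reported:
#   ARGORDER   - rule number precedes "add"; ipfw wants "add <num> <action> ..."
#   PERMISSIVE - allow/pass for tcp/udp/ip/all from any to the internal net
#                with no port, direction or keep-state qualifier
# Assumption: the internal network is spelled ${inet}:${imask}, as in the post.

check_ipfw_rules() {
    # reads a script on stdin, prints one finding per line (no output = clean)
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)                  # ignore indentation
        if (line !~ /^[$][{]fwcmd[}]/) next       # only ipfw invocations, skips "#" lines
        if (line ~ /^[$][{]fwcmd[}][ \t]+[0-9]+[ \t]+add[ \t]/)
            print "ARGORDER:   " line
        if (line ~ /[ \t]add[ \t]+[0-9]+[ \t]+(allow|pass|accept)[ \t]+(tcp|udp|ip|all)[ \t]+from[ \t]+any[ \t]+to[ \t]+[$][{]inet[}]:[$][{]imask[}][ \t]*$/)
            print "PERMISSIVE: " line
    }'
}

# Constructed sample mirroring the shapes of rules seen in the post
SAMPLE='        ${fwcmd} add 60 check-state
        ${fwcmd} 120 add deny log icmp from any to any in via tun0 icmptype 8
        ${fwcmd} add 150 allow tcp from ${inet}:${imask} to any 80
        #${fwcmd} 121 add allow icmp from any to any out via tun0 icmptype 8
        ${fwcmd} add 60000 allow tcp from any to ${inet}:${imask}
        ${fwcmd} add 60001 allow udp from any to ${inet}:${imask}
        ${fwcmd} add 65534 deny log ip from any to any'

lint_sample() {
    printf '%s\n' "$SAMPLE" | check_ipfw_rules
}

count_findings() {
    lint_sample | wc -l | tr -d ' '
}

lint_sample
```

To lint a real script, run `check_ipfw_rules < /etc/rc.firewall`; the commented-out line in the sample is skipped on purpose.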

Received on Thu 11 May 2006 - 18:12:19 CEST