Hi all,
somehow with the jails one problem always follows the next :-).
Scenario:
FreeBSD 5.4
2 network cards
1 for DSL
1 with 192.168.20.1
On the internal one I have additionally bound 192.168.20.200 for the jail.
resolv.conf contains nameserver 192.168.20.1
So far so good. Name resolution works, then.
But:
When I now try to make an ssh or ftp connection from the jail to the outside, it does not work. I always get timeouts.
Here is the rc.firewall as well:
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi

if [ -n "${1}" ]; then
    firewall_type="${1}"
fi

case ${firewall_quiet} in
[Yy][Ee][Ss])
    fwcmd="/sbin/ipfw -q"
    ;;
*)
    fwcmd="/sbin/ipfw"
    ;;
esac

${fwcmd} -f flush

case ${firewall_type} in
[Ff][Ww][Ss])
    oif="tun0"              # external (DSL) interface
    iif="vr1"               # internal interface
    inet="192.168.20.0"
    imask="255.255.255.0"
    iip="192.168.20.1"

    # Anti-spoofing: private or own addresses must not arrive on the external interface
    ${fwcmd} add 10 deny log all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add 11 deny log all from any to ${inet}:${imask} in via ${oif}
    ${fwcmd} add 12 deny all from me to any in via ${oif}

    # Loopback, LAN-internal and broadcast traffic
    ${fwcmd} add 51 allow all from 127.0.0.1 to 127.0.0.1
    ${fwcmd} add 52 allow all from ${inet}:${imask} to ${inet}:${imask}
    ${fwcmd} add 53 allow all from any to 255.255.255.255 via 'vr1'
    ${fwcmd} add 54 allow all from 255.255.255.255 to any via 'vr1'

    # Dynamic rules first, then stateful entries for the host itself
    ${fwcmd} add 60 check-state
    ${fwcmd} add 100 reset tcp from any to me 113
    ${fwcmd} add 101 pass all from me to any keep-state
    ${fwcmd} add 102 allow tcp from any to me 22 in via ${oif} keep-state
    ${fwcmd} add 103 allow tcp from any to me 123 in via ${oif} keep-state
    ${fwcmd} add 104 allow udp from any to me 500 in via ${oif} keep-state
    ${fwcmd} add 105 allow tcp from any to me 1723 in via ${oif} keep-state

    # NAT via natd: outbound LAN traffic and everything inbound on the external interface
    ${fwcmd} add 110 divert 32002 ip from ${inet}:${imask} to any out via ${
    ${fwcmd} add 111 divert 32003 ip from any to any in via ${oif}

    # Deny ping from extern over tun0 and log most
    ${fwcmd} add 120 deny log icmp from any to any in via tun0 icmptype 8
    ${fwcmd} add 121 allow icmp from any to any out via tun0 icmptype 8
    ${fwcmd} add 122 allow icmp from any to any in via tun0 icmptype 0
    ${fwcmd} add 123 allow icmp from any to any via tun0 icmptype 11
    ${fwcmd} add 124 allow icmp from any to any via tun0 icmptype 3
    ${fwcmd} add 125 allow log icmp from any to any via tun0
    ${fwcmd} add 126 allow icmp from any to any

    # Allow any to me global for internal Traffic
    #${fwcmd} add 135 allow all from ${inet}:${imask} to any
    ${fwcmd} add 130 allow all from me to any

    # Allow http/https to extern
    ${fwcmd} add 150 allow tcp from ${inet}:${imask} to any 80
    ${fwcmd} add 151 allow tcp from ${inet}:${imask} to any 81
    ${fwcmd} add 152 allow tcp from ${inet}:${imask} to any 443
    ${fwcmd} add 153 allow tcp from ${inet}:${imask} to any 8080

    # Allow http to intern
    ${fwcmd} add 155 allow tcp from any to me 80

    # Allow email/news
    ${fwcmd} add 160 pass tcp from any to me 25 setup
    ${fwcmd} add 161 pass tcp from ${inet}:${imask} to any 25
    ${fwcmd} add 162 pass tcp from ${inet}:${imask} to any 110
    ${fwcmd} add 163 pass tcp from ${inet}:${imask} to any 119

    # Allow telnet/ssh to outside
    ${fwcmd} add 170 pass tcp from ${inet}:${imask} to any 23
    ${fwcmd} add 171 pass tcp from ${inet}:${imask} to any 22

    # Allow ftp
    ${fwcmd} add 200 pass tcp from ${inet}:${imask} to any 21
    ${fwcmd} add 201 pass tcp from ${inet}:${imask} to any 20

    # Allow IPSEC/VPN
    #${fwcmd} add 210 pass tcp from ${inet}:${imask} to any 1723
    ${fwcmd} add 211 pass udp from ${inet}:${imask} to any 500

    # Allow Traffic from I-Net
    ${fwcmd} add 60000 allow tcp from any to ${inet}:${imask}
    ${fwcmd} add 60001 allow udp from any to ${inet}:${imask}

    # Default: deny and log everything else
    ${fwcmd} add 65534 deny log ip from any to any
    ;;
*)
    if [ -r "${firewall_type}" ]; then
        ${fwcmd} ${firewall_flags} ${firewall_type}
    fi
    ;;
esac
I am including rc.firewall because I may have made a mistake there.
Thanks in advance for the answers,
Regards Dejan
To Unsubscribe: send mail to majordomo(at)de.FreeBSD.org
with "unsubscribe de-bsd-questions" in the body of the message
Received on Thu 11 May 2006 - 18:12:19 CEST
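As an added illustration that is not part of Dejan's mail: a small Python model of ipfw's first-match evaluation, run over the rules posted above. It assumes the ipfw(8) semantics that rules are tried in ascending order, that the first match decides, and that "me" matches every address configured on the host, which includes a jail alias such as 192.168.20.200 on vr1. Dynamic state (keep-state/check-state) is not modelled, so the walk describes the first packet of a new connection. The addresses 203.0.113.5 (tun0), 198.51.100.7 (a remote ssh server) and 192.168.20.50 (an ordinary LAN client) are constructed placeholders. Tracing a SYN to port 22 shows that the packet from the jail is matched by rule 101 (pass all from me to any) before it reaches the divert rule 110 that hands LAN traffic to natd, whereas the same SYN from the LAN client reaches rule 110; with rule 101 narrowed to the public tun0 address (an assumption for comparison only), the jail's packet reaches 110 as well.

```python
"""First-match walk over the ipfw rules from the mail above.

Added example, not part of the original post. It models a subset of ipfw(8)
semantics: rules are tried in ascending order, the first match decides, and
'me' matches every address configured on the host, including a jail alias.
Dynamic state (keep-state / check-state) is not modelled, so the walk shows
what happens to the first packet of a new connection.
"""
import ipaddress
from collections import namedtuple

# Addresses configured on the host. 192.168.20.1 and 192.168.20.200 are the
# values from the mail; 203.0.113.5 is a constructed placeholder for tun0.
HOST_ADDRS = {"192.168.20.1", "192.168.20.200", "203.0.113.5"}

Rule = namedtuple("Rule", "number action proto src dst dport direction iface")
Packet = namedtuple("Packet", "proto src dst dport direction iface")


def addr_matches(spec, addr):
    """ipfw address specifier: 'any', 'me', or a host/network in CIDR form."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in HOST_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


# Transcribed from the posted rc.firewall (firewall_type fws), keeping only the
# rules that can see a packet leaving the LAN towards tun0.
POSTED_RULES = [
    Rule(10,    "deny",        "all", "192.168.20.0/24", "any",             None, "in",  "tun0"),
    Rule(11,    "deny",        "all", "any",             "192.168.20.0/24", None, "in",  "tun0"),
    Rule(12,    "deny",        "all", "me",              "any",             None, "in",  "tun0"),
    Rule(51,    "allow",       "all", "127.0.0.1/32",    "127.0.0.1/32",    None, None,  None),
    Rule(52,    "allow",       "all", "192.168.20.0/24", "192.168.20.0/24", None, None,  None),
    Rule(60,    "check-state", "all", "any",             "any",             None, None,  None),
    Rule(100,   "reset",       "tcp", "any",             "me",              113,  None,  None),
    Rule(101,   "pass",        "all", "me",              "any",             None, None,  None),
    Rule(110,   "divert",      "ip",  "192.168.20.0/24", "any",             None, "out", "tun0"),
    Rule(130,   "allow",       "all", "me",              "any",             None, None,  None),
    Rule(171,   "pass",        "tcp", "192.168.20.0/24", "any",             22,   None,  None),
    Rule(65534, "deny",        "ip",  "any",             "any",             None, None,  None),
]


def first_match(pkt, rules):
    """Return the first rule that matches pkt, as ipfw would (ignoring state)."""
    for r in rules:
        if r.action == "check-state":
            continue  # no dynamic state in this model
        if r.proto not in ("all", "ip", pkt.proto):
            continue
        if not (addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.direction is not None and r.direction != pkt.direction:
            continue
        if r.iface is not None and r.iface != pkt.iface:
            continue
        return r
    return None


def narrowed_rules(public_addr="203.0.113.5"):
    """The same rule set with rule 101 restricted to the public tun0 address
    instead of 'me'. This is an assumption made for comparison, not a change
    taken from the mail."""
    return [r._replace(src=public_addr + "/32") if r.number == 101 else r
            for r in POSTED_RULES]


# Constructed packets: a SYN to an ssh server (198.51.100.7) leaving via tun0,
# once from the jail alias and once from an ordinary LAN client.
JAIL_SSH = Packet("tcp", "192.168.20.200", "198.51.100.7", 22, "out", "tun0")
LAN_SSH = Packet("tcp", "192.168.20.50", "198.51.100.7", 22, "out", "tun0")


def rule_hit(pkt, rules=POSTED_RULES):
    """(rule number, action) of the first matching rule, or None."""
    r = first_match(pkt, rules)
    return (r.number, r.action) if r else None


if __name__ == "__main__":
    print("jail -> ssh, posted rules:      ", rule_hit(JAIL_SSH))
    print("LAN  -> ssh, posted rules:      ", rule_hit(LAN_SSH))
    print("jail -> ssh, rule 101 narrowed: ", rule_hit(JAIL_SSH, narrowed_rules()))
```

The point of the walk is rule ordering rather than any single rule: because ipfw stops at the first match, a broad stateful "pass all from me" placed before the divert rule decides the fate of every packet whose source is a host address, and a jail alias is a host address. A packet passed at 101 never reaches natd, so it leaves tun0 with its private source address and no reply can come back, which is consistent with the timeouts described in the mail; the real ipfw(8) evaluation also involves the dynamic rules and the re-injection after divert, which this model deliberately leaves out.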