Jail+Internet, part 2

From: Dejan Grujin <dgrujin(at)edv-dg.de>
Date: Sun, 14 May 2006 23:21:23 +0200

Hi everyone,

After a lot of tinkering I think I have found the bug, or rather I know where it is, but I don't know exactly how to fix it.

The hardware again:
Machine is on the net via tun0 and dyndns.
Internal NIC is vr1.
On it: 1 alias 192.168.20.200 (jail)
1 IP 192.168.20.1

natd works fine.
I took an rc.firewall script that contained nothing but an allow all from any to any, including the divert, and lo and behold, the web server is reachable from outside.

When I go back to my own rc.firewall it no longer works. So I was almost right, and it must be somewhere in the fw.

Can anyone find the error?

if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac

${fwcmd} -f flush

case ${firewall_type} in

[Ii][Cc][Ee])
        oif="tun0"

        iif="vr1"
        inet="192.168.20.0"
        imask="255.255.255.0"
        iip="192.168.20.1"

        ${fwcmd} add 10 deny log all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add 11 deny log all from any to ${inet}:${imask} in via ${oif}
        ${fwcmd} add 12 deny all from me to any in via ${oif}
        ${fwcmd} add 51 allow all from 127.0.0.1 to 127.0.0.1
        ${fwcmd} add 52 allow all from ${inet}:${imask} to ${inet}:${imask}
        ${fwcmd} add 53 allow all from any to 255.255.255.255 via 'vr1'
        ${fwcmd} add 54 allow all from 255.255.255.255 to any via 'vr1'
        ${fwcmd} add 60 check-state

        ${fwcmd} add 100 reset tcp from any to me 113
        ${fwcmd} add 101 pass all from me to any keep-state
        ${fwcmd} add 102 allow tcp from any to me 22 in via ${oif} keep-state
        ${fwcmd} add 103 allow tcp from any to me 123 in via ${oif} keep-state
        ${fwcmd} add 104 allow udp from any to me 500 in via ${oif} keep-state
        ${fwcmd} add 105 allow tcp from any to me 1723 in via ${oif} keep-state

        # NAT: hand outbound traffic from the internal net and all inbound
        # traffic on tun0 to natd (a natd must listen on each divert port used)
        ${fwcmd} add 110 divert 32002 ip from ${inet}:${imask} to any out via ${oif}
        ${fwcmd} add 111 divert 32003 ip from any to any in via ${oif}

        # Deny ping from extern over tun0 and log most
        # (ipfw syntax is "add <number> <action> ...": the rule number follows "add")
        ${fwcmd} add 120 deny log icmp from any to any in via ${oif} icmptype 8
        ${fwcmd} add 121 allow icmp from any to any out via ${oif} icmptype 8
        ${fwcmd} add 122 allow icmp from any to any in via ${oif} icmptype 0
        ${fwcmd} add 123 allow icmp from any to any via ${oif} icmptype 11
        ${fwcmd} add 124 allow icmp from any to any via ${oif} icmptype 3
        ${fwcmd} add 125 allow log icmp from any to any via ${oif}
        ${fwcmd} add 126 allow icmp from any to any

        # Allow any to me global for internal Traffic
        #${fwcmd} add 135 allow all from ${inet}:${imask} to any
        ${fwcmd} add 130 allow all from me to any

        # Allow http/https to extern
        ${fwcmd} add 150 allow tcp from ${inet}:${imask} to any 80
        ${fwcmd} add 151 allow tcp from ${inet}:${imask} to any 81
        ${fwcmd} add 152 allow tcp from ${inet}:${imask} to any 443
        ${fwcmd} add 153 allow tcp from ${inet}:${imask} to any 8080

        # Allow email/news
        ${fwcmd} add 160 pass tcp from any to me 25 setup
        ${fwcmd} add 161 pass tcp from ${inet}:${imask} to any 25
        ${fwcmd} add 162 pass tcp from ${inet}:${imask} to any 110
        ${fwcmd} add 163 pass tcp from ${inet}:${imask} to any 119

        # Allow telnet/ssh to outside
        ${fwcmd} add 170 pass tcp from ${inet}:${imask} to any 23
        ${fwcmd} add 171 pass tcp from ${inet}:${imask} to any 22

        # Allow ftp
        ${fwcmd} add 200 pass tcp from ${inet}:${imask} to any 21
        ${fwcmd} add 201 pass tcp from ${inet}:${imask} to any 20

        # Allow IPSEC/VPN
        #${fwcmd} add 210 pass tcp from ${inet}:${imask} to any 1723
        ${fwcmd} add 211 pass udp from ${inet}:${imask} to any 500

        # Allow Traffic from I-Net
        ${fwcmd} add 60000 allow tcp from any to ${inet}:${imask}
        ${fwcmd} add 60001 allow udp from any to ${inet}:${imask}

        ${fwcmd} add 65534 deny log ip from any to any
        ;;

*)
        if [ -r "${firewall_type}" ]; then
                ${fwcmd} ${firewall_flags} ${firewall_type}
        fi
        ;;
esac

Thanks in advance for any suggested solutions.

Regards, Dejan

To Unsubscribe: send mail to majordomo(at)de.FreeBSD.org
with "unsubscribe de-bsd-questions" in the body of the message
Received on Sun 14 May 2006 - 23:22:38 CEST
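The following is an added example, not part of the post above and not FreeBSD code. It is a small Python model of ipfw's first-match evaluation for the keywords the posted script uses (proto, from/to with addr:mask, destination port, in/out, via, reset, divert) and traces the three packets that make up the web-server exchange the post describes: the client's inbound SYN to port 80, the jail's reply, and, for comparison, an ordinary LAN client browsing out. Everything not in the post is an assumption and is labelled as such in the code: the public tun0 address 198.51.100.7, a natd doing redirect_port for the jail's port 80 plus source NAT outbound, and 'me' covering the jail alias 192.168.20.200 (the post says it is an alias on vr1, and ipfw's 'me' matches every address configured on the host). Dynamic state is ignored because none of these packets belongs to a connection that earlier hit a keep-state rule, and rules that cannot match them (ICMP, broadcast, other ports) are left out. Under this model the inbound SYN is diverted at rule 111 and accepted at 60000, the LAN client's packet is diverted at 110 and accepted at 130, but the jail's reply, whose source is 'me', is passed by rule 101 before it ever reaches the outbound divert at 110.

```python
"""ipfw first-match trace of the posted ruleset (added example, simplified model).
Assumed, not in the post: the public tun0 address, natd's redirect_port for the
jail's port 80, and that 'me' includes the jail alias (the post says it is an
alias on vr1). check-state/keep-state are ignored: none of the traced packets
belongs to a connection that earlier created dynamic state. Rules that cannot
match these TCP packets (ICMP, broadcast, other ports) are left out."""
import ipaddress

PUBLIC = "198.51.100.7"                   # assumed tun0 address (documentation range)
JAIL = "192.168.20.200"                   # jail alias on vr1, from the post
ME = {PUBLIC, "192.168.20.1", JAIL, "127.0.0.1"}
REDIRECT = {(PUBLIC, 80): (JAIL, 80)}     # assumed natd "redirect_port tcp JAIL:80 80"
LAN = "192.168.20.0:255.255.255.0"

RULES = f"""
10 deny log all from {LAN} to any in via tun0
11 deny log all from any to {LAN} in via tun0
12 deny all from me to any in via tun0
100 reset tcp from any to me 113
101 pass all from me to any keep-state
102 allow tcp from any to me 22 in via tun0 keep-state
110 divert 32002 ip from {LAN} to any out via tun0
111 divert 32003 ip from any to any in via tun0
130 allow all from me to any
60000 allow tcp from any to {LAN}
65534 deny log ip from any to any
"""

def parse(line):
    """Parse the subset of ipfw rule syntax used above into a dict."""
    tok = line.split()
    r = {"num": int(tok[0]), "action": tok[1], "dport": None, "dir": None, "via": None}
    i = 3 if r["action"] == "divert" else 2       # skip the divert port
    i += tok[i] == "log"                          # 'log' does not affect matching
    r["proto"], r["src"], r["dst"] = tok[i], tok[i + 2], tok[i + 4]
    i += 5
    while i < len(tok):                           # options: dst port, in/out, via
        if tok[i].isdigit():
            r["dport"] = int(tok[i])
        elif tok[i] in ("in", "out"):
            r["dir"] = tok[i]
        elif tok[i] == "via":
            i, r["via"] = i + 1, tok[i + 1]
        i += 1                                    # keep-state: no effect here
    return r

def addr_match(spec, ip):
    if spec in ("any", "me"):
        return spec == "any" or ip in ME
    if ":" in spec:                               # ipfw addr:mask notation
        net, mask = spec.split(":")
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}")
    return spec == ip

def matches(r, p):
    return (r["proto"] in ("all", "ip", p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and r["dport"] in (None, p["dport"])
            and r["dir"] in (None, p["dir"])
            and r["via"] in (None, p["iface"]))

def natd(p):
    """Assumed natd behaviour: redirect_port on the way in, source NAT on the way out."""
    p = dict(p)
    if p["dir"] == "in" and (p["dst"], p["dport"]) in REDIRECT:
        p["dst"], p["dport"] = REDIRECT[(p["dst"], p["dport"])]
    elif p["dir"] == "out":
        p["src"] = PUBLIC
    return p

def trace(packet):
    """Walk the rules in order; a divert translates and continues at the next rule."""
    p, diverted = dict(packet), []
    for r in (parse(ln) for ln in RULES.strip().splitlines()):
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            diverted.append(r["num"])
            p = natd(p)
            continue
        return {"verdict": "allow" if r["action"] in ("allow", "pass") else "deny",
                "rule": r["num"], "diverted": diverted, "src": p["src"], "dst": p["dst"]}
    raise AssertionError("rule 65534 should have matched")

def pkt(src, sport, dst, dport, direction):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "dir": direction, "iface": "tun0"}

# Constructed sample traffic: client 203.0.113.5 fetches the jail's web page;
# LAN host 192.168.20.50 browses out through natd.
INBOUND_SYN = pkt("203.0.113.5", 40000, PUBLIC, 80, "in")
JAIL_REPLY = pkt(JAIL, 80, "203.0.113.5", 40000, "out")
LAN_CLIENT = pkt("192.168.20.50", 50000, "203.0.113.5", 80, "out")

def web_exchange():
    """First-matching rule for each packet; note the reply never reaches rule 110."""
    return {"inbound": trace(INBOUND_SYN), "reply": trace(JAIL_REPLY),
            "lan_client": trace(LAN_CLIENT)}
```

Calling web_exchange() shows the first rule each packet hits together with the addresses it carries at that point; a packet whose source is still a 192.168.20.x address when it is accepted for tun0 has left the box without passing through natd. On a real host the same question can be checked against the live ruleset with ipfw -a list (per-rule packet counters) while a single request is made from outside.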
