Hello Everyone,

If this kind of subject is answered somewhere, I apologize for this. I am trying to set up OpenBSD 3.4 with 2 NICs: one is the external interface with NAT and the other is the internal interface for the LAN, which shares internet through the external interface and a proxy server.

LAN users need to define the proxy for connecting to the net, and the f/w's internal IP as gateway.

In the LAN I want to define a policy for certain IPs for mail, web and chat access, and the rest of the non-defined IPs will be blocked.

I have the following rules, in which it's working for mailusers, but anyone from the network can access the web.

--------------------------------------------------------------------------------------------
#
ext_if = "rl0"
int_if = "rl1" # 192.168.5.1/32
proxy_ip= "192.168.50.2"
int_lan = "192.168.5.0/24"

#
icmp_types = "echoreq"
mail_ports = "{ 25, 110 }"
irc_ports = "{ 1863, 5050 }"
Proto = "{ tcp,udp }"
web_ports = "{ 80, 443 }"
tcp_services= "{ 22, 23 }"

#
table <webusers> { 192.168.5.2/32, 192.168.5.3/32, 192.168.5.4/32,
    !192.168.5.0/25 }
table <mailusers> { 192.168.5.6/32 }
table <im> { 192.168.5.30/32 }
#
table <bogusip> { 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8,
    169.254.0.0/16, 172.16.0.0/13, 192.0.2.0/24, 192.168.0.0/16, 204.152.64.0/23,
    224.0.0.0/3, 255.255.255.255/32 }

# Optimization
#
# Normalization
scrub all
## Queueing ##
##############

# Translation
no nat on rl0 proto ah from 192.168.5.0/24 to any
nat on rl0 from 192.168.5.0/24 to any -> (rl0)
# Redirection
no rdr on $int_if inet proto tcp from $proxy_ip to any port 80
rdr on $int_if inet proto tcp from 192.168.5.0/24 to any \
    port 80 -> $proxy_ip port 80
# Packet Filtering
## Default Policy
block in all
# Do not allow spoofing of private block addresses (in or out)
block in log quick on $ext_if from <bogsip> to any
block out quick on $ext_if from any to <bogusip>
#
block quick proto udp from any port { 137, 138 }
block quick proto udp to any port { 137, 138 }

# block IRC ports
block out on $ext_if proto $Proto from <im> to any port $irc_ports
block in on $ext_if proto $Proto from <im> to any port $irc_ports

#allow ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types keep state

#allow web browsing from localnet
pass in quick on $int_if proto udp from <webusers> to any port=53 \
    keep state queue webusers
pass in quick on $int_if proto tcp from <webusers> to any port $web_ports \
    flags S/SA keep state queue webusers

#allow only mail access
pass out on $int_if proto tcp from <mailusers> to any flags S/SA keep state \
    queue mail
pass in on $int_if proto tcp from <mailusers> to any port $mail_ports \
    flags S/SA keep state queue mail

# SSH Connection
pass in on $int_if inet proto tcp from 192.168.5.1 to any \
    port $tcp_services flags S/SA keep state
pass in on $int_if inet proto tcp from 192.168.5.2 to any \
    port $tcp_services flags S/SA keep state
-------------------------------------------------------------------------------

I'd appreciate it if someone could figure out my mistake in the config.

Thanks
Balen.
Balen wrote:
> Hello Everyone,
>
> If this kind of subject is answered somewhere, I apologize for this. I
> am trying to set up OpenBSD 3.4 with 2 NICs: one is the external interface
> with NAT and the other is the internal interface for the LAN, which shares internet
> through the external interface and a proxy server.
>
> LAN users need to define the proxy for connecting to the net, and the f/w's
> internal IP as gateway.
>
> In the LAN I want to define a policy for certain IPs for mail, web and chat
> access, and the rest of the non-defined IPs will be blocked.
>
> I have the following rules, in which it's working for mailusers, but
> anyone from the network can access the web.
> --------------------------------------------------------------------------------------------
> #
> ext_if = "rl0"
> int_if = "rl1" # 192.168.5.1/32
> proxy_ip= "192.168.50.2"
> int_lan = "192.168.5.0/24"
>
> #
> icmp_types = "echoreq"
> mail_ports = "{ 25, 110 }"
> irc_ports = "{ 1863, 5050 }"
> Proto = "{ tcp,udp }"
> web_ports = "{ 80, 443 }"
> tcp_services= "{ 22, 23 }"
>
> #
> table <webusers> { 192.168.5.2/32, 192.168.5.3/32, 192.168.5.4/32,
>     !192.168.5.0/25 }
> table <mailusers> { 192.168.5.6/32 }
> table <im> { 192.168.5.30/32 }
> #
> table <bogusip> { 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8,
>     169.254.0.0/16, 172.16.0.0/13, 192.0.2.0/24, 192.168.0.0/16, 204.152.64.0/23,
>     224.0.0.0/3, 255.255.255.255/32 }
>
> # Optimization
> #
> # Normalization
> scrub all
> ## Queueing ##
> ##############
>
> # Translation
> no nat on rl0 proto ah from 192.168.5.0/24 to any
> nat on rl0 from 192.168.5.0/24 to any -> (rl0)
> # Redirection
> no rdr on $int_if inet proto tcp from $proxy_ip to any port 80
> rdr on $int_if inet proto tcp from 192.168.5.0/24 to any \
>     port 80 -> $proxy_ip port 80
> # Packet Filtering
> ## Default Policy
> block in all
> # Do not allow spoofing of private block addresses (in or out)
> block in log quick on $ext_if from <bogsip> to any
> block out quick on $ext_if from any to <bogusip>
> #
> block quick proto udp from any port { 137, 138 }
> block quick proto udp to any port { 137, 138 }
>
> # block IRC ports
> block out on $ext_if proto $Proto from <im> to any port $irc_ports
> block in on $ext_if proto $Proto from <im> to any port $irc_ports
>
> #allow ICMP traffic
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> #allow web browsing from localnet
> pass in quick on $int_if proto udp from <webusers> to any port=53 \
>     keep state queue webusers
> pass in quick on $int_if proto tcp from <webusers> to any port $web_ports \
>     flags S/SA keep state queue webusers
>
> #allow only mail access
> pass out on $int_if proto tcp from <mailusers> to any flags S/SA keep state \
>     queue mail
> pass in on $int_if proto tcp from <mailusers> to any port $mail_ports \
>     flags S/SA keep state queue mail
>
> # SSH Connection
> pass in on $int_if inet proto tcp from 192.168.5.1 to any \
>     port $tcp_services flags S/SA keep state
> pass in on $int_if inet proto tcp from 192.168.5.2 to any \
>     port $tcp_services flags S/SA keep state
> -------------------------------------------------------------------------------
>
> I'd appreciate it if someone could figure out my mistake in the config.
>
> Thanks
> Balen.

table <webusers> { 192.168.5.2/32, 192.168.5.3/32, 192.168.5.4/32,
    !192.168.5.0/25 }

!192.168.5.0/25 is redundant, because it is not limiting the first set. If you're not in the table, you're not in the table; no need to make that explicit. Useful options for !ip are for limiting a group:

{ 192.168.5.0/25 (group), !192.168.5.2/32, 192.168.5.3/32, 192.168.5.4/32 (exceptions) }

You don't have a problem that everyone can reach the internet, because they can't. The proxy, however, can reach the internet, and secondly all internal hosts can reach the proxy, because they can reach the proxy directly (it's on the internal network). Try reaching an https:// page from such a host. My guess is they can't, because traffic is only redirected for port 80.

Hope this helps,
Niels
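The reply's point is that a packet filter can only enforce policy on traffic that crosses it: while the proxy sits on the same segment as the LAN hosts, any host can talk to it directly, and the rdr rule only ever catches port 80, so https fails for everyone. The ruleset below is an added example written for this thread, not part of the original posts. It assumes the proxy is moved behind the firewall onto a third interface rl2 (192.168.50.1/24 on the firewall, proxy still at 192.168.50.2), that the proxy listens on TCP 3128, and that LAN browsers are configured to use it explicitly (as the original post says they must), so no rdr rule is needed and https works through the proxy's CONNECT method. The queue names from the posted ruleset are left out because no queues are defined on the page. (Note also that the posted ruleset references a table <bogsip> while defining <bogusip>; the name must match the defined table for the anti-spoof rule to refer to the intended addresses.)

```pf
# Added example (not from the thread). Assumed topology: rl0 external, rl1 LAN,
# rl2 a separate proxy segment so that LAN hosts can only reach the proxy
# through the firewall. Proxy port 3128 and the rl2 addressing are assumptions.
ext_if     = "rl0"
int_if     = "rl1"              # 192.168.5.1/24, LAN
proxy_if   = "rl2"              # 192.168.50.1/24, proxy segment (assumed)
proxy_ip   = "192.168.50.2"
proxy_port = "3128"             # assumed proxy listening port
int_lan    = "192.168.5.0/24"
proxy_net  = "192.168.50.0/24"

mail_ports = "{ 25, 110 }"
web_ports  = "{ 80, 443 }"
icmp_types = "echoreq"

# Who gets what. A host that appears in no table can reach nothing: there is
# no need for negated entries such as !192.168.5.0/25 inside the tables.
table <webusers>  { 192.168.5.2, 192.168.5.3, 192.168.5.4 }
table <mailusers> { 192.168.5.6 }

scrub in all

# Only the proxy and the mail clients are ever translated. Everyone else has
# no path out even if a filter rule is loosened by mistake later.
nat on $ext_if from $proxy_ip   to any -> ($ext_if)
nat on $ext_if from <mailusers> to any -> ($ext_if)

# Default deny on ingress of every interface, logged to pflog0. As in the
# posted ruleset, egress is open; the state created by each "pass in" rule
# covers the packet leaving on the other interface and the replies.
block in log all
pass quick on lo0 all

# Anti-spoofing on the inside interfaces: only the attached prefix may enter.
block in log quick on $int_if   from ! $int_lan   to any
block in log quick on $proxy_if from ! $proxy_net to any

# LAN: web users may open connections only to the proxy's listening port.
# Everything else from the LAN, including direct 80/443, hits the default block.
pass in on $int_if proto tcp from <webusers> to $proxy_ip port $proxy_port \
    flags S/SA keep state

# Proxy segment: the proxy fetches http/https on the users' behalf and resolves
# names; it is not allowed to talk back into the LAN on those ports.
pass in on $proxy_if proto tcp from $proxy_ip to ! $int_lan port $web_ports \
    flags S/SA keep state
pass in on $proxy_if proto udp from $proxy_ip to ! $int_lan port 53 keep state

# Mail clients: direct SMTP/POP3 plus DNS to look up the mail server.
pass in on $int_if proto tcp from <mailusers> to any port $mail_ports \
    flags S/SA keep state
pass in on $int_if proto udp from <mailusers> to any port 53 keep state

# Ping from the LAN for troubleshooting.
pass in on $int_if inet proto icmp from $int_lan to any \
    icmp-type $icmp_types keep state
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as loaded and `pfctl -t webusers -T show` lists the table contents. Watch `tcpdump -n -e -ttt -i pflog0` while a LAN host that is not in <webusers> tries to reach the proxy port: the attempt should appear as a logged block. If the proxy cannot be moved off the LAN segment, the firewall cannot restrict who uses it at all, and the per-client access control has to be done on the proxy itself (for Squid, its acl and http_access directives).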