SEO
vBulletin Search Engine Optimization
| |||||||
| Register | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-16-2008, 04:50 AM
| ||||
| ||||
 pf and a basic DMZ Hello, Hopefully, the pf.conf file I have attached will set up an internal network, a dmz, and allow a mail server, dns server and web server to all operate securely over one static ip address on ne3 (ext_if). If any one has ideas on a: how to make this work b: how to make it simpler c: how to make it more secure then please tell me what to do, as I've read the docs and man pages, but cannot find many complete examples for a dmz, and internal network with only one static IP (external to internet). thanks, James # $OpenBSD: pf.conf 28Oct03 # macros ext_if = "ne3" int_if = "ne4" dmz_if = "ne5" webserver = 192.168.10.40 mailserver = 192.168.10.41 dnsserver = 192.168.10.42 tcp_services = "{ 22, 113 } " # did not allow ftp from subnet tcp_services = "{ 20, 21, 113 }" #tcp_services = "{ 20, 21, 113 }" icmp_types = "echoreq" priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" int_net = "{ 192.168.0.0/24 }" dmz_net = "{ 192.168.40.0/24 }" set block-policy return set loginterface $ext_if # scrub scrub in all # nat/rdr # this rule provides network address translation from internal net to internet nat on $ext_if from $int_if:network to any -> ($ext_if) # This rule directs external internet web traffic to webserver on DMZ rdr on $ext_if proto tcp from any to $ext_if port 80 -> $webserver port 80 # This rule allow the intenal network access to webserver rdr on $int_if proto tcp from $int_if to $ext_if port 80 -> $webserver port 80 # This rule directs external internet mail traffic to mailserver on DMZ rdr on $ext_if proto tcp from any to $ext_if port 25 -> $mailserver port 25 # This rule allow the intenal network access to mailserver rdr on $int_if proto tcp from $int_if to $ext_if port 25 -> $mailserver port 25 # This rule directs external internet dns traffic to dnsserver on DMZ rdr on $ext_if proto tcp from any to $ext_if port 53 -> $dnsserver port 53 # This rule allow the intenal network access to dns server rdr on $int_if proto tcp from $int_if to $ext_if port 53 -> $dnsserver port 53 # this rule keeps nat from messing up traffic between int_net and dmz servers no nat on $int_if proto tcp from $int_if to $int_net # this rule should only allow ssh from 1.2.3.4 to the webserver, pass in on $ext_if proto tcp from 1.2.3.4 to $webserver port 22 keep state # filter rules block log all pass quick on lo0 all block drop in quick on $ext_if from $priv_nets to any block drop out quick on $ext_if from any to $priv_nets pass in on $ext_if inet proto tcp from any to ($ext_if) \ port $tcp_services flags S/SA keep state pass in inet proto icmp all icmp-type $icmp_types keep state pass in on $int_if from $int_if:network to any keep state pass out on $int_if from any to $int_if:network keep state pass out on $ext_if proto tcp all modulate state flags S/SA pass out on $ext_if proto { udp, icmp } all keep state      |
|
02-16-2008, 04:50 AM
| ||||
| ||||
| Re: pf and a basic DMZ James wrote: > Hello, > > Hopefully, the pf.conf file I have > attached will set up an internal > network, a dmz, and allow a mail server, > dns server and web server to all > operate securely over one static ip > address on ne3 (ext_if). If any one has > ideas on > a: how to make this work > b: how to make it simpler > c: how to make it more secure > > then please tell me what to do, as I've > read the docs and man pages, but cannot > find many complete examples for a dmz, > and internal network with only one > static IP (external to internet). > > thanks, > James > Then you should better. Even on my website there is a close to real example... EJ -- Remove the obvious part (including the dot) for my email address. http://www.vanwesten.net for examples of ipf and pf. |
Linear Mode
