Hello,

I can comment out the general block rule and my webserver is accessible from the outside. But when I activate these general block rules, it is unreachable. Any ideas on what I'm doing wrong are most appreciated.....

Here's the file:

# $OpenBSD: pf.conf 28Oct03

# macros
ext_if = "dc0"
int_if = "ne3"
dmz_if = "xl0"
webserver = "192.168.3.16/32"
mailserver = "192.168.3.18/32"
dnsserver = "192.168.3.19/32"

# did not allow ftp from subnet
# (redefined below; only the last definition of a macro takes effect)
tcp_services = "{ 20, 21, 113 }"
# allow ssh and authentication
tcp_services = "{ 22, 80, 113 }"

# ping rules
icmp_types = "echoreq"
#icmp_types = 8

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
int_net = "{ 192.168.2.0/24 }"
dmz_net = "{ 192.168.3.0/24 }"

set block-policy return
set loginterface $ext_if

# scrub
scrub in all
scrub in on $dmz_if all no-df fragment reassemble
scrub in on $ext_if all no-df fragment reassemble
scrub in on $int_if all no-df fragment reassemble
scrub out on $ext_if all no-df random-id fragment reassemble

# nat/rdr
# this rule provides network address translation from internal net to internet
nat on $ext_if from $int_if:network to any -> ($ext_if)
# This rule allows dmz servers to retrieve packages
# from the outside internet
#nat on $ext_if from $dmz_if:network to any -> ($ext_if)

# This rule directs external internet web traffic to webserver on DMZ
# ???currently does not work
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $webserver port 80
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $webserver port 443
# These rules allow the internal network access to the webserver on http and https
rdr on $int_if proto tcp from $int_if to $ext_if port 80 -> $webserver port 80
rdr on $int_if proto tcp from $int_if to $ext_if port 443 -> $webserver port 443

# This rule directs external internet mail traffic to mailserver on DMZ
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $mailserver port 25
# This rule allows the internal network access to mailserver
rdr on $int_if proto tcp from $int_if to $ext_if port 25 -> $mailserver port 25

# These rules direct external internet dns traffic (tcp and udp) to dnsserver on DMZ
rdr on $ext_if proto tcp from any to $ext_if port 53 -> $dnsserver port 53
rdr on $ext_if proto udp from any to $ext_if port 53 -> $dnsserver port 53

# this rule keeps nat from messing up traffic between int_net and dmz servers
#no nat on $int_if proto tcp from $int_if to $dmz_if

# filter rules
block in log all
block out log all
block in inet6 all
block out inet6 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# pass localhost
pass out quick on lo0 all
pass in quick on lo0 all

# ??? This rule's variations do not allow ssh to reach dmz servers
#pass in on $ext_if inet proto tcp from any to ($ext_if) port \
#    $tcp_services flags S/SAFR keep state

# This allows pings to answer outside of the firewall
pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# ??? currently does not allow outside access to web server ???
pass in quick on $ext_if proto tcp from any to $webserver \
    port = 80 flags S/SA keep state

But when I disable these rules, it works?

# block in log all
# block out log all
On Mon, 03 Nov 2003 17:57:36 GMT, James wrote:

> Any ideas on what I'm doing wrong is
> most appreciated.....

You have no rule that would allow the redirected connections to pass out on $dmz_if (xl0), and with a default block policy, that means the connections get blocked.

> pass out on $int_if from any to
> $int_if:network keep state

This allows external and DMZ hosts to open connections to the internal network; maybe you want $dmz_if instead of (or in addition to) $int_if here?

Daniel
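Daniel's diagnosis can be confirmed on the firewall itself rather than by reading the ruleset: every rule in James's file that carries "log" writes its matching packets to pflog0, and tcpdump prints the rule number, action, direction and interface in front of each packet. The script below is an added example, not something posted in the thread and not part of pf or tcpdump; it groups such log lines by rule, interface and destination so the rule that is eating the redirected web connections stands out. The four log lines in it are constructed, not captured; their rule numbers follow the order in James's file (0 = "block in log all", 1 = "block out log all"), and the exact "rule N/M(match):" prefix varies a little between releases, which is why the parser locates fields from the "rule" and "on" tokens instead of counting from the start of the line.

```shell
#!/bin/sh
# Added example (not from the thread, pf or tcpdump): summarise what pf logs
# to pflog0, as printed by "tcpdump -n -e -ttt -r /var/log/pflog".
# PFLOG_SAMPLE is constructed, not captured from a real firewall.

PFLOG_SAMPLE='Nov 03 18:01:05.123456 rule 1/0(match): block out on xl0: 203.0.113.5.51234 > 192.168.3.16.80: S 1011:1011(0) win 65535
Nov 03 18:01:08.223456 rule 1/0(match): block out on xl0: 203.0.113.5.51235 > 192.168.3.16.80: S 1022:1022(0) win 65535
Nov 03 18:01:09.334567 rule 0/0(match): block in on dc0: 198.51.100.9.40000 > 203.0.113.1.22: S 1033:1033(0) win 5840
Nov 03 18:01:11.445678 rule 1/0(match): block out on xl0: 192.168.2.10.3333 > 192.168.3.18.25: S 1044:1044(0) win 16384'

# summarize_blocks: read tcpdump pflog lines on stdin and print
#   <count> <rule> <action> <direction> on <iface> -> <dst.port>
# one line per distinct combination, most frequent first. Fields are found
# relative to the "rule" and "on" tokens, so the timestamp format is irrelevant.
summarize_blocks() {
    awk '
    {
        r = 0; o = 0
        for (i = 1; i <= NF; i++) {
            if (r == 0 && $i == "rule") { r = i } else if (r > 0 && $i == "on") { o = i; break }
        }
        if (r == 0 || o == 0) next                 # not a pflog line
        rule = $(r + 1); sub(/\(.*$/, "", rule)    # "1/0(match):" -> "1/0"
        action = $(o - 2); dir = $(o - 1)          # "block" / "out"
        iface = $(o + 1); sub(/:$/, "", iface)     # "xl0:" -> "xl0"
        dst = $(o + 4);   sub(/:$/, "", dst)       # "192.168.3.16.80:" -> host.port
        key = rule " " action " " dir " on " iface " -> " dst
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# On the firewall:  tcpdump -n -e -ttt -r /var/log/pflog | summarize_blocks
# Against the constructed sample the top line is the redirected web traffic
# being dropped by rule 1 ("block out log all") on the DMZ interface xl0:
printf '%s\n' "$PFLOG_SAMPLE" | summarize_blocks
```

The output line "2 1/0 block out on xl0 -> 192.168.3.16.80" is exactly the symptom Daniel describes: the packets made it through the rdr and the pass in rule on dc0, then hit the default block on the way out of xl0 because no pass out rule on $dmz_if matched them.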
Hello,

Here's what I added, and it works, but I'm not so sure how secure it is:

pass in on $dmz_if from $ext_if:network to any keep state
pass out on $dmz_if from any to $dmz_if:network keep state

Doesn't this create a security hole?

James

Daniel Hartmeier wrote:
> On Mon, 03 Nov 2003 17:57:36 GMT, James wrote:
>
>> Any ideas on what I'm doing wrong is
>> most appreciated.....
>
> You have no rule that would allow the redirected connections to
> pass out on $dmz_if (xl0), and with a default block policy, that
> means the connections get blocked.
>
>> pass out on $int_if from any to
>> $int_if:network keep state
>
> This allows external and DMZ hosts to open connections to the
> internal network, maybe you want $dmz_if instead of (or in
> addition to) $int_if here?
>
> Daniel
On Mon, 03 Nov 2003 23:00:48 GMT, James wrote:

> pass in on $dmz_if from $ext_if:network
> to any keep state

This allows the DMZ to connect out, potentially to the LAN or to external hosts. The web server itself probably doesn't need that.

> pass out on $dmz_if from any to
> $dmz_if:network keep state

You can restrict this to the web server's destination address and destination port 80, if those are the only connections that should pass into the DMZ. Or allow source $int_if:network more broadly into the DMZ, but restrict external source addresses, etc.

Daniel
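Daniel's advice in the two replies above, worked into a concrete set of filter rules. This is an added example, not something posted in the thread and not from the pf project; it reuses James's macro names and interface assignments (dc0 external, ne3 internal, xl0 DMZ), assumes his rdr rules are loaded together with a udp rdr for port 53 (his file only redirects tcp 53), and is written in the OpenBSD 3.4-era syntax of the thread (explicit "keep state"). It replaces the two broad $dmz_if pass rules James added and the "pass out on $int_if from any" rule Daniel flagged.

```pf
# Added example, not from the thread: DMZ filtering the way Daniel suggests.
# Assumes James's macros ($ext_if, $int_if, $dmz_if, $webserver, $mailserver,
# $dnsserver, $int_net, $dmz_net), his rdr rules, and a udp rdr for port 53.
# The "block drop ... quick" rules for $priv_nets from his file stay in front
# of these, so spoofed private source addresses never reach the pass rules.

block in log all
block out log all

# rdr rewrites the destination before the filter runs, so on $ext_if the
# filter already sees the DMZ host address. Each redirected service needs a
# matching pair: in on $ext_if and out on $dmz_if, to that host and port only.
pass in quick on $ext_if proto tcp from any to $webserver port { 80, 443 } \
    flags S/SA keep state
pass out quick on $dmz_if proto tcp from any to $webserver port { 80, 443 } \
    flags S/SA keep state

pass in quick on $ext_if proto tcp from any to $mailserver port 25 \
    flags S/SA keep state
pass out quick on $dmz_if proto tcp from any to $mailserver port 25 \
    flags S/SA keep state

pass in quick on $ext_if proto { tcp, udp } from any to $dnsserver port 53 \
    keep state
pass out quick on $dmz_if proto { tcp, udp } from any to $dnsserver port 53 \
    keep state

# The LAN may open connections to anything in the DMZ ("allow source
# $int_if:network more broadly into the dmz"). There is still no rule that
# lets a DMZ host open a connection into the LAN.
pass in on $int_if from $int_net to any keep state
pass out quick on $dmz_if from $int_net to $dmz_net keep state

# DMZ hosts get no outbound access by default; the web server needs none.
# The mail server has to deliver mail and the name server has to query the
# outside, so allow exactly those, and never towards the LAN: state entries
# are not tied to the interface they were created on, so "to any" alone
# would let a compromised mail server reach LAN port 25 through the state.
# The external leg is covered by James's existing
#   pass out on $ext_if proto tcp all modulate state flags S/SA
#   pass out on $ext_if proto { udp, icmp } all keep state
# and DMZ hosts with private addresses also need his commented-out
#   nat on $ext_if from $dmz_if:network to any -> ($ext_if)
pass in on $dmz_if proto tcp from $mailserver to ! $int_if:network port 25 \
    flags S/SA keep state
pass in on $dmz_if proto { tcp, udp } from $dnsserver to ! $int_if:network \
    port 53 keep state

# Deliberately absent:  pass out on $int_if from any to $int_if:network
# Replies to LAN-initiated connections are matched by the state created on
# the "pass in on $int_if" rule above; a blanket pass out on $int_if is what
# allowed outside and DMZ hosts to open new connections into the LAN.
```

Load it with pfctl -nf /etc/pf.conf first to catch syntax errors, then pfctl -f /etc/pf.conf; with every block rule logged, anything this ruleset still drops shows up in /var/log/pflog with the rule number and interface, which is the quickest way to tell a missing pass out pair from an rdr that never matched.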