Hi Steve,

You need to know that the packets are first translated, then filtered.

Steve Conrad wrote:
>> #macros
>> int_if = "fxp0"
>> ext_if = "fxp1"
>> dmz_if = "fxp2"
>>
>> tcp_services = "{ 22, 113 }"
>> icmp_types = "{ 8, 11 }"
>>
>> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>> 10.0.0.0/8 }"
>>
>> #options
>> set block-policy return
>> set loginterface $ext_if
>>
>> #scrub
>> scrub in all
>>
>> # nat/rdr
>> nat on $ext_if from $int_if:network to any -> $ext_if
>> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
>> port 8021
>> rdr on $ext_if from any to $dmz_if port 22 -> port 22
>> rdr on $int_if from any to $dmz_if port 22 -> port 22
>>
>> #filter rules
>> block all
>>
>> pass quick on lo0 all
>>
>> block drop in quick on $ext_if from $priv_nets to any
>> block drop out quick on $ext_if from any to $priv_nets

This rule blocks all traffic redirected to your DMZ.

>> pass in on $ext_if inet proto tcp from any to $ext_if \
>> port $tcp_services flags S/SA keep state

This rule does not even match the problematic packets.

>> pass in inet proto icmp all icmp-type $icmp_types keep state
>>
>> pass in on $int_if from $int_if:network to any keep state
>> pass out on $int_if from any to $int_if:network keep state
>> #above rule would allow firewall to talk to internal network, ie
>> ping etc
>>
>> pass out on $ext_if proto tcp all modulate state flags S/SA
>> pass out on $ext_if proto { udp, icmp } all keep state
>
> This is basically the example from OBSD.org
>
> Can someone tell me where I am going wrong?

You are blocking the incoming translated packets, because they are directed to internal subnets. Additionally you do not even have a rule in your ruleset that would allow traffic to your DMZ.

HTH
Konfu
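To make the ordering point concrete, here is the DMZ part of the ruleset rewritten so that the filter rules match the packet as pf sees it after rdr has run. This is an added example, not code from the original post or from the OpenBSD example it was based on; it reuses the macros quoted above, and the DMZ host address 10.0.0.2 and the macro name dmz_host are assumptions chosen for illustration.

```pf
# Added example (not from the original post). Assumes the host behind
# $dmz_if has the address 10.0.0.2; the other macros are the ones quoted.
dmz_host = "10.0.0.2"

# Translation runs before filtering: once this rdr matches, every later
# filter rule sees a packet whose destination is already $dmz_host:22,
# not $ext_if:22.
rdr on $ext_if proto tcp from any to $ext_if port 22 -> $dmz_host port 22

block all

# Anti-spoofing on the external interface. The inbound rule rejects
# packets that arrive claiming a private *source*; it is evaluated
# against the translated packet, so any rule that mentions $priv_nets
# here must be written with the rewritten addresses in mind.
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# The pass rule must name the translated destination. A rule written as
# "to $ext_if port $tcp_services" never matches the redirected packet,
# because its destination is no longer $ext_if.
pass in on $ext_if inet proto tcp from any to $dmz_host port 22 \
    flags S/SA keep state

# pf's default state policy is floating, so the state created by the rule
# above also covers the same packet leaving on $dmz_if and the replies
# coming back from $dmz_host; no separate rule on $dmz_if is needed for
# this flow.
```

The check to run after loading such a ruleset is `pfctl -s rules` followed by `pfctl -s state` while a connection is attempted: the state entry should show the translated destination ($dmz_host:22), and if it never appears, the packet is being dropped by a rule that matched its post-translation addresses.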