Hello Huzeyfe,
Thank you for the help you have given. Thanks to the information you provided, the firewall is now working. Many thanks.
Regards....
Veysi Gumus
----- Original Message -----
Sent: Saturday, November 04, 2006 11:00 AM
Subject: Re: [FreeBSD] freebsd pf
Hello,
If you add the tcp protocol to the rule

    pass out quick on $ext_if proto { udp, icmp } from $ext_if to any keep state

in the "# Inbound over ADSL 1" section, you will be able to SSH to line 1. The rule should be:

    pass out quick on $ext_if proto { tcp, udp, icmp } from $ext_if to any keep state

There is no rule at all for connections coming from the internal network. If you add the rule below, the problem will be gone:

    pass in quick log on $int_if proto tcp from $lan_net to any port { 22, 25, 80, 110 } flags S/SA keep state

Additional note: the "# Local to firewall inbound" section of your rules looks non-functional.
On 11/4/06, Veysi Gümüs <[EMAIL PROTECTED]> wrote:
Hello,
I rearranged my rule table the way you described. From outside, over ADSL 2, I opened ports 25, 80 and 110 to the firewall machine and can reach them without any problem. However, over ADSL 1 I cannot reach it even though the SSH port is open. A second problem: when I load the rule table I cannot reach the firewall machine from the local machines, although I have opened ports 22, 25, 110 and 80 in the rule table. I also apologise for the trouble I am causing. I have written the latest version of the rule table below again.
Regards.....
##################################################
# Definitions
##################################################
table <msn> persist file "/usr/local/etc/fw/msn"
table <kamera> persist file "/usr/local/etc/fw/kamera"
table <ftp> persist file "/usr/local/etc/fw/ftp"
table <sigorta> persist file "/usr/local/etc/fw/sigorta"
table <banka> persist file "/usr/local/etc/fw/banka"

###################################################
# Set Optimizations
###################################################
set limit { frags 30000, states 25000 }
set loginterface $ext_if
scrub in all

##################################################
# NAT rules
##################################################
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
rdr on $int_if proto tcp from any to any port 80 -> 10.0.0.2 port 8080

##################################################
# Firewall rules
##################################################
block in all
block out all
pass in on $int_if route-to \
    { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to \
    { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

##################################################
# Inbound over ADSL 1
##################################################
pass in quick log on $ext_if proto tcp from any to any port = 22 flags S/SA
pass out quick on $ext_if proto { udp, icmp } from $ext_if to any keep state
pass out on $ext_if2 route-to ($ext_if $ext_gw1) from $ext_if to any keep state

##################################################
# Inbound over ADSL 2
##################################################
pass in quick log on $ext_if2 proto tcp from any to any port { 25, 80, 110 } flags S/SA
pass out quick on $ext_if2 proto { udp, icmp } from $ext_if2 to any keep state
pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state

##################################################
# Local to firewall inbound
##################################################
pass out quick log on $int_if proto tcp from <msn> to any port = 1863 flags S/SA
pass out quick log on $int_if proto tcp from <kamera> to any port = 18082 flags S/SA
pass out quick log on $int_if proto tcp from <sigorta> to any port = 12173 flags S/SA
pass out quick log on $int_if proto tcp from <banka> to any port = 443 flags S/SA
pass out quick log on $int_if proto tcp from <ftp> to any port = 21 flags S/SA
pass out quick log on $int_if proto tcp from any to any port { 22, 25, 80, 110 } flags S/SA
----- Original Message -----
Sent: Friday, November 03, 2006 6:42 PM
Subject: Re: [FreeBSD] freebsd pf
Hello, since what I wrote was only a reply to what you had written, the subject may not have been fully understood.
Briefly, looking at your rule table: you accept the smtp requests arriving on ext_if2 from outside. Let's look at the rule table for the packets that will reply to them:

    pass out quick on $ext_if proto { udp, icmp } from any to any keep state
    pass out quick on $ext_if2 proto { udp, icmp } from any to any keep state
    pass in quick log on $ext_if2 proto tcp from any to any port {25,80,110} flags S/SA
    pass out quick log on $ext_if2 proto tcp from any to any port {25,80,110} flags S/SA
    pass in quick log on $ext_if proto tcp from any to any port = 22 flags S/SA
    pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
    pass out on $ext_if2 route-to ($ext_if $ext_gw1) from $ext_if to any

Because you used the word quick in the topmost rule, the out rules below it are not consulted and the packets try to leave through the other interface. To make this clear, run the command tcpdump -i ext_if2 (whatever the interface name is) -tttnn tcp port 25 and try to connect from somewhere outside; you should see the incoming packets there. If you run the same command for the other interface, you can also see the packets trying to leave through that interface.
The rules I have written below are only so that the connections arriving on line 2 return over the same line. You would write the other rules accordingly.

    pass in quick log on $ext_if2 proto tcp from any to any port {25,80,110} flags S/SA
    pass out quick on $ext_if2 proto { udp, icmp } from $ext_if2 to any keep state
    pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state
On 11/3/06, Veysi Gümüs <[EMAIL PROTECTED]> wrote:
Hello Mr. Huzeyfe,
First of all, thank you for your help.
Since I have just started with FreeBSD and pf, could you explain what you are trying to describe in a bit more detail?
Even though the rules we talked about are written in the rules file, it does not work:

    pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
    pass out on $ext_if2 route-to ($ext_if $ext_gw1) from $ext_if to any

Regards...
----- Original Message -----
Sent: Friday, November 03, 2006 2:54 PM
Subject: Re: [FreeBSD] freebsd pf
Hello,
The rule I mentioned applied to the IP addresses on the internal network... The problem of not being reachable from outside may be caused by the packets trying to return over the other line. For example, the smtp packets arriving on ext2_if from outside try to go out via the default GW on their way back; if the default GW is not ext2_if, it is normal that it does not work. For it to work, the replies trying to leave via ext1_if must be redirected to ext2_if.

    pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 port 25 to any keep state

In addition, this rule set is not sufficient to do the things you want. It would be better to build it from scratch and write it step by step.
--
Huzeyfe ÖNAL
EnderUnix Core Team Member
[EMAIL PROTECTED]
http://www.enderunix.org/huzeyfe
+90 505 5260064
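The corrections from this thread assembled into one ruleset, as an added example (not the original poster's file and not Huzeyfe's own): tcp is added to the line-1 out rule, the missing LAN-to-firewall rule is included, the replies for each ADSL line are steered back to that line's gateway, and the "Local to firewall inbound" section the thread calls non-functional is left out. The macro values at the top are assumed, since the posted file never shows its macro section.

```pf
# Macro values are assumed (documentation addresses); the thread never shows them.
ext_if  = "tun0"            # 1st ADSL line
ext_if2 = "tun1"            # 2nd ADSL line
int_if  = "fxp0"            # LAN side
ext_gw1 = "192.0.2.1"
ext_gw2 = "198.51.100.1"
lan_net = "10.0.0.0/24"

set limit { frags 30000, states 25000 }
set loginterface $ext_if
scrub in all

nat on $ext_if  from $lan_net to any -> ($ext_if)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
rdr on $int_if proto tcp from any to any port 80 -> 10.0.0.2 port 8080

block in all
block out all

# LAN -> Internet, spread over both lines (unchanged from the posted rules)
pass in on $int_if route-to { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# LAN -> the firewall itself: the rule the thread found missing. Being 'quick', it
# wins over the non-quick route-to rules, so this traffic is not pushed out an ADSL line.
pass in quick log on $int_if proto tcp from $lan_net to any port { 22, 25, 80, 110 } \
    flags S/SA keep state

# Inbound on line 1 (SSH). The inbound rule is stateless, so the replies depend on the
# out rule below: tcp is added to it as the thread advises.
pass in quick log on $ext_if proto tcp from any to any port 22 flags S/SA
pass out quick on $ext_if proto { tcp, udp, icmp } from $ext_if to any keep state
pass out on $ext_if2 route-to ($ext_if $ext_gw1) from $ext_if to any keep state

# Inbound on line 2 (25/80/110). Replies that the default route would send out
# line 1 are steered back to line 2's gateway.
pass in quick log on $ext_if2 proto tcp from any to any port { 25, 80, 110 } flags S/SA
pass out quick on $ext_if2 proto { udp, icmp } from $ext_if2 to any keep state
pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it, and confirm the line-2 replies with the tcpdump -i ... -tttnn tcp port 25 check from the thread on each external interface.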