Hello,

You may use tags to separate the traffic coming from the computers of your 
users and the traffic coming from your own computer.

Hope this helps,
Maxime DERCHE

On Wed, 15 Oct 2008 13:01:05 -0300
"Ricardo Augusto de Souza" <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> I am confused with some PF rules.
> 
> I am trying to allow just some ports to my local users.
> 
> I am using block out on $ext_if but I think I would be able to choose
> the ports my LAN users will access with the rule
> 
> pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25,
> 110 } keep state .
> 
> It seems to be ok, but I had to add this rule: pass out on $ext_if from
> $ext_if to any (without this rule my box cannot connect to the
> internet). With this rule, all users can connect to any outbound port.
> 
> Question: What is the right way to have my box on the internet while my
> users can only access those selected ports?
> 
> Thanks
> 
> My pf.conf:
> 
> set loginterface xl1
> set skip on lo0
> scrub in
> 
> set require-order yes
> set state-policy if-bound
> 
> altq on xl1 priq bandwidth 50Kb queue { q_pri, q_def }
> queue q_pri priority 7
> queue q_def priority 1 priq(default)
> 
> # external interface (WAN)
> ext_if="xl1"
> # internal interface (LAN)
> int_if="xl0"
> # MPLS interface
> mpls_if ="bge0"
> # VPN tunnel interfaces
> vpn_if ="{ tun0, tun1, tun2, tun3, tun4 }"
> vpn_net ="{ 10.10.9.0/26 }"
> # Default GW
> gw="200.162.41.33"
> 
> table <badsites> persist file "/etc/badsites.txt"
> winupdate = "{ 65.54.87.0/24 } "
> 
> ############
> # Variables
> ##########
> 
> #################
> # 1 - Redirection for the staging (homologation) environment
> ###############
> ws_ip = "{ 10.10.100.21 }"
> ws_ports = "{ 8101, 8102, 8103 }"
> 
> ####################################
> # 2 - Useful variables
> ################################
> lan = "{ 10.10.0.0/16 }"
> cmt_lan = "{ 10.10.0.0/24 }"
> ti_lan = "{ 10.10.20.0/26 }"
> call_center_lan = "{ 10.10.60.0/26 }"
> rede_mpls  = "{ 10.100.0.0/16 }"
> ip_admin = "{ 10.10.20.100 }"
> msn = "207.46.0.0/16"
> 
> # ports
> portas_saida_tcp = " {25, 80, 110,443 }"
> portas_saida_udp = " { 53, 443 }"
> portas_entrada_tcp = " { 22,1981, 810} "
> portas_entrada_udp = " { 1194 }"
> ip_rose = " { 10.10.0.56 } "
> porta_rose = " { 2631 } "
> oracle_desenv = "{ 10.10.100.13, 10.10.100.14 }"
> ips_adm_ext = "{ 189.33.76.0/26 } "
> 
> # test: internet access for the MPLS stores
> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 3128 -> $int_if port 3128
> 
> # redirect to the NTP server
> rdr pass on $mpls_if inet proto udp from $rede_mpls to $mpls_if port 123 -> 10.10.100.254 port 123
> 
> # redirect so the DTC servers can send email through sol
> rdr pass on $mpls_if inet proto tcp from $rede_mpls to $mpls_if port 25 -> 10.10.0.2 port 25
> nat on $int_if from any to 10.10.0.2 -> $int_if
> 
> # transparent squid
> rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128
> 
> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1521 -> 10.10.100.13 port 1521
> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1522 -> 10.10.100.14 port 1521
> nat on $int_if from any to $oracle_desenv port 1521 -> $int_if
> 
> # redirection to the LAN; NAT was needed here too.
> rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
> nat on $int_if from any to $ws_ip -> $int_if
> 
> #################
> ##### NAT  ######
> #################
> 
> # NAT to give the LAN internet access
> nat on $ext_if from $lan to !($ext_if) -> $ext_if
> nat on $mpls_if  from $lan to any -> $mpls_if
> 
> # block everything in and everything out
> block in on $ext_if
> 
> # inbound rules
> 
> # allow everything in on the internal interface
> pass in on $int_if proto udp from $lan to $int_if port 53
> pass in on $int_if from any to $lan  modulate state
> pass in on $int_if from $rede_mpls to $lan  modulate state
> 
> # allow access from the MPLS network
> pass in quick on $mpls_if from any to any
> #pass in quick on $mpls_if from $rede_mpls to any
> 
> # allow inbound on the external interface
> pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
> pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state
> pass in quick on $ext_if proto udp from any to $ext_if port $portas_entrada_udp keep state
> pass in quick on $ext_if proto tcp from any to $int_if port 443 flags S/SAFR keep state (max 256)
> 
> # VPN
> pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
> pass in quick on $ext_if proto gre from any to $ext_if keep state
> pass out quick on $ext_if proto gre from $ext_if to any keep state
> pass in quick on $vpn_if all
> pass out quick on $vpn_if all
> 
> pass in quick on $int_if from $vpn_net to any modulate state
> pass in quick on $mpls_if from $vpn_net to any modulate state
> 
> # outbound rules
> antispoof quick for { lo $int_if }
> pass out on $int_if from any to $lan  keep state
> pass out on $mpls_if from $mpls_if to any modulate state
> #####
> # forbid all outbound traffic
> block out on $ext_if
> #pass out on $ext_if from $ext_if to any modulate state
> 
> pass out quick on $ext_if proto tcp from any to any port $portas_saida_tcp modulate state queue (q_def, q_pri)
> pass out quick on $ext_if proto tcp from $ip_rose port 1024:65535 to 200.201.174.0/24 port { 80, 2631 } modulate state
> 
> # allow full access for the administrators
> #pass out on $ext_if from $ip_admin to any modulate state
> 
> pass out on $ext_if proto tcp from $ext_if  to any  modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> 
> # block msn
> pass out quick inet proto tcp from $ip_admin to $msn port { 80, 1863 }
> block out quick proto tcp from any to $msn port { 80, 1863 }
> # block access to these sites
> block out on $ext_if from any to <badsites>
> block out on $ext_if from any to $winupdate
> 


-- 
Maxime DERCHE : maxime /at/ mouet-mouet.net | maxime.derche /at/ free.fr
GnuPG public key ID : 0xDEF810D6 (fingerprint : D99F 3827 732C DD5D B472 D6EF 
C3FA 81F7 DEF8 10D6)
http://www.mouet-mouet.net/maxime/blog/index.php
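
An added example of what Maxime suggests; it is not part of either message. The reason the extra rule opened everything up is that, on the pf of that era (before the OpenBSD 4.7 rewrite), nat rules are applied before the outbound filter rules, so by the time a LAN packet is filtered out on $ext_if its source address is already the firewall's own. "pass out on $ext_if from $ext_if to any" therefore matches the users' translated packets as well as the box's. A tag applied as the traffic enters on $int_if is attached to the packet and its state rather than to an address, so it survives translation and lets the outbound rules on $ext_if tell the two apart. Interface, network and macro names are taken from Ricardo's pf.conf; the tag name LAN_USERS is chosen here.

```pf
# Added example (not from the original post): separate LAN-originated
# traffic from the firewall's own traffic with pf tags, so the outbound
# policy on the external interface can differ for each.
ext_if="xl1"
int_if="xl0"
lan="{ 10.10.0.0/16 }"
portas_saida_tcp="{ 25, 80, 110, 443 }"

set skip on lo0
set state-policy if-bound   # as in the quoted pf.conf

nat on $ext_if from $lan to !($ext_if) -> $ext_if

block in on $ext_if
block out on $ext_if

# Traffic entering from the LAN is tagged as it passes in on the internal
# interface. Tags are sticky and are kept in the state entry, and they are
# not touched by nat, so the outbound filter on $ext_if can still tell this
# traffic from packets the box generated itself.
pass in on $int_if from $lan to any keep state tag LAN_USERS

# LAN users: only the selected TCP ports (plus DNS) may leave.
pass out on $ext_if proto tcp from any to any port $portas_saida_tcp \
    keep state tagged LAN_USERS
pass out on $ext_if proto udp from any to any port 53 \
    keep state tagged LAN_USERS

# The firewall itself: packets that never entered on $int_if carry no tag,
# so "! tagged LAN_USERS" matches only what the box originates (and any
# other untagged traffic you may have let in elsewhere, so tag that too).
pass out on $ext_if from $ext_if to any keep state ! tagged LAN_USERS
```

The `pass in` line on $int_if still has to exist, because with `set state-policy if-bound` the state created there does not cover the second evaluation on $ext_if; the tag is what links the two. If a later rule is meant to give the administrators more (the commented-out $ip_admin rule), give that traffic a second tag on the way in rather than matching on its address after NAT.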
