Re: [FreeBSD] freebsd pf

2006-11-04 Subject Huzeyfe Onal
Hello,

If you also add the tcp protocol to the rule

    pass out quick on $ext_if proto { udp, icmp } from $ext_if to any keep state

in the "Incoming via ADSL 1" (#1.Adsl Uzerinden Gelisler) section, you will be able to SSH to connection 1. The rule should be:

    pass out quick on $ext_if proto { tcp, udp, icmp } from $ext_if to any keep state

There is no rule at all for traffic coming from the internal network. If you add the rule below, the problem will be gone:

    pass in quick log on $int_if proto tcp from $lan_net to any port { 22, 25, 80, 110 } flags S/SA keep state

Additional note: the "From local to firewall" (#Localden Firewall Gelisler) section of your rules looks non-functional.

On 11/4/06, Veysi Gümüs [EMAIL PROTECTED] wrote:

hello,

I rearranged my rule table the way you described. From outside, via ADSL 2, I had opened ports 25, 80, 110 to the firewall machine and I can reach them without any problem. But via ADSL 1 I cannot reach it, even though the SSH port is open. A second problem: when I load the rule table I cannot reach the firewall machine from the local machines, although I have opened ports 22 25 110 80 in the rule table. I also apologize for the inconvenience I have caused. I have written the latest version of the rule table again below.

regards.


 
### Macros ###
lan_net = "{ 10.0.0.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 }"
int_if = "bge0"
ext_if = "vr0"
ext_if2 = "vr1"
ext_gw1 = "192.168.100.213"
ext_gw2 = "192.168.110.25"

### Definitions ##
table <msn> persist file "/usr/local/etc/fw/msn"
table <kamera> persist file "/usr/local/etc/fw/kamera"
table <ftp> persist file "/usr/local/etc/fw/ftp"
table <sigorta> persist file "/usr/local/etc/fw/sigorta"
table <banka> persist file "/usr/local/etc/fw/banka"

### Set Optimizations ###
set limit { frags 3, states 25000 }
set loginterface $ext_if
scrub in all

### NAT rules ##
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
rdr on $int_if proto tcp from any to any port 80 -> 10.0.0.2 port 8080

### Firewall rules ##
block in all
block out all
pass in on $int_if route-to \
    { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

pass in on $int_if route-to \
    { ($ext_if $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

### Incoming via ADSL 1 ##
pass in quick log on $ext_if proto tcp from any to any port = 22 flags S/SA
pass out quick on $ext_if proto { udp, icmp } from $ext_if to any keep state
pass out on $ext_if2 route-to ($ext_if $ext_gw1) from $ext_if to any keep state

### Incoming via ADSL 2 ##
pass in quick log on $ext_if2 proto tcp from any to any port { 25, 80, 110 } flags S/SA
pass out quick on $ext_if2 proto { udp, icmp } from $ext_if2 to any keep state
pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any keep state

### From local to firewall ##
pass out quick log on $int_if proto tcp from <msn> to any port = 1863 flags S/SA
pass out quick log on $int_if proto tcp from <kamera> to any port = 18082 flags S/SA
pass out quick log on $int_if proto tcp from <sigorta> to any port = 12173 flags S/SA
pass out quick log on $int_if proto tcp from <banka> to any port = 443 flags S/SA
pass out quick log on $int_if proto tcp from <ftp> to any port = 21 flags S/SA
pass out quick log on $int_if proto tcp from any to any port { 22, 25, 80, 110 } flags S/SA

  ----- Original Message -----
  From: Huzeyfe Onal
  To: freebsd@lists.enderunix.org
  Sent: Friday, November 03, 2006 6:42 PM
  Subject: Re: [FreeBSD] freebsd pf

  Hello,
  Since what I wrote was only a reply to what you had written, the subject may not have come across fully. Briefly, looking at your rule table: you accept the SMTP requests arriving on ext_if2 from outside; let's look at the rule table for the packets that will reply to them:

      pass out quick on $ext_if proto { udp, icmp } from any to any keep state
      pass out quick on $ext_if2 proto { udp, icmp } from any to any keep state
      pass in quick log on $ext_if2 proto tcp from any to any port {25,80,110} flags S/SA
      pass out quick log on $ext_if2 proto tcp from any to any port {25,80,110} flags S/SA
      pass in quick log on $ext_if proto tcp from any to any port = 22 flags S/SA
      pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
      pass
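The two corrections Huzeyfe gives above, written out as the affected pf.conf sections with the reasoning in comments. This is an added example, not text from the thread; it uses the macros and interface names from Veysi's ruleset, and the stateful variant at the end is an alternative added here, not something the thread proposes.

```pf
### Incoming via ADSL 1 ## (corrected)
# The SSH rule has no "keep state", so in the pf of that era no state is
# created for the connection and the firewall's own SYN-ACK replies are
# evaluated against the outbound rules, where "block out all" applies.
pass in quick log on $ext_if proto tcp from any to any port = 22 flags S/SA

# Weak form (from the thread): replies from the firewall's own address
# may only leave as udp or icmp, so the tcp reply to the SYN is dropped.
# pass out quick on $ext_if proto { udp, icmp } from $ext_if to any keep state

# Corrected form: tcp added, so the SSH replies can leave on $ext_if.
pass out quick on $ext_if proto { tcp, udp, icmp } from $ext_if to any keep state
pass out on $ext_if2 route-to ($ext_if $ext_gw1) from $ext_if to any keep state

### LAN to firewall ##
# Connections from the LAN to the firewall's own services arrive *in* on
# $int_if. The original "pass out ... on $int_if" rules only match traffic
# leaving toward the LAN and never see these packets, so "block in all"
# wins. A stateful pass-in rule is needed; once the state exists, the
# replies are matched by the state entry and bypass the outbound rules.
pass in quick log on $int_if proto tcp from $lan_net to any port { 22, 25, 80, 110 } flags S/SA keep state

# Alternative not proposed in the thread: make the SSH rule itself
# stateful. The reply is then handled by the state entry, and the
# protocol list of the pass-out rule no longer matters for SSH.
# pass in quick log on $ext_if proto tcp from any to any port = 22 flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` afterwards shows whether a state was created for the SSH connection.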

Re: [FreeBSD] freebsd pf

2006-11-04 Subject Veysi Gümüs



Hi Huzeyfe,
Thank you for the help you have given. Thanks to the information you provided, the firewall is working now. Many thanks.

Regards
Veysi Gumus


  ----- Original Message -----
  From: Huzeyfe Onal
  To: freebsd@lists.enderunix.org
  Sent: Saturday, November 04, 2006 11:00 AM
  Subject: Re: [FreeBSD] freebsd pf