Hello,

In PF, NAT rules are processed from top to bottom. Therefore we need to
write the no nat rule earlier.


On 11/27/06, Muammer Dogan <[EMAIL PROTECTED]> wrote:

Hello

I have a setup like the one below. I am using ipfw, but I want to switch to
pf. My local servers reach the internet over the LL, NATed to different IPs.
When I activate pf with the rules below, all machines reach the internet
without problems. However, although the machines in the server group are
routed correctly, they are NATed while being routed, and this causes
problems. Could I be making a mistake in the "no nat" line or in the rules?
I would also like to hear your recommendations for a setup like this.
Thanks in advance for your help,

Regards

Muammer

10.11.1.3 Adsl ----------|
                         |          10.11.1.5
                         |----------------| FreeBSD |------------------ LAN 192.168.0.0/24
                         |                            192.168.0.5
10.11.1.4 LL ------------|

###################################################

ext_if="bge0"
int_if="vr0"
ext_ip="10.11.1.5"
int_ip="192.168.0.5"
lan_net="192.168.0.0/24"

LL="10.11.1.4"
UsR="10.11.1.3"

SERVERS="{192.168.0.11, 192.168.0.30, 192.168.0.31, 192.168.0.33, 192.168.0.114/28, 192.168.0.137, 192.168.0.140, 192.168.0.141}"

set limit { frags 30000, states 25000 }
set loginterface $ext_if
scrub in all

nat on $ext_if from $lan_net to any -> ($ext_if)
no nat on $ext_if from $SERVERS to any
##################################

pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net

pass in quick on $int_if from $lan_net to $int_if

pass in on $int_if route-to ($ext_if $LL) proto tcp from $SERVERS to any flags S/SA modulate state
pass in on $int_if route-to ($ext_if $LL) proto { udp, icmp } from $SERVERS to any keep state

############################
pass in on $ext_if all
pass out on $ext_if all
#block in on $ext_if all

pass out on $ext_if proto tcp from any to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from any to any keep state

pass in on $ext_if proto tcp from any to $ext_ip port {22, 80, 1723} flags S/SA modulate state  #ssh, www, vpn
pass in on $ext_if proto icmp from any to $ext_ip keep state
pass in on $ext_if proto tcp from any to 192.168.0.141 port {25, 110, 80} flags S/SA modulate state


--
Huzeyfe ÖNAL
EnderUnix Core Team Member
[EMAIL PROTECTED]
http://www.enderunix.org/huzeyfe
+90 555 255 4593

Have you subscribed to the network security list?
http://www.huzeyfe.net/netsec.html
---
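As an added illustration that is not part of either message, this is the translation section of the quoted pf.conf with the ordering the reply calls for. PF evaluates nat/rdr/binat rules first-match, so the exemption for the server group has to appear before the general nat rule; the macros and addresses are the ones from the original message.

```pf
# Macros as defined in the quoted pf.conf (values from the original message)
ext_if="bge0"
int_if="vr0"
LL="10.11.1.4"
lan_net="192.168.0.0/24"
SERVERS="{192.168.0.11, 192.168.0.30, 192.168.0.31, 192.168.0.33, 192.168.0.114/28, 192.168.0.137, 192.168.0.140, 192.168.0.141}"

# Translation rules are matched first-to-last and the FIRST match wins,
# so the exemption must come before the catch-all nat rule. With the
# original order, "nat ... from $lan_net" already matched the servers
# (they are inside 192.168.0.0/24) and the "no nat" line was never reached.
no nat on $ext_if from $SERVERS to any

# Everything else on the LAN is NATed to the external interface address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Policy routing for the server group is unchanged from the original:
# their packets leave via the LL gateway with their own source address.
pass in on $int_if route-to ($ext_if $LL) proto tcp from $SERVERS to any flags S/SA modulate state
pass in on $int_if route-to ($ext_if $LL) proto { udp, icmp } from $SERVERS to any keep state
```

After loading the file, `pfctl -s nat` prints the translation rules in the order PF evaluates them, so the no nat line should be listed before the nat line.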
