Is it possible to filter outgoing packets on $ext_if even when doing NAT? I mean, after

    nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if)

all packets from 10.10.0.0/16 will be translated to $ext_if. I wish I could filter 10.10.0.0/16 packets on $ext_if.

Is it possible? Thanks

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Ricardo Augusto de Souza
Sent: Wednesday, 15 October 2008 13:01
To: [email protected]
Subject: Filtering outgoing connections in pf

Hi,

I AM confused with some PF rules. I am trying to allow just some ports to my local users. I am using block out on $ext_if, but I think I would be able to choose the ports my LAN users will access with the rule

    pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25, 110 } keep state

It seems to be ok, but I had to add this rule:

    pass out on $ext_if from $ext_if to any

(without this rule my box cannot connect to the internet). With this rule, all users can connect to any outgoing port.

Question: What is the right way to have my box on the internet while my users can only access those selected ports?

Thanks

My pf.conf:

set loginterface xl1
set skip on lo0
scrub in
set require-order yes
set state-policy if-bound

altq on xl1 priq bandwidth 50Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# external WAN interface
ext_if="xl1"
# internal LAN interface
int_if="xl0"
# MPLS interface
mpls_if="bge0"
# VPN tunnel interfaces
vpn_if="{ tun0, tun1, tun2, tun3, tun4 }"
vpn_net="{ 10.10.9.0/26 }"
# default GW
gw="200.162.41.33"

table <badsites> persist file "/etc/badsites.txt"
winupdate="{ 65.54.87.0/24 }"

############
# Variables
############

#################
# 1 - Redirect to the staging environment
#################
ws_ip="{ 10.10.100.21 }"
ws_ports="{ 8101, 8102, 8103 }"

####################################
# 2 - Useful variables
####################################
lan="{ 10.10.0.0/16 }"
cmt_lan="{ 10.10.0.0/24 }"
ti_lan="{ 10.10.20.0/26 }"
call_center_lan="{ 10.10.60.0/26 }"
rede_mpls="{ 10.100.0.0/16 }"
ip_admin="{ 10.10.20.100 }"
msn="207.46.0.0/16"

# ports
portas_saida_tcp="{ 25, 80, 110, 443 }"
portas_saida_udp="{ 53, 443 }"
portas_entrada_tcp="{ 22, 1981, 810 }"
portas_entrada_udp="{ 1194 }"
ip_rose="{ 10.10.0.56 }"
porta_rose="{ 2631 }"
oracle_desenv="{ 10.10.100.13, 10.10.100.14 }"
ips_adm_ext="{ 189.33.76.0/26 }"

# internet test for the MPLS branch stores
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 3128 -> $int_if port 3128
# redirect to the NTP server
rdr pass on $mpls_if inet proto udp from $rede_mpls to $mpls_if port 123 -> 10.10.100.254 port 123
# redirect so the DTC servers send mail through sol
rdr pass on $mpls_if inet proto tcp from $rede_mpls to $mpls_if port 25 -> 10.10.0.2 port 25
nat on $int_if from any to 10.10.0.2 -> $int_if
# transparent squid
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1521 -> 10.10.100.13 port 1521
rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1522 -> 10.10.100.14 port 1521
nat on $int_if from any to $oracle_desenv port 1521 -> $int_if
# redirect to the LAN; NAT was needed as well
rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
nat on $int_if from any to $ws_ip -> $int_if

#################
##### NAT ######
#################
# NAT to give the LAN internet access
nat on $ext_if from $lan to !($ext_if) -> $ext_if
nat on $mpls_if from $lan to any -> $mpls_if

# block everything inbound and everything outbound
block in on $ext_if

# inbound rules
# allow everything in on the internal interface
pass in on $int_if proto udp from $lan to $int_if port 53
pass in on $int_if from any to $lan modulate state
pass in on $int_if from $rede_mpls to $lan modulate state
# allow access from the MPLS network
pass in quick on $mpls_if from any to any
#pass in quick on $mpls_if from $rede_mpls to any
# allow inbound on the external interface
pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state
pass in quick on $ext_if proto udp from any to $ext_if port $portas_entrada_udp keep state
pass in quick on $ext_if proto tcp from any to $int_if port 443 flags S/SAFR keep state (max 256)
# VPN
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
pass in quick on $vpn_if all
pass out quick on $vpn_if all
pass in quick on $int_if from $vpn_net to any modulate state
pass in quick on $mpls_if from $vpn_net to any modulate state

# outbound rules
antispoof quick for { lo $int_if }
pass out on $int_if from any to $lan keep state
pass out on $mpls_if from $mpls_if to any modulate state
#####
# deny all outbound traffic
block out on $ext_if
#pass out on $ext_if from $ext_if to any modulate state
pass out quick on $ext_if proto tcp from any to any port $portas_saida_tcp modulate state queue (q_def, q_pri)
pass out quick on $ext_if proto tcp from $ip_rose port 1024:65535 to 200.201.174.0/24 port { 80, 2631 } modulate state
# full access for the administrators
#pass out on $ext_if from $ip_admin to any modulate state
pass out on $ext_if proto tcp from $ext_if to any modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# block msn
pass out quick inet proto tcp from $ip_admin to $msn port { 80, 1863 }
block out quick proto tcp from any to $msn port { 80, 1863 }
# block access to these sites
block out on $ext_if from any to <badsites>
block out on $ext_if from any to $winupdate
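Both messages run into the same pf behaviour: with the nat/rdr grammar of this era (OpenBSD before 4.7), translation on $ext_if is applied before the filter rules on $ext_if are evaluated, so every filter rule on $ext_if sees the LAN's packets with source $ext_if. That is why "pass out on $ext_if from $ext_if to any" opens every port to the LAN as well, and why no "from 10.10.0.0/16" rule can match on $ext_if. One way to keep the filtering on $ext_if is to tag the packets in the nat rule, while the real source is still visible, and match the tag in the filter. The fragment below is an added example, not a reply from anyone on the list and not the poster's configuration; it reuses the macros of the posted pf.conf, the tag name LAN_NAT is an assumption, and the commented alternative at the end filters on $int_if instead, where the untranslated source is still visible.

```pf
# Added example, not from the original thread. $ext_if, $int_if, $lan,
# $portas_saida_tcp and $portas_saida_udp are the macros of the posted
# pf.conf; the tag name LAN_NAT is an assumption. Pre-4.7 nat/rdr syntax.

# nat on $ext_if runs before the filter on $ext_if, so the filter would see
# source $ext_if. Tag the packets here, while the 10.10.0.0/16 source is
# still visible; the tag survives translation and is matched with "tagged".
nat on $ext_if from $lan to any tag LAN_NAT -> ($ext_if)

block out on $ext_if

# LAN users: only the selected ports, matched by tag rather than by address.
pass out quick on $ext_if proto tcp from any to any port $portas_saida_tcp modulate state tagged LAN_NAT
pass out quick on $ext_if proto udp from any to any port $portas_saida_udp keep state tagged LAN_NAT
block out quick on $ext_if all tagged LAN_NAT

# The firewall itself: the quick rules above have already consumed every
# tagged (LAN) packet, so these rules no longer open the LAN to all ports.
pass out on $ext_if proto tcp from ($ext_if) to any modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } from ($ext_if) to any keep state

# Alternative without tags: decide on $int_if inbound, where the source is
# still 10.10.0.0/16, and reserve "pass out on $ext_if" for the box itself.
# pass in quick on $int_if proto tcp from $lan to !10.10.0.0/16 port $portas_saida_tcp keep state
# pass in quick on $int_if proto udp from $lan to !10.10.0.0/16 port $portas_saida_udp keep state
# block in quick on $int_if from $lan to !10.10.0.0/16
```

Check the result with "pfctl -nf /etc/pf.conf" before loading, and remember that without "quick" the last matching rule wins, which is why the tagged pass and block rules carry it. On OpenBSD 4.7 and later the nat rule becomes "match out on $ext_if from $lan nat-to ($ext_if)" and filter rules see the untranslated source, so the tag is no longer needed there.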

