On Sat, 12 Jul 2003 14:08:11 -0600
j knight <[EMAIL PROTECTED]> wrote:

> Hi Matt.
> 
> 
> Matt Bettinger wrote:
> 
> > Also, I would like to find out how to pass out more than just www
> > traffic from the DMZ.  Say for instance I wanted to run some other
> > services or use lynx on the dmz box etc etc.   
> 
> Add a "pass in on $dmz_if" rule for each type of traffic you want to 
> permit. In your ruleset below, you're not actually allowing www
> traffic out from the dmz, you're allowing www traffic in and then
> permitting the return traffic back out (at least you would be if you
> were using "keep state" :)).
> 
> > nat on $ext_if from {192.168.1.0/24,192.168.3.0/24} to any -> ($ext_if)
> > rdr on $ext_if proto tcp from any to $ext_if port www -> $web_svr port www
> > pass in quick on $ext_if proto tcp from any to $dmz_if port www
> 
> I think what you meant here is "... from any to $web_svr ...", not 
> $dmz_if. You want to pass traffic destined for the web server, not for
> the firewall's DMZ interface address.
> 
> > If  put in a 'block in all' 'block out all'  then my whole lan is
> > blocked from the internet, please help as I am pretty confused at
> > this point.   Why a block in all and block out all would  prevent
> > everything from going in or out when I have 'pass out on $ext_if
> > all keep state' after it, is beyond me.
> 
> You haven't defined any pass rules for the internal interface.
> Remember, when traffic moves through a router it will enter one
> interface and exit on another. You need to pass traffic on both of
> those interfaces.
> 
> You're also going to want to make use of "keep state" on the rules
> that pass traffic to/from your web server. Right now traffic will make
> it to the web server from the outside, but the return traffic will be
> blocked. You'll see this happen once you put back the 'block in|out
> all' rules.
> 
> 
> 
> .joel
> 

Hello,

Still having some pretty major issues here. I've been at this for
nearly 15 hours straight today (no joke) and 10 hours yesterday.. or the
day before.. I don't even know anymore.

I'm pretty much at wit's end. I'm trying to follow along with some
of these examples; however, they all seem to be a little more complicated
than what I need, and when I change them up I don't achieve what I
intended.

Again ALL I am trying to do is have a DMZ on a third nic that is hosting
a web server:
nic1 dhcp, nic2 192.168.1.0/24, nic3 192.168.3.0/24, sun web server on
192.168.3.19

I'd like to be able to pass all traffic from the internal
lan to the dmz box for administration and pass all traffic from the dmz
box out the external nic. I'm at a loss.  

For what it's worth here is my latest failure (thanks) :

# Available Interfaces
EXT_IF=         "xl0"
INT_IF=         "xl1"
DMZ_IF=         "rl0"
# Configured Networks
EXT=            "xl0"
INT=            "192.168.1.0/24"
DMZ=            "192.168.3.0/24"
# Firewall IP Address
FW=             "(xl0)"
# DMZ Servers IP Addresses
WEB_DMZ=        "rl0"
WEB_EXT=        "xl0"
WEB_INT=        "192.168.3.19"
# Special Networks/Hosts
#RESERVED=       "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
RESERVED=       "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"
TRUSTED=        "{  }"


scrub in all
scrub out all


nat on $EXT_IF from {192.168.1.0/24,192.168.3.0/24} to any -> ($EXT_IF)
rdr on $EXT_IF proto tcp from any to $EXT_IF -> 192.168.3.19/32  

pass in on xl1 from $INT to 192.168.3.19/32 keep state

pass out quick on rl0 from $INT to 192.168.3.19/32 keep state

block in on rl0 from 192.168.3.19/32 to $INT

pass in quick on $EXT_IF proto tcp from any to $DMZ_IF port www

pass in on $DMZ_IF from any to any

pass out quick on $EXT_IF inet proto tcp from 192.168.3.19/32 to any keep state

pass out quick on $EXT_IF inet proto udp from 192.168.3.19/32 to any keep state


pass in  on lo0 all
pass out on lo0 all

pass in  on $INT_IF all
pass out quick on $INT_IF all

# Allow outgoing DMZ traffic 
pass in quick on $DMZ_IF inet from $DMZ to !$INT keep state

block out quick on $EXT_IF inet from !$EXT to any

block in quick on $EXT_IF inet from $RESERVED to any

pass out on $EXT_IF inet proto icmp from $EXT to any keep state

pass in on $EXT_IF inet proto icmp from any to $DMZ keep state

pass out on $DMZ_IF inet proto icmp from any to $DMZ keep state

pass out on $EXT_IF inet proto udp from $EXT to any keep state


# Remote Management
pass in on $EXT_IF inet proto tcp from any to $FW port 22 flags S/SA keep state

# Enable Internet Access
pass out on $EXT_IF inet proto tcp from $EXT to any flags S/SA keep state

#Enable DMZ WEB Server Access

pass in on $EXT_IF inet proto tcp from any to any port {80} flags S/S keep state

pass out on $DMZ_IF inet proto tcp from any to any port {80} flags S/S keep state

pass in on $EXT_IF inet proto tcp from any to any  keep state
pass out quick on $DMZ_IF inet proto tcp from any to any keep state



----------------

imelda# pfctl -s rules
scrub in all fragment reassemble
scrub out all fragment reassemble
pass in on xl1 inet from 192.168.1.0/24 to 192.168.3.19 keep state
pass out quick on rl0 inet from 192.168.1.0/24 to 192.168.3.19 keep state
block drop in on rl0 inet from 192.168.3.19 to 192.168.1.0/24
pass in quick on xl0 inet proto tcp from any to 192.168.3.1 port = www
pass in on rl0 all
pass out quick on xl0 inet proto tcp from 192.168.3.19 to any keep state
pass out quick on xl0 inet proto udp from 192.168.3.19 to any keep state
pass in on lo0 all
pass out on lo0 all
pass in on xl1 all
pass out quick on xl1 all
pass in quick on rl0 inet from 192.168.3.0/24 to ! 192.168.1.0/24 keep state
pass out on xl0 inet proto icmp from 67.10.132.244 to any keep state
pass in on xl0 inet proto icmp from any to 192.168.3.0/24 keep state
pass out on rl0 inet proto icmp from any to 192.168.3.0/24 keep state
pass out on xl0 inet proto udp from 67.10.132.244 to any keep state
pass in on xl0 inet proto tcp from any to (xl0) port = ssh flags S/SA keep state
pass out on xl0 inet proto tcp from 67.10.132.244 to any flags S/SA keep state
pass in on xl0 inet proto tcp all keep state
pass out quick on rl0 inet proto tcp all keep state
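Added example (not from anyone in this thread): a minimal default-deny pf.conf for the three-NIC layout Matt describes, following Joel's two points (pass on both the entering and the leaving interface, and keep state on everything). The interface names, networks and web server address are taken from Matt's post; everything else is an assumption. Note that the rdr in the posted ruleset has no "port www", so every TCP connection to the firewall's external address, including the ssh management rule's port 22, is redirected to the DMZ host; the example restricts the rdr to port www, and the pass rule for inbound www matches the web server address, since rdr rewrites the destination before filter rules are evaluated.

```pf
# Added example, not the poster's ruleset. Assumed to be loaded with
# "pfctl -nf /etc/pf.conf" first to check syntax, then "pfctl -f".
ext_if="xl0"
int_if="xl1"
dmz_if="rl0"
int_net="192.168.1.0/24"
dmz_net="192.168.3.0/24"
web_svr="192.168.3.19"

scrub in all

# Translation: masquerade both private networks behind the external address.
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)
# Redirect only port www to the web server. Without "port www" every TCP
# connection to the firewall itself (ssh included) would land on the DMZ host.
rdr on $ext_if proto tcp from any to ($ext_if) port www -> $web_svr port www

# Default deny on every interface; the pass rules below punch specific holes.
block in all
block out all

pass in quick on lo0 all
pass out quick on lo0 all

# Forwarded traffic crosses two interfaces, so each flow gets a pass rule on
# the interface it enters and on the interface it leaves.

# LAN may reach the DMZ (administration) and the internet.
pass in on $int_if from $int_net to any keep state
pass out on $dmz_if from $int_net to $dmz_net keep state
pass out on $int_if from any to $int_net keep state

# Anything already allowed in may leave toward the internet. Filtering on
# $ext_if sees the packet after nat, so the source is the external address.
pass out on $ext_if from ($ext_if) to any keep state

# Inbound www: rdr has already rewritten the destination to $web_svr, so the
# filter rule must match $web_svr, not the firewall's DMZ interface address.
pass in on $ext_if proto tcp from any to $web_svr port www flags S/SA keep state
pass out on $dmz_if proto tcp from any to $web_svr port www flags S/SA keep state

# The DMZ host may originate traffic to the internet (updates, lynx) but not
# into the LAN; "keep state" lets the replies back without further rules.
pass in on $dmz_if from $dmz_net to !$int_net keep state

# Remote management of the firewall itself, as in the posted ruleset.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
```

With the two "block ... all" rules in place, "pfctl -s rules" should show only these pass rules, and "pfctl -s state" will show one entry per allowed flow; a connection that fails is then one that has no pass rule on one of the two interfaces it crosses.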