Rainer Duffner wrote:

Scott Ullrich wrote:

Yeah, I would give that a shot.

OK, I disabled the DNS-checks in sshd_config and I can now login and paste you the rules.debug:

# cat rules.debug |egrep -v ^$
# System Aliases
lan = "{ ste0  }"
wan = "{ ste3  }"
pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
pppoe = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
OPT1VLAN102 = "{ vlan0 }"
OPT2VLAN103 = "{ vlan1 }"
OPT3 = "{ vlan2 }"
OPT4 = "{ vlan3 }"
# User Aliases
resolvers = "{ resolver-ip1 resolver-ip2 }"

set loginterface ste3
set loginterface ste0
set loginterface vlan0
set loginterface vlan1
set loginterface vlan2
set loginterface vlan3
set optimization normal
set limit states 100000
scrub on ste3 all
nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
binat on ste3 from 10.10.182.128/28 to any -> my-real-ip-space/28
binat on ste3 from 10.10.183.128/28 to any -> my-real-ip-space2/28
nat on ste3 from 10.10.179.0/24 to any -> (ste3)
nat on ste3 from 10.10.183.128/28 to any -> (ste3)
#SSH Lockout Table
table <sshlockout> persist
# spam table
table <spamd> persist
# Load balancing anchor - slbd updates
rdr-anchor "slb"
# FTP proxy
rdr-anchor "pftpx/*"
rdr on ste0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on vlan0 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
rdr on vlan1 proto tcp from any to any port 21 -> 127.0.0.1 port 8023
rdr on vlan2 proto tcp from any to any port 21 -> 127.0.0.1 port 8024
rdr on vlan3 proto tcp from any to any port 21 -> 127.0.0.1 port 8025
# NAT Inbound Redirects
rdr on ste3 proto tcp from any to any port { 12011 } -> 10.10.179.1 port 443
# Reflection redirects
rdr on ste0 proto tcp from any to any port { 12011 } -> 127.0.0.1 port 19000
rdr on vlan0 proto tcp from any to any port { 12011 } -> 127.0.0.1 port 19001
rdr on vlan1 proto tcp from any to any port { 12011 } -> 127.0.0.1 port 19002
rdr on vlan2 proto tcp from any to any port { 12011 } -> 127.0.0.1 port 19003
rdr on vlan3 proto tcp from any to any port { 12011 } -> 127.0.0.1 port 19004
anchor "firewallrules"
# loopback
anchor "loopback"
pass in quick on lo0 all label "pass loopback"
pass out quick on lo0 all label "pass loopback"
# package manager early specific hook
anchor "packageearly"
# carp
anchor "carp"
# enable ftp-proxy
anchor "ftpproxy"
anchor "pftpx/*"
pass in quick on ste3 inet proto tcp from port 20 to (ste3) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on ste0 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on ste0 proto udp from any port = 68 to 10.10.179.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on ste0 proto udp from 10.10.179.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on ste3 from 10.10.182.128/28 to any label "interface spoof check"
block in log quick on ste3 from 10.10.183.128/28 to any label "interface spoof check"
# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
anchor "wandhcp"
pass out quick on ste3 proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
block in log quick on ste3 proto udp from any port = 67 to 10.10.179.0/24 port = 68 label "allow dhcp client out wan"
pass in quick on ste3 proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"
# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for ste0
antispoof for vlan0
antispoof for vlan1
# block anything from private networks on WAN interface
anchor "spoofing"
block in log quick on ste3 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on ste3 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on ste3 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on ste3 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table <virusprot>

# let out anything from the firewall host itself and decrypted IPsec traffic
# pass out quick on ste3 all keep state label "let out anything from firewall host itself"
# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on ste3 all keep state label "let out anything from firewall host itself"
pass out quick on ste0 all keep state label "let out anything from firewall host itself"
pass out quick on vlan0 all keep state label "let out anything from firewall host itself"
pass out quick on vlan1 all keep state label "let out anything from firewall host itself"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vlan0 all keep state label "let out anything from firewall host itself"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vlan1 all keep state label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick from 10.10.179.0/24 to 10.10.179.1 keep state label "anti-lockout web rule"
# SSH lockout
block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"
# User-defined rules follow
pass in quick on $wan proto tcp from any to { 10.10.179.1 } port = 443 flags S/SA keep state label "USER_RULE: NAT WebGUI access from outside"
pass in log quick on $wan proto tcp from any to { 10.10.182.130 } port = 80 flags S/SA keep state label "USER_RULE: NAT access from outsideto VLAN102"
pass in log quick on $wan proto tcp from any to 10.10.183.128/28 port = 22 flags S/SA keep state label "USER_RULE"
pass in log quick on $OPT2VLAN103 proto { tcp udp } from 10.10.183.128/28 to $resolvers port = 53 keep state label "USER_RULE: let dns out"
pass in quick on $lan from 10.10.179.0/24 to any keep state label "USER_RULE: Default LAN -> any"
# VPN Rules
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."



Questions:
- does one still need the NAT-directives for the IPs covered with binat?
- is the line that allows the resolvers out (see end, some lines up from here) correct? It says "pass in", but shouldn't it say "pass out"?




cheers,
Rainer
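A small rules.debug checker for the first question in the message above, added here as an example and not part of the thread or of pfSense: pf tries binat translations before nat for outbound packets, so a nat rule whose source network is already covered by a binat on the same interface never matches. The sample input is constructed in the shape of the posted rules.debug, with documentation addresses standing in for the redacted real IP space; `RULES_DEBUG`, `shadowed_nat_rules` and `expand_interface` are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample in the shape of the posted rules.debug; the real
# addresses were redacted in the post, so 198.51.100.0/24 stands in.
RULES_DEBUG = """\
# System Aliases
lan = "{ ste0  }"
wan = "{ ste3  }"
OPT2VLAN103 = "{ vlan1 }"
binat on ste3 from 10.10.182.128/28 to any -> 198.51.100.0/28
binat on ste3 from 10.10.183.128/28 to any -> 198.51.100.16/28
nat on ste3 from 10.10.179.0/24 to any -> (ste3)
nat on ste3 from 10.10.183.128/28 to any -> (ste3)
pass in log quick on $OPT2VLAN103 proto { tcp udp } from 10.10.183.128/28 to $resolvers port = 53 keep state label "USER_RULE: let dns out"
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*([^}]*?)\s*\}"')
XLATE_RE = re.compile(r'^(binat|nat) on (\S+) from (\S+) to any -> (\S+)')


def parse_macros(text):
    """Map macro names to their interface lists, e.g. OPT2VLAN103 -> ['vlan1']."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).split()
    return macros


def parse_translations(text):
    """Yield (kind, interface, source network, target) for each binat/nat rule."""
    rules = []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if m:
            kind, ifname, src, target = m.groups()
            rules.append((kind, ifname, ipaddress.ip_network(src, strict=False), target))
    return rules


def shadowed_nat_rules(text):
    """nat rules whose source is inside a binat source on the same interface.
    Because pf checks binat before nat on the way out, these never match and
    are dead configuration worth removing or documenting."""
    rules = parse_translations(text)
    binats = [r for r in rules if r[0] == "binat"]
    shadowed = []
    for kind, ifname, src, target in rules:
        if kind != "nat":
            continue
        for _, b_if, b_src, b_target in binats:
            if b_if == ifname and src.subnet_of(b_src):
                shadowed.append((str(src), ifname, b_target))
    return shadowed


def expand_interface(rule, macros):
    """Resolve the $macro after 'on' in a filter rule to real interface names."""
    m = re.search(r'\bon \$(\w+)', rule)
    return macros.get(m.group(1), []) if m else []


if __name__ == "__main__":
    for src, ifname, target in shadowed_nat_rules(RULES_DEBUG):
        print(f"nat for {src} on {ifname} is shadowed by binat -> {target}")
```

`expand_interface` only resolves the interface macro; in pf the direction of a filter rule is relative to the firewall, so `pass in on vlan1` matches packets arriving on vlan1 from the hosts behind it.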



