Keywords: route, firewall, openbsd, ipfilter, example
From: Evan S <kaworu@sektor7.ath.cx>
Subject: Example router/firewall setup under OpenBSD (eng)
Setting up an OpenBSD router/firewall
----------------------------
Evan S / kaworu@sektor7.ath.cx
You're probably a geek like me. You have at least seven boxen lying
around, waiting to access the outside world. Just recently, I acquired
a cable modem, so I said to myself, what better time than now? I went
over a list of possible hardware solutions for my router.
1. Linksys Cable Modem/DSL router. $150
2. A Linux box acting as a router.
3. An OpenBSD box acting as a router.
I immediately crossed off the first option, since I had a 486 lying
around doing nothing, and the Linksys was very expensive. Now I had to
decide between Linux and OpenBSD. If you're very comfortable with
Linux, and have cards that work with it, then choose Linux. I chose
OpenBSD for the following reasons:
1. An OpenBSD router is 15% faster than Linux- and FreeBSD-based
routers.
2. It is the most secure operating system in the world.
However, I did have a hell of a time finding network cards for it.
I suggest buying two 3Com 3c509B ISA network cards. Unfortunately,
they're ISA PnP, but all I had to do was insert the driver disk and
set the I/O addresses and IRQs; it wasn't that hard.
In OpenBSD, I have ep0, and ep1. I connected ep0 to my cable modem,
and ep1 to my switch.
ifconfig output:
ep0: flags=8863 mtu 1500
        media: Ethernet 10baseT
        inet6 fe80::220:afff:fe17:38c9%ep0 prefixlen 64 scopeid 0x1
        inet 146.115.66.104 netmask 0xfffffe00 broadcast 255.255.255.255
ep1: flags=8863 mtu 1500
        media: Ethernet 10baseT
        inet 169.69.6.1 netmask 0xffffff00 broadcast 169.69.6.255
        inet6 fe80::2a0:24ff:fe2b:4886%ep1 prefixlen 64 scopeid 0x2
My network runs on 169.69.6.0/24. Now, here comes the NAT part of the
process. Be sure you have these options set:
1. Add these entries to /etc/rc.conf:
ipfilter=YES
ipnat=YES # for "YES" ipfilter must also be "YES"
ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering
ipnat_rules=/etc/ipnat.rules # Rules for Network Address Translation
2. Edit /etc/ipnat.rules
Just for clarification: the /32 suffix makes ipnat look up the address
currently configured on the interface (as ifconfig would show it) and
use that, so ep0/32 = 146.115.66.104.
Example (change these values to fit your network):
# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
map ep0 169.69.6.0/24 -> ep0/32 portmap tcp/udp 1024:20000
# maps tcp/udp connections on my network through ports 1024 -> 20000
map ep0 169.69.6.0/24 -> ep0/32
# maps ICMP, etc
rdr ep0 ep0/32 port 24 -> 169.69.6.5 port 22
# redirects traffic coming from the outside on port 24 to my sparc on port 22
rdr ep0 ep0/32 port 25 -> 169.69.6.5 port 25
# redirects traffic coming from the outside on port 25 to my sparc on port 25
3. Edit /etc/sysctl.conf to allow IP forwarding:
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
4. Reboot
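To make the three ipnat rule types above concrete, here is a small model of what they do to a packet. This is an added example for this page, not IPFilter's or OpenBSD's code: it uses the post's addresses (ep0/32 resolving to 146.115.66.104, the 169.69.6.0/24 LAN, the sparc at 169.69.6.5), keeps translation state in plain dictionaries, and simplifies the portmap allocation to "next unused port in 1024:20000". The packets fed to it are constructed inputs.

```python
"""Toy model of the ipnat rules in the post: 'map ... portmap tcp/udp 1024:20000',
the address-only 'map' for ICMP and friends, and the two 'rdr' rules.
Added example, not IPFilter code; port allocation and state are simplified."""
import ipaddress
from dataclasses import dataclass, replace

EXT_ADDR = "146.115.66.104"                  # what ep0/32 expands to
LAN = ipaddress.ip_network("169.69.6.0/24")  # map ep0 169.69.6.0/24 -> ep0/32
PORTMAP = (1024, 20000)                      # portmap tcp/udp 1024:20000
# rdr ep0 ep0/32 port 24 -> 169.69.6.5 port 22, and port 25 -> 169.69.6.5 port 25
RDR = {("tcp", 24): ("169.69.6.5", 22), ("tcp", 25): ("169.69.6.5", 25)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0   # TCP/UDP ports; for ICMP echo both fields carry the echo id
    dport: int = 0


class Nat:
    def __init__(self):
        self._next_port = PORTMAP[0]
        # map state: (proto, external port) -> (LAN host, LAN port)
        self.map_table = {}
        # rdr state: (proto, LAN host, LAN port, remote, remote port) -> external port
        self.rdr_table = {}

    def outbound(self, pkt):
        """Packet leaving on ep0: apply the map rules, or undo an earlier rdr."""
        if ipaddress.ip_address(pkt.src) not in LAN:
            return pkt                                   # not from 169.69.6.0/24
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.rdr_table:                        # reply in a redirected session
            return replace(pkt, src=EXT_ADDR, sport=self.rdr_table[key])
        if pkt.proto in ("tcp", "udp"):                  # first map rule: portmap
            if self._next_port > PORTMAP[1]:
                raise RuntimeError("portmap range 1024:20000 exhausted")
            ext_port = self._next_port
            self._next_port += 1
        else:                                            # second map rule: address only
            ext_port = pkt.sport
        self.map_table[(pkt.proto, ext_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=EXT_ADDR, sport=ext_port)

    def inbound(self, pkt):
        """Packet arriving on ep0 for ep0/32: reverse a map entry or apply a rdr."""
        if pkt.dst != EXT_ADDR:
            return pkt
        key = (pkt.proto, pkt.dport)
        if key in self.map_table:                        # reply to a mapped flow
            host, port = self.map_table[key]
            return replace(pkt, dst=host, dport=port)
        if key in RDR:                                   # rdr rule: remember the session
            host, port = RDR[key]
            self.rdr_table[(pkt.proto, host, port, pkt.src, pkt.sport)] = pkt.dport
            return replace(pkt, dst=host, dport=port)
        return pkt                                       # nothing to translate


if __name__ == "__main__":
    nat = Nat()
    # constructed sample flows: a LAN web request and its reply, then an
    # outside ssh connection hitting the port 24 redirect and its reply
    print(nat.outbound(Packet("tcp", "169.69.6.5", "1.2.3.4", 40000, 80)))
    print(nat.inbound(Packet("tcp", "1.2.3.4", EXT_ADDR, 80, 1024)))
    print(nat.inbound(Packet("tcp", "5.6.7.8", EXT_ADDR, 51000, 24)))
    print(nat.outbound(Packet("tcp", "169.69.6.5", "5.6.7.8", 22, 51000)))
```

Two things the model makes visible. First, the rdr rules put the sparc's sshd and SMTP server on the internet; in IPFilter, packets arriving on ep0 go through ipnat before ipf sees them, so the redirected ssh packet reaches the filter with destination port 22 and is covered by the `pass in ... port = 22` rule, while the port 25 redirect is only reachable because the filter passes what no rule matches. Second, the portmap range is a finite resource: once 1024:20000 is used up, new LAN connections fail, which is why the model raises instead of silently reusing a port.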
Everything should work now. On your other Unix boxen, type these
commands:
route add default $IPADDRESSOFROUTER
Edit /etc/resolv.conf and enter the IP addresses of your ISP's nameservers.
Try to ping the outside world; it should work.
In Windows, go to Control Panel and set the default gateway and DNS
servers there.
Firewall Configuration:
This is probably _the_ most important part of your configuration
process. Read the ipf man page and configure the firewall to fit
your needs. Mine is configured as follows:
From /etc/ipf.rules:
# $OpenBSD: ipf.rules,v 1.6 1997/11/04 08:39:32 deraadt Exp $
#
# IP filtering rules. See the ipf(5) man page for more
# information on the format of this file, and /usr/share/ipf
# for example configuration files.
#
# Pass all packets by default.
# edit the ipfilter= line in /etc/rc.conf to enable IP filtering
#
# block in on tun0 proto tcp from any to any port = 6000
# block in on tun0 proto tcp from any to any port = 111
# pass in from any to any
# pass out from any to any
# Misc rules
pass in log on ep0 proto tcp from any to any port = 22
block in log proto icmp all icmp-type 8
block in log proto icmp all icmp-type 13
block in log proto icmp all icmp-type 15
block in log proto icmp all icmp-type 17
block in log on ep0 proto tcp from any to any port = 3306
# Deny outside illegals
block in log quick on ep0 from 0.0.0.0/32 to any
block in log quick on ep0 from 255.255.255.255/32 to any
block in log quick on ep0 from 127.0.0.0/8 to any
block in log quick on ep0 from any to 0.0.0.0/32
block in log quick on ep0 from any to 255.255.255.255/32
block in log quick on ep0 from any to 127.0.0.0/8
# packets that should never arrive from the outside (private address ranges)
block in log quick on ep0 from 192.168.0.0/16 to any
block in log quick on ep0 from 172.16.0.0/12 to any
block in log quick on ep0 from 10.0.0.0/8 to any
# note: ipf masks this to 192.168.0.0/16, which the rule three lines up already blocks
block in log quick on ep0 from 192.168.6.0/16 to any
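What this rule set actually does depends on two ipf semantics that are easy to get wrong: rules are scanned in order and the last matching rule wins, unless a matching rule says `quick`, which ends the scan at that rule; and a packet that matches no rule at all is passed. The evaluator below is an added example for this page, not IPFilter's code. It parses only the subset of ipf(5) syntax the rules above use, embeds the post's own rule lines, and runs constructed packets through them.

```python
"""Evaluator for the subset of ipf(5) syntax used in the post's ipf.rules.
Added example, not IPFilter's code: rules are scanned in order, the LAST
match wins unless the matching rule is 'quick' (which ends the scan), and a
packet matching no rule is passed. Test packets are constructed inputs."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RULES_TEXT = """
pass in log on ep0 proto tcp from any to any port = 22
block in log proto icmp all icmp-type 8
block in log proto icmp all icmp-type 13
block in log proto icmp all icmp-type 15
block in log proto icmp all icmp-type 17
block in log on ep0 proto tcp from any to any port = 3306
block in log quick on ep0 from 0.0.0.0/32 to any
block in log quick on ep0 from 255.255.255.255/32 to any
block in log quick on ep0 from 127.0.0.0/8 to any
block in log quick on ep0 from any to 0.0.0.0/32
block in log quick on ep0 from any to 255.255.255.255/32
block in log quick on ep0 from any to 127.0.0.0/8
block in log quick on ep0 from 192.168.0.0/16 to any
block in log quick on ep0 from 172.16.0.0/12 to any
block in log quick on ep0 from 10.0.0.0/8 to any
block in log quick on ep0 from 192.168.6.0/16 to any
"""


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str               # "in" or "out"
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _net(token):
    """'any' -> None; strict=False masks host bits the way ipf does, so the
    post's 192.168.6.0/16 is really 192.168.0.0/16 (blocked three rules up)."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    """Parse one rule into a dict; fields absent from the rule stay None (= any)."""
    tok = line.split()
    rule = {"action": tok[0], "direction": tok[1], "quick": False, "iface": None,
            "proto": None, "src": None, "dst": None, "port": None, "icmp_type": None}
    i = 2
    while i < len(tok):
        t = tok[i]
        if t in ("log", "all"):               # logging and 'from any to any' need no state
            i += 1
        elif t == "quick":
            rule["quick"] = True; i += 1
        elif t == "on":
            rule["iface"] = tok[i + 1]; i += 2
        elif t == "proto":
            rule["proto"] = tok[i + 1]; i += 2
        elif t in ("from", "to"):
            rule["src" if t == "from" else "dst"] = _net(tok[i + 1]); i += 2
        elif t == "port" and tok[i + 1] == "=":
            rule["port"] = int(tok[i + 2]); i += 3
        elif t == "icmp-type":
            rule["icmp_type"] = int(tok[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule


def parse_rules(text):
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def matches(r, p):
    return (r["direction"] == p.direction
            and r["iface"] in (None, p.iface)
            and r["proto"] in (None, p.proto)
            and (r["src"] is None or ipaddress.ip_address(p.src) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p.dst) in r["dst"])
            and r["port"] in (None, p.dport)
            and r["icmp_type"] in (None, p.icmp_type))


def evaluate(rules, pkt):
    """'pass' or 'block': last match wins, a matching 'quick' rule stops the scan."""
    verdict = "pass"                         # ipf passes what no rule matches
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict


RULES = parse_rules(RULES_TEXT)


def verdict(iface, proto, src, dst, dport=None, icmp_type=None):
    """Verdict for an inbound packet under the post's rule set."""
    return evaluate(RULES, Packet(iface, "in", proto, src, dst, dport, icmp_type))


if __name__ == "__main__":
    ext = "146.115.66.104"                   # the router's ep0 address in the post
    print("ssh from spoofed 10/8:", verdict("ep0", "tcp", "10.1.2.3", ext, 22))
    print("ping from the LAN:", verdict("ep1", "icmp", "169.69.6.5", "169.69.6.1", None, 8))
```

Three things fall out of running it. A spoofed packet from 10.0.0.0/8 to port 22 matches the early `pass ... port = 22` rule and is still blocked, because the later `quick` rule wins the scan. Anything the rules do not mention (port 80, or the 111 and 6000 the commented template lines hint at) is passed, since the set has no closing `block in all`; a default-deny set with explicit `pass` rules is the safer shape. And the four ICMP rules carry no `on ep0`, so they also drop echo requests arriving on ep1 from the LAN, which is worth knowing before you wonder why you cannot ping the router from inside.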