The OpenNET Project / Index page


Example of configuring a router/firewall under OpenBSD (eng) (route firewall openbsd ipfilter example)


Keywords: route, firewall, openbsd, ipfilter, example
From: Evan S <kaworu@sektor7.ath.cx>
Subject: Example of configuring a router/firewall under OpenBSD (eng)

Setting up an OpenBSD router/firewall
----------------------------
Evan S / kaworu@sektor7.ath.cx

You're probably a geek like me. You have at least seven boxen lying around, waiting to access the outside world. Just recently I acquired a cable modem, so I said to myself: what better time than now? I went over a list of possible hardware solutions for my router:

1. Linksys Cable Modem/DSL router. $150
2. A Linux box acting as a router.
3. An OpenBSD box acting as a router.

I immediately crossed off the first option, since I had a 486 lying around doing nothing, and besides, it was very expensive. Now I had to decide between Linux and OpenBSD. If you're very comfortable with Linux and have cards that work with it, then choose Linux. I chose OpenBSD for the following reasons:

1. An OpenBSD router is 15% faster than Linux- and FreeBSD-based routers.
2. It is the most secure operating system in the world.

However, I did have a hell of a time finding network cards for it. I suggest buying two 3Com 3c509B ISA network cards. Unfortunately they're ISA PnP, but all I had to do was insert the driver disk and set the I/Os and IRQs; it wasn't that hard. In OpenBSD they show up as ep0 and ep1. I connected ep0 to my cable modem and ep1 to my switch.

ifconfig output:

    ep0: flags=8863 mtu 1500
            media: Ethernet 10baseT
            inet6 fe80::220:afff:fe17:38c9%ep0 prefixlen 64 scopeid 0x1
            inet 146.115.66.104 netmask 0xfffffe00 broadcast 255.255.255.255
    ep1: flags=8863 mtu 1500
            media: Ethernet 10baseT
            inet 169.69.6.1 netmask 0xffffff00 broadcast 169.69.6.255
            inet6 fe80::2a0:24ff:fe2b:4886%ep1 prefixlen 64 scopeid 0x2

My network runs on 169.69.6.0/24. (A caveat on that choice: 169.69.6.0/24 is not RFC 1918 private space, so it can collide with routable Internet addresses. A LAN behind NAT should use 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. The anti-spoofing rules in the firewall section below block those private ranges as sources on ep0 but say nothing about 169.69.6.0/24, so spoofed packets claiming to come from the LAN are not caught by them.)

Now, here comes the NAT part of the process. Be sure you have these options set:

1. Add entries to /etc/rc.conf that look like:

       ipfilter=YES
       ipnat=YES                      # for "YES" ipfilter must also be "YES"
       ipfilter_rules=/etc/ipf.rules  # Rules for IP packet filtering
       ipnat_rules=/etc/ipnat.rules   # Rules for Network Address Translation

2. Edit /etc/ipnat.rules. Just for clarification: writing an interface name with /32 (here ep0/32) makes ipnat look up that interface's current address when the rules are loaded, so ep0/32 = 146.115.66.104. Example (change these values to fit your network):

       # $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
       #
       # See /usr/share/ipf/nat.1 for examples.
       # edit the ipnat= line in /etc/rc.conf to enable Network Address Translation

       # maps tcp/udp connections from my network to source ports 1024 through 20000
       map ep0 169.69.6.0/24 -> ep0/32 portmap tcp/udp 1024:20000
       # maps everything else (ICMP, etc.)
       map ep0 169.69.6.0/24 -> ep0/32
       # redirects traffic arriving from the outside on port 24 to my sparc on port 22
       rdr ep0 ep0/32 port 24 -> 169.69.6.5 port 22
       # redirects traffic arriving from the outside on port 25 to my sparc on port 25
       rdr ep0 ep0/32 port 25 -> 169.69.6.5 port 25

   Two things to keep in mind about the rdr lines. Each one is a hole from the Internet straight to the internal host, so only redirect ports for services you mean to expose (here SSH and SMTP on the sparc). And ipnat translates inbound packets before the filter rules in /etc/ipf.rules see them, so the filter sees these connections with the translated destination (169.69.6.5 port 22 or 25), not the router's address and port 24.

3. Edit /etc/sysctl.conf to allow IP forwarding:

       net.inet.ip.forwarding=1       # 1=Permit forwarding (routing) of packets

4. Reboot.

Everything should work now. On your other Unix boxen, type:

    route add default $IPADDRESSOFROUTER

then edit /etc/resolv.conf and enter the IP addresses of your ISP's nameservers. Try to ping the outside world; it should work. In Windows, go to Control Panel and do that stuff.

Firewall Configuration:

This is probably _the_ most important part of your configuration process. Read the ipf manpage and configure the firewall to fit your needs. Mine is configured as follows, from /etc/ipf.rules:

    # $OpenBSD: ipf.rules,v 1.6 1997/11/04 08:39:32 deraadt Exp $
    #
    # IP filtering rules. See the ipf(5) man page for more
    # information on the format of this file, and /usr/share/ipf
    # for example configuration files.
    #
    # Pass all packets by default.
    # edit the ipfilter= line in /etc/rc.conf to enable IP filtering
    #
    # block in on tun0 proto tcp from any to any port = 6000
    # block in on tun0 proto tcp from any to any port = 111
    # pass in from any to any
    # pass out from any to any

    # Misc rules
    pass in log on ep0 proto tcp from any to any port = 22
    block in log proto icmp all icmp-type 8
    block in log proto icmp all icmp-type 13
    block in log proto icmp all icmp-type 15
    block in log proto icmp all icmp-type 17
    block in log on ep0 proto tcp from any to any port = 3306

    # Deny outside illegals
    block in log quick on ep0 from 0.0.0.0/32 to any
    block in log quick on ep0 from 255.255.255.255/32 to any
    block in log quick on ep0 from 127.0.0.0/8 to any
    block in log quick on ep0 from any to 0.0.0.0/32
    block in log quick on ep0 from any to 255.255.255.255/32
    block in log quick on ep0 from any to 127.0.0.0/8

    # never packets (private source ranges must not arrive from the outside)
    block in log quick on ep0 from 192.168.0.0/16 to any
    block in log quick on ep0 from 172.16.0.0/12 to any
    block in log quick on ep0 from 10.0.0.0/8 to any
    # the next line is covered by the 192.168.0.0/16 rule above; a rule for the
    # LAN's own 169.69.6.0/24 as source is what an anti-spoofing section needs here
    block in log quick on ep0 from 192.168.6.0/16 to any

Read this ruleset with IPFilter's semantics in mind. Every rule is evaluated and the last matching rule decides, except that a matching rule carrying `quick` ends the search immediately; and when no rule matches, the packet is passed (the "Pass all packets by default" comment is literal: the default policy is pass unless the kernel was built with IPFILTER_DEFAULT_BLOCK). So this ruleset blocks only what it names, namely MySQL (3306), four ICMP types and bogon or private sources on ep0, and lets every other inbound connection through; the pass rule for port 22 changes nothing except that it logs those connections. Note also that the four ICMP block rules carry no `on ep0`, so they apply to the internal ep1 as well: hosts on the LAN cannot ping the router either. A default-deny ruleset would begin with `block in all` and `block out all` and add pass rules after them for the traffic you actually intend to allow (the later pass rule wins), with `quick` on the spoofing blocks as above.
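To make the semantics just described concrete, here is a small Python evaluator for the subset of ipf.rules syntax this page uses. It is an added example, not code from the article or from IPFilter: it re-implements the decision procedure as IPFilter documents it (rules tried in order, last match wins, `quick` stops the search, no match means the default policy), loads the article's own inbound rules, and runs constructed packets through them. The interface names and the 146.115.66.104 / 169.69.6.x addresses are the article's; the remote addresses 1.2.3.4 and 10.9.8.7 and the sample labels are made up for the test.

```python
# Added example, not part of the original article: a minimal evaluator for the
# ipf.rules subset used on this page.  IPFilter tries rules in order, the LAST
# matching rule wins, a match carrying `quick` ends the search, and a packet no
# rule matches is passed (the default unless built with IPFILTER_DEFAULT_BLOCK).
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The article's inbound rules (ICMP types 13/15/17 and the three "to" bogon
# rules have the same shape as their neighbours and are left out for brevity).
IPF_RULES = """
pass in log on ep0 proto tcp from any to any port = 22
block in log proto icmp all icmp-type 8
block in log on ep0 proto tcp from any to any port = 3306
block in log quick on ep0 from 0.0.0.0/32 to any
block in log quick on ep0 from 255.255.255.255/32 to any
block in log quick on ep0 from 127.0.0.0/8 to any
block in log quick on ep0 from 192.168.0.0/16 to any
block in log quick on ep0 from 172.16.0.0/12 to any
block in log quick on ep0 from 10.0.0.0/8 to any
block in log quick on ep0 from 192.168.6.0/16 to any
"""

@dataclass
class Packet:
    iface: str
    direction: str                  # "in" or "out"
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # destination port for tcp/udp
    icmp_type: Optional[int] = None

def parse_rule(line: str) -> dict:
    """action dir [log] [quick] [on IF] [proto P] (all | from SRC to DST) [port = N] [icmp-type N]"""
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "log": False, "quick": False,
            "iface": None, "proto": None, "src": "any", "dst": "any",
            "dport": None, "icmp_type": None}
    keys = {"on": "iface", "proto": "proto", "from": "src", "to": "dst",
            "icmp-type": "icmp_type", "port": "dport"}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("log", "quick"):
            rule[t] = True
            i += 1
        elif t == "all":                    # shorthand for "from any to any"
            i += 1
        elif t in keys:
            val = toks[i + 2] if t == "port" else toks[i + 1]   # "port = N"
            rule[keys[t]] = int(val) if t in ("port", "icmp-type") else val
            i += 3 if t == "port" else 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule

RULES = [parse_rule(l) for l in IPF_RULES.splitlines() if l.strip()]

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    # strict=False masks host bits as ipf does; 192.168.6.0/16 would otherwise raise.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule: dict, pkt: Packet) -> bool:
    return (rule["dir"] == pkt.direction
            and rule["iface"] in (None, pkt.iface)
            and rule["proto"] in (None, pkt.proto)
            and addr_match(rule["src"], pkt.src)
            and addr_match(rule["dst"], pkt.dst)
            and rule["dport"] in (None, pkt.dport)
            and rule["icmp_type"] in (None, pkt.icmp_type))

def evaluate(rules: list, pkt: Packet, default: str = "pass") -> str:
    """Return 'pass' or 'block': last match wins, `quick` stops the search."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict

# Constructed packets: 146.115.66.104 is ep0's address, 169.69.6.0/24 the LAN on ep1.
SAMPLES = {
    "ssh from internet":        Packet("ep0", "in", "tcp", "1.2.3.4", "146.115.66.104", dport=22),
    "mysql from internet":      Packet("ep0", "in", "tcp", "1.2.3.4", "146.115.66.104", dport=3306),
    "http from internet":       Packet("ep0", "in", "tcp", "1.2.3.4", "146.115.66.104", dport=80),
    "ssh spoofed from 10/8":    Packet("ep0", "in", "tcp", "10.9.8.7", "146.115.66.104", dport=22),
    "ping router from LAN":     Packet("ep1", "in", "icmp", "169.69.6.5", "169.69.6.1", icmp_type=8),
    "mysql to router from LAN": Packet("ep1", "in", "tcp", "169.69.6.5", "169.69.6.1", dport=3306),
}

def verdicts(default: str = "pass") -> dict:
    return {name: evaluate(RULES, pkt, default) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:26s} -> {verdict}")
```

Running it shows the three points made above: an inbound HTTP connection from the Internet is passed because nothing matches it and the default is pass; the SYN from a 10/8 source is blocked even though the port 22 pass rule matched first, because the later `quick` block ends the search; and the LAN host's ping of the router is blocked because the ICMP rule is not scoped to ep0. Calling `verdicts("block")` models the same rules on a kernel built with IPFILTER_DEFAULT_BLOCK, where the unmatched HTTP connection is dropped and only the explicitly passed SSH gets through.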
