Can anyone tell me what's going on? I have already explicitly forbidden a certain IP inside the network from going to port 5190 (ICQ), yet that machine still connects to ICQ. On both interfaces on the gateway the default is to block everything.

>Can anyone tell me what's going on? I have already explicitly forbidden a certain IP inside the network
>from going to port 5190 (ICQ), yet that machine still connects to ICQ. On both interfaces on the
>gateway the default is to block everything.

1) Show the rules.

>1) Show the rules.

ext_if="ep1"
int_if="xl0"
internal_net="10.0.0.0/24"
DMZ_net="192.168.0.0/24"
DMZ_server="{192.168.0.10,192.168.0.11}"
broadcast="192.168.0.255/24"
ftp_server="10.0.0.2"
web_server="10.0.0.2"
ssh_server="10.0.0.2"
mail_server="192.168.0.11"
tcp_servise_ext="80"
port_out="80,8080,443,25,110,119,53"
DNS_1="10.0.0.1"
DNS_EXT="212.44.130.6"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/16"
CLASS_C="192.168.0.0/16"

table <icq_user> { 10.0.0.39,10.0.0.96,10.0.0.70,10.0.0.62,10.0.0.53,10.0.0.28}
table <xxx> {207.46.110.30,207.46.104.20,207.46.110.16}

set optimization normal
set block-policy drop

scrub in all fragment reassemble

nat on $ext_if from {$internal_net,$DMZ_net} to any -> ($ext_if)

rdr on $ext_if proto tcp from any to $ext_if port 9100 -> $mail_server port 9100

rdr on $int_if proto tcp from $internal_net to any port {80,8080} -> 127.0.0.1 port 3128

# Rules for $ext_if
block in log on $ext_if all
block in log on $ext_if proto tcp from any to $ext_if port 22
block in log on $ext_if proto tcp from { $CLASS_A, $CLASS_B, $CLASS_C}

block in log on $ext_if from {$DMZ_net, $internal_net}
block out on $ext_if from any to any
block out log on $ext_if from any to <xxx>
block out on $ext_if proto tcp from 192.168.0.11 to 206.253.23.162

pass on $ext_if proto icmp
pass out on $ext_if proto tcp from any to any port {$port_out} keep state
pass out on $ext_if proto {tcp,udp} from any to any port 53 keep state
pass in on $ext_if proto tcp from any to $ext_if port 25 keep state

#Pass rules on $ext_if for outgoing FTP
pass out on $ext_if proto tcp from any to any port 21 keep state
pass out quick on $ext_if proto tcp from any port > 1023 to any port > 1023 keep state

#Rules to CGP mail server
pass in quick on $ext_if proto tcp from any to $mail_server port 9100 keep state

# Rules for lo0
pass quick on lo0 all

# Rules for $int_if
block on $int_if all
block log on $int_if from any to <xxx>
block in on $int_if from 192.168.0.11 to 206.253.23.162
block on $int_if proto tcp from 10.0.0.55 to any port 5190

pass on $int_if proto icmp keep state
pass in on $int_if proto tcp from any to any port {$port_out} keep state
pass on $int_if proto {tcp,udp} from {$DMZ_net, $internal_net} to any port 53 keep state
pass out on $int_if proto tcp from any to 192.168.0.11 port 25 keep state

# Access to this machine from LAN !!!!
pass on $int_if proto tcp from {$internal_net, $DMZ_net} to $int_if port 22 keep state

#Pass rules on $ext_if for outgoing FTP
pass on $int_if proto tcp from any to any port 21 keep state
pass in quick on $int_if proto tcp from any port > 1023 to any port > 1023 keep state

block on $int_if proto tcp from 10.0.0.55 to any port 5190

#Rules for CGP
pass out quick on $int_if proto tcp from any to $mail_server port 9100 keep state

Client port > 1024
ICQ port > 1024
Let's look at the rules:
...
pass out quick on $ext_if proto tcp from any port > 1023 to any port > 1023 keep state
...
pass in quick on $int_if proto tcp from any port > 1023 to any port > 1023 keep state

Inbound on the internal interface and outbound on the external one, with an entry written to the state table so that later packets are not checked again.

>Client port > 1024
>ICQ port > 1024
>Let's look at the rules:
>...
>pass out quick on $ext_if proto tcp from any port > 1023 to any port > 1023 keep state
>...
>pass in quick on $int_if proto tcp from any port > 1023 to any port > 1023 keep state
>
>Inbound on the internal interface and outbound on the external one, with an entry written to the
>state table so that later packets are not checked again.

I did that for FTP. So what should I do? And besides, on the internal interface I did write that everything incoming to port 5190 should be cut off, didn't I?

Cut off not the port, but the ICQ subnets.
---
wbr, shaman
http://www.akeeper.ru

>I did that for FTP. So what should I do? And besides, on the internal interface I did write
>that everything incoming to port 5190 should be cut off, didn't I?

I think it's worth reading up on the order in which rules are processed in the pf filter.
Pay attention to the quick option.
And if you want it really simple, then:
block quick on $int_if proto tcp from 10.0.0.55 to any port 5190
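A toy model of the rule-order point made in the two replies above (the last matching rule wins, and a matching rule with quick is final), as an added example that is not code from the thread. It ignores direction, interfaces and the state table, and models only the $int_if rules that matter for a client on 10.0.0.55:

```python
# Added example, not from the thread: a toy model of pf rule evaluation that
# shows why the poster's "block ... port 5190" never fires. Modelled semantics:
# the last matching rule wins, unless a matching rule has "quick", which is final.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False
    src: Optional[str] = None        # exact source address, None = any
    sport_gt: Optional[int] = None   # "from any port > N"
    dport: Optional[int] = None      # "to any port N"
    dport_gt: Optional[int] = None   # "to any port > N"

    def matches(self, src: str, sport: int, dport: int) -> bool:
        return ((self.src is None or self.src == src)
                and (self.sport_gt is None or sport > self.sport_gt)
                and (self.dport is None or self.dport == dport)
                and (self.dport_gt is None or dport > self.dport_gt))

def evaluate(rules, src: str, sport: int, dport: int) -> str:
    """Verdict pf would reach for one TCP packet from src:sport to port dport."""
    verdict = "block"                # nothing matched: treat as blocked
    for rule in rules:
        if rule.matches(src, sport, dport):
            verdict = rule.action    # last match wins ...
            if rule.quick:
                break                # ... unless that match is "quick"
    return verdict

# The $int_if rules from the thread that matter here, in their posted order.
POSTED = [
    Rule("block"),                                           # block on $int_if all
    Rule("block", src="10.0.0.55", dport=5190),              # the intended ICQ block
    Rule("pass", quick=True, sport_gt=1023, dport_gt=1023),  # FTP data rule, quick
    Rule("block", src="10.0.0.55", dport=5190),              # repeated block, never reached
]

# The fix from the last reply: a "quick" block is final, so the FTP rule never gets a say.
FIXED = [
    Rule("block"),
    Rule("block", quick=True, src="10.0.0.55", dport=5190),
    Rule("pass", quick=True, sport_gt=1023, dport_gt=1023),
]

if __name__ == "__main__":
    print(evaluate(POSTED, "10.0.0.55", 40000, 5190))   # pass: the quick FTP rule wins
    print(evaluate(FIXED, "10.0.0.55", 40000, 5190))    # block
    print(evaluate(FIXED, "10.0.0.55", 50000, 50001))   # pass: FTP data still allowed
```

Real pf also keeps a state entry once the quick pass rule matches, so even a later block rule on the same path would not see the connection again; the model only shows the rule-order part.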