HardmanCummings Posted February 19, 2015

I was looking through an older backup disk and found my earlier firewall config. Memories from the past, but I think there may be people who want to play with OpenBSD instead of Linux, so here is my script for anyone who wants it.

pf.conf

### Start ###
# OpenBSD pf.conf in the pre-4.7 syntax (separate nat/rdr rules, explicit keep state)

#-> Net Interfaces
lo = lo0
int = sis0
ext = sis1
dmz = sis2

#-> Netz
bfnet = "10.10.10.0/24"
bfdmz = "10.110.110.0/24"

#-> Hosts
bftv = "10.10.10.10"
bfweb = "10.110.110.10"

#-> Ports
potv = "{ 9000 }"      # Misc
poweb = "{ 80, 443 }"  # Web server

#-> Reserved Networks
reserved = "{ 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255 }"

#-> PF Settings
set limit { states 20000, frags 20000 }
set block-policy drop
set optimization aggressive
scrub in on $ext all

#-> NAT Rules
nat on $ext inet from $bfnet to any -> ($ext)
nat on $ext inet from $bfdmz to any -> ($ext)

#-> Port Forwards
rdr on $ext proto { tcp, udp } from any to ($ext) port $potv -> $bftv
rdr on $ext proto { tcp, udp } from any to ($ext) port $poweb -> $bfweb
rdr on $ext proto tcp from any to ($ext) port 2001 -> $bfweb port ssh

# LAN clients reaching the web server via the external address (reflection)
rdr on $int proto { tcp, udp } from $bfnet to $ext port $poweb -> $bfweb
no nat on $int proto { tcp, udp } from $bfnet to $dmz
nat on $int proto { tcp, udp } from $bfnet to $bfweb port $poweb -> $dmz

#-> Filter Rules
pass quick on $lo all
antispoof for { $lo, $int, $ext, $dmz }
pass quick on { $int, $dmz } all
block in quick on $ext from $reserved to any
block in on $ext all
block out quick on $ext inet from ! ($ext) to any
pass in on $ext inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick on $ext proto tcp from any to any port 22 flags S/SA keep state
pass in quick on $ext proto { tcp, udp } from any to any port $poweb keep state
pass in quick on $ext proto { tcp, udp } from any to any port $potv keep state
pass in quick on $ext proto { tcp, udp } from any to any port 2001 keep state
pass out on $ext proto { tcp, udp, icmp } all keep state
### end ###
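The same ruleset in the syntax OpenBSD pf has used since 4.7, as an added example that is not part of the original post: the separate nat/rdr rules become nat-to/rdr-to options on match or pass rules, and the one deliberate change is that the original `pass quick on { $int, $dmz } all` let the DMZ web host initiate connections into the LAN, so here the DMZ is blocked from reaching the LAN. Interface and address names are the post's; the rule ordering is my assumption.

```pf
# Added example, not from the original post: the same ruleset in the
# nat-to/rdr-to syntax OpenBSD pf has used since 4.7. Names and addresses
# are taken from the post; the DMZ-to-LAN block is my addition.
int = "sis0"
ext = "sis1"
dmz = "sis2"
bfnet = "10.10.10.0/24"
bfdmz = "10.110.110.0/24"
bftv  = "10.10.10.10"
bfweb = "10.110.110.10"
potv  = "{ 9000 }"
poweb = "{ 80, 443 }"
reserved = "{ 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16, \
             172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255 }"

set limit { states 20000, frags 20000 }
set block-policy drop
set skip on lo0                        # replaces "pass quick on $lo all"
match in on $ext all scrub (no-df)     # "scrub in on $ext all" is now a match rule

# Default deny; keep state is implicit on pass rules since OpenBSD 4.1
block all
antispoof quick for { $int, $ext, $dmz }
block in quick on $ext from $reserved to any

# Outbound: NAT for LAN and DMZ in the pass rule itself, plus the firewall's own traffic
pass out on $ext inet from { $bfnet, $bfdmz } to any nat-to ($ext)
pass out on $ext inet from ($ext) to any

# Inbound services: rdr-to and filtering in the same rule
pass in on $ext inet proto icmp icmp-type echoreq
pass in log on $ext inet proto tcp to ($ext) port ssh
pass in on $ext inet proto { tcp, udp } to ($ext) port $poweb rdr-to $bfweb
pass in on $ext inet proto { tcp, udp } to ($ext) port $potv rdr-to $bftv
pass in on $ext inet proto tcp to ($ext) port 2001 rdr-to $bfweb port ssh

# LAN reflection: LAN clients reach the web server through the external address;
# replies must return via the firewall, hence the nat-to on the DMZ side.
# "quick" so the generic LAN/DMZ pass rules below do not override the translation.
pass in quick on $int inet proto tcp from $bfnet to ($ext) port $poweb rdr-to $bfweb
pass out quick on $dmz inet proto tcp from $bfnet to $bfweb port $poweb received-on $int nat-to ($dmz)

# Segmentation: LAN may initiate anywhere; the DMZ may not initiate into the LAN
# (the original "pass quick on { $int, $dmz } all" allowed DMZ -> LAN).
pass in on $int inet from $bfnet to any
block in quick on $dmz inet from $bfdmz to $bfnet
pass in on $dmz inet from $bfdmz to any
pass out on { $int, $dmz } inet all
```

Load it with `pfctl -nf` first to let pf parse it without applying anything, then check the counters with `pfctl -vsr` to confirm the DMZ-to-LAN block rule is actually being hit.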
HardmanCummings Posted February 19, 2015 (Author)

I should add that I ran this on a Soekris http://soekris.com/products/eol-products/net4801.html