infrastruktur:it-services:netvaerk:firewall [2014/09/17 21:24] Georg Sluytermaninfrastruktur:it-services:netvaerk:firewall [2022/01/27 16:36] (current) Torsten Martinsen
Line 1: Line 1:
 ===== antonius.hal9k.dk ===== ===== antonius.hal9k.dk =====
-  * Services: Firewall / packet filter + 
-  * Jern: Virtuel på halvm1 +  * Services: Firewall/router 
-  * OS: OpenBSD+  * Jern: Edgerouter
   * Ansvarlig/kontaktperson: [[members:sman]], [[members:jbr]]   * Ansvarlig/kontaktperson: [[members:sman]], [[members:jbr]]
 +  * Adresse:
 +     * Udefra: antonius.hal9k.dk
 +     * Indefra: gateway.hal9k.dk
 +  * IP: 10.42.2.1
  
 ** Overordnede bemærkninger ** ** Overordnede bemærkninger **
Line 9: Line 13:
 //Denne side er begrænset til læsning for almindelige brugere.// //Denne side er begrænset til læsning for almindelige brugere.//
  
-Der tages ikke backup af hosten. Ved ændringer i konfigurationsfiler (typisk /etc/pf.conf) opdateres denne side (dog indsættes adgangskoden til SIXXS ikke for konfigurationen for AICCU :). 
- 
-Mht. logning ifølge logningsbekendtgørelsen har ITST svaret at vi ikke er omfattet. 
- 
-**Konfigurationsfiler** 
- 
-/etc/rc.local (add): 
-<code> 
-if [ -x /usr/local/sbin/aiccu -a -f /etc/aiccu.conf ]; then 
-        echo -n ' aiccu' 
-        /usr/local/sbin/aiccu start 
-fi 
-</code> 
- 
-install aiccu (pkg_add aiccu) 
- 
-net-snmpd 
-<code> 
-pkg_add net-snmp 
-</code> 
- 
-Enable in rc.conf 
- 
-Conf in /etc/snmp/snmpd.conf 
- 
- 
-/etc/sysctl.conf 
-<code> 
-net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets 
-net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets 
-</code> 
- 
-/etc/hostname.em0  
-<code> 
-description 'outside' 
-dhcp 
-</code> 
- 
-/etc/hostname.em1 
-<code> 
-description 'Wireless network' 
-inet 10.42.2.1 255.255.255.0 
-inet6 2001:16d8:dd56:2::1 64 
-</code> 
- 
-/etc/hostname.em2 
-<code> 
-description 'Cabled network' 
-inet 10.42.3.1 255.255.255.0 
-inet6 2001:16d8:dd56:3::1 64 
-</code> 
- 
-/etc/hostname.em3 
-<code> 
-description 'Server network' 
-inet 10.42.4.1 255.255.255.0 
-inet6 2001:16d8:dd56:4::1 64 
-</code> 
- 
-/etc/hostname.em4 
-<code> 
-description 'BMX network' 
-inet 10.42.5.1 255.255.255.0 
-inet6 2001:16d8:dd56:5::1 64 
-</code> 
- 
-For /etc/ssh/sshd_config ret: 
-<code> 
-PermitRootLogin without-password 
-</code> 
- 
-/etc/rtadvd.conf 
-<code> 
-em1:\ 
-        :addr="2001:16d8:dd56:2::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10: 
- 
-em2:\ 
-        :addr="2001:16d8:dd56:3::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10: 
-em4:\ 
-        :addr="2001:16d8:dd56:5::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10: 
-</code> 
- 
-/etc/rc.conf.local 
-<code> 
-ntpd_flags=             # enabled during install 
-dhcpd_flags="em1 em2 em4" 
-rtadvd_flags="em1 em2 em4" 
-ftpproxy_flags="" 
- 
-</code> 
- 
-/etc/aiccu.conf 
-<code> 
-username GSW2-SIXXS 
-password s3cret 
-ipv6_interface gif0 
-tunnel_id T28389 
-verbose false 
-daemonize true 
-automatic true 
-requiretls false 
-</code> 
- 
-/etc/dhcpd.conf 
-<code> 
-# dhcpd.conf 
-# 
- 
-# option definitions common to all supported networks... 
-option domain-name "hal9k.dk"; 
-option domain-name-servers 89.233.43.71, 89.104.194.142; 
-option ntp-servers 130.225.51.74, 130.225.51.85, 130.225.51.73; 
-option time-offset 1; 
-default-lease-time 3600; 
-max-lease-time 7200; 
-#  filename "pxelinux.0"; 
-#  next-server 10.42.4.42; 
- 
-# If this DHCP server is the official DHCP server for the local 
-# network, the authoritative directive should be uncommented. 
-authoritative; 
- 
-##ddns-update-style none; 
- 
-# Use this to send dhcp log messages to a different log file (you also 
-# have to hack syslog.conf to complete the redirection). 
-##log-facility local7; 
- 
-#Wireless network 
-subnet 10.42.2.0 netmask 255.255.255.0 { 
-  range 10.42.2.100 10.42.2.254; 
-  option routers 10.42.2.1; 
-} 
- 
-#host example.hal9k.dk { 
-#   hardware ethernet 00:00:f3:00:00:33; 
-#   fixed-address 10.42.2.10; 
-#} 
- 
-#Cabled network 
-subnet 10.42.3.0 netmask 255.255.255.0 { 
-  range 10.42.3.100 10.42.3.254; 
-  option routers 10.42.3.1; 
- 
-  #next-server 10.42.4.9; 
-  #    get-lease-hostnames true; 
-  option subnet-mask 255.255.255.0; 
-  option root-path "/opt/ltsp/i386"; 
-  #if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" { 
-  #   filename "/ltsp/i386/pxelinux.0"; 
-  #} else { 
-  #    filename "/ltsp/i386/nbi.img"; 
-  #} 
- 
-  host printer1.hal9k.dk { 
-    hardware ethernet 00:00:f0:a9:c7:0f; 
-    fixed-address 10.42.3.12; 
-  } 
-  host halcam1.hal9k.dk { 
-    hardware ethernet 80:1f:02:8b:ef:c5; 
-    fixed-address 10.42.3.20; 
-  } 
-  host halcam2.hal9k.dk { 
-    hardware ethernet 80:1f:02:8b:ef:be; 
-    fixed-address 10.42.3.21; 
-  } 
-  host halcam3.hal9k.dk { 
-    hardware ethernet 80:1f:02:8b:e6:60; 
-    fixed-address 10.42.3.22; 
-  } 
-  host halcam4.hal9k.dk { 
-    hardware ethernet 80:1f:02:8b:e6:3c; 
-    fixed-address 10.42.3.23; 
-  } 
-  host halcam5.hal9k.dk { 
-    hardware ethernet 80:1f:02:8b:ef:cc; 
-    fixed-address 10.42.3.24; 
-  } 
-  host halcam6.hal9k.dk { 
-    hardware ethernet 80:1f:02:8b:ef:bd; 
-    fixed-address 10.42.3.25; 
-  } 
- 
- 
-} 
- 
-#host example2.hal9k.dk { 
-#   hardware ethernet 00:00:f3:00:00:33; 
-#   fixed-address 10.42.3.10; 
-#} 
- 
-#BMX network 
-subnet 10.42.5.0 netmask 255.255.255.0 { 
-  range 10.42.5.100 10.42.5.254; 
-  option routers 10.42.5.1; 
-} 
-</code> 
- 
-/etc/pf.conf 
-<code>                                                                                      
-# Rules for HAL9k. Last edited by sman 2013-08-15 
- 
-### Macros ### 
-ext_if  = "em0" 
-ext6_if = "tun0" 
-wlan_if = "em1" 
-clan_if = "em2" 
-srv_if  = "em3" 
-bmx_if  = "em4" 
-extv4   = "95.166.117.167" 
- 
-# SRV hosts 
-3dprint01  = "10.42.4.11" 
-3dprint016 = "2001:16d8:dd56:4::11" 
- 
-### Tables ### 
-table <wlan_network> const { 10.42.2.0/24, 2001:16d8:dd56:2::/64 } 
-table <clan_network> const { 10.42.3.0/24, 2001:16d8:dd56:3::/64 } 
-table <srv_network>  const { 10.42.4.0/24, 2001:16d8:dd56:4::/64 } 
-table <bmx_network>  const { 10.42.5.0/24, 2001:16d8:dd56:5::/64 } 
-table <int_network>  const { 10.0.0.0/8, 2001:16d8:dd6e::/48 } 
-table <ip6_multic>   const { fe80::/10, ff00::/8 } 
-table <ext_addr>     const { 95.166.117.167, 2001:16d8:dd00:a1::2 } 
-table <switches>     const { 2001:16d8:dd56:4::2, 2001:16d8:dd56:4::3 } 
-table <gip>          const { 130.225.254.108, 90.185.56.186, 77.243.53.201, 77.243.53.195, 2a03:dc80:0:f156::1003, 2a03:dc80:0:f101::5 2001:16d8:dd6a:231::5 }  
- 
- 
-### Options ### 
-set skip on lo 
-set limit states 100000 
-# Make AFS happy (call-backs) 
-set timeout udp.first    600 
-set timeout udp.single   600 
-set timeout udp.multiple 600 
- 
-### Traffic Normalization ### 
-match in all scrub (no-df) 
- 
-### Queueing ### 
- 
-### Translation ### 
-anchor "ftp-proxy/*" 
- 
-### Packet filtering ### 
-# Deny everything - first match 
-block in log all 
-pass out 
-#TEMP 
-pass in proto udp from <srv_network> to <clan_network> 
- 
-block in log quick from urpf-failed 
-pass  in quick on $ext_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021 
- 
-# Allow ssh, www and dhcp to self 
-pass  in proto {tcp,udp} from any to any port 67:68 # update this line.. 
-pass  in on $ext_if proto tcp from any to $extv4 port { ssh, 8573 } 
-pass  in on $ext6_if proto tcp from any to <ext_addr> port { ssh, 8573 } 
-pass  in proto tcp from any to <ext_addr> port 80 
- 
-# Traffic from internal networks 
-pass  in on $wlan_if from <wlan_network> to any 
-pass  in on $wlan_if from <ip6_multic> to any 
-block in log on $wlan_if proto tcp from <wlan_network> to any port 25 
-pass  in on $clan_if from <clan_network> to any 
-pass  in on $clan_if from <ip6_multic> to any 
-pass  in on $bmx_if  from <bmx_network> to any 
-pass  in on $bmx_if  from <ip6_multic> to any 
-block in log on $bmx_if  proto tcp from <bmx_network> to any port 25 
-pass  in on $srv_if  from <srv_network>  to ! <int_network> 
-pass  in on $srv_if  from <srv_network> to self 
-pass  in on $srv_if  from <ip6_multic>  to ! <int_network> 
- 
-# NAT 
-match out on $ext_if inet from <int_network> to any nat-to $ext_if 
- 
-# Traffic from external networks 
- 
-# Allow ping to any 
-pass  in inet  proto icmp  from any to any icmp-type echoreq 
-pass  in inet6 proto icmp6 from any to any icmp6-type echoreq 
- 
-# SRV net 
-#pass  in on $ext_if  inet  proto tcp from any to $extv4 port { 80, 443 } rdr-to $rationell 
-#pass  in on $ext6_if inet6 proto tcp from any to $rationell6 port { 80, 1443} 
- 
-# 3dprint01 (mchro) 
-pass  in on $ext_if  inet  proto tcp from any   to $extv4 port 2022 rdr-to $3dprint01 port 22 
-pass  in on $ext_if  inet  proto tcp from any   to $extv4 port 2059 rdr-to $3dprint01 port 5900 
-pass  in on $ext6_if inet6 proto tcp from any   to $3dprint016 port {22, 5900} 
  
-# sw1 sw2 (Georg) 
-pass in on $ext6_if proto { tcp, udp } from <gip> to <switches> port 161 
-pass in on $ext6_if proto { tcp, udp } from <gip> to $halvm16 port 161 
-</code> 
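Review bot: The new side reduces the page to four facts (Services, Jern, Adresse, IP) but never says where the EdgeRouter's configuration now lives or how it is backed up, whereas the removed text stated that no backup is taken of the host and that this page itself was the record of `/etc/pf.conf` and friends, so as written a hardware failure leaves no documented recovery path. I would add a line under "Overordnede bemærkninger" such as `Konfiguration: backup af EdgeRouter-konfigurationen ligger i <sted>; opdateres ved ændringer`. The added `IP: 10.42.2.1` was only the wireless-network gateway in the removed config (10.42.3.1, 10.42.4.1 and 10.42.5.1 served the cabled, server and BMX networks, each with a 2001:16d8:dd56:x::/64 prefix), and the page does not say whether those networks and the IPv6 routing still exist on the EdgeRouter, which a reader of the new page cannot tell. The old page also documented management exposure (`PermitRootLogin without-password`, SSH and port 8573 passed in on the external interface); the replacement should state from which networks the EdgeRouter's SSH/web management is reachable, so the new device is not less documented than the one it replaced. The "Overordnede bemærkninger" section is split across the two hunks (Line 1 and Line 9/13), so some of the surrounding text is not visible here.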