infrastruktur:it-services:netvaerk:firewall [2014/09/17 21:24] – Georg Sluyterman | infrastruktur:it-services:netvaerk:firewall [2022/01/27 16:36] (current) – Torsten Martinsen | ||
Line 1: | Line 1: | ||
===== antonius.hal9k.dk ===== | ===== antonius.hal9k.dk ===== | ||
- | | + | |
- | * Jern: Virtuel på halvm1 | + | |
- | * OS: OpenBSD | + | * Jern: Edgerouter |
* Ansvarlig/ | * Ansvarlig/ | ||
+ | * Adresse: | ||
+ | * Udefra: antonius.hal9k.dk | ||
+ | * Indefra: gateway.hal9k.dk | ||
+ | * IP: 10.42.2.1 | ||
** Overordnede bemærkninger ** | ** Overordnede bemærkninger ** | ||
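Review bot: The new header block (hardware, external and internal hostnames, gateway IP 10.42.2.1) still sits directly under the context note that the page is read-restricted for ordinary users, yet this revision comparison is reachable and the previous revision it replaces contained a tunnel credential (`password s3cret` in the aiccu config) alongside the full pf ruleset, DHCP reservations and camera/printer MAC-to-IP mappings; dropping them from the current text does not remove them from page history. If that value was ever a live aiccu/SIXXS password it should be treated as disclosed and rotated, and the old revision purged or the history access actually restricted as the page claims. The removed text also stated that no backup was taken of the old host; the new side says nothing about where the Edgerouter configuration is kept, so a line such as `* Backup: <location of exported Edgerouter config>` would make the replacement as complete as the page it supersedes.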
Line 9: | Line 13: | ||
//Denne side er begrænset til læsning for almindelige brugere.// | //Denne side er begrænset til læsning for almindelige brugere.// | ||
- | Der tages ikke backup af hosten. Ved ændringer i konfigurationsfiler (typisk / | ||
- | |||
- | Mht. logning ifølge logningsbekendtgørelsen har ITST svaret at vi ikke er omfattet. | ||
- | |||
- | **Konfigurationsfiler** | ||
- | |||
- | / | ||
- | < | ||
- | if [ -x / | ||
- | echo -n ' aiccu' | ||
- | / | ||
- | fi | ||
- | </ | ||
- | |||
- | install aiccu (pkg_add aiccu) | ||
- | |||
- | net-snmpd | ||
- | < | ||
- | pkg_add net-snmp | ||
- | </ | ||
- | |||
- | Enable in rc.conf | ||
- | |||
- | Conf in / | ||
- | |||
- | |||
- | / | ||
- | < | ||
- | net.inet.ip.forwarding=1 | ||
- | net.inet6.ip6.forwarding=1 | ||
- | </ | ||
- | |||
- | / | ||
- | < | ||
- | description ' | ||
- | dhcp | ||
- | </ | ||
- | |||
- | / | ||
- | < | ||
- | description ' | ||
- | inet 10.42.2.1 255.255.255.0 | ||
- | inet6 2001: | ||
- | </ | ||
- | |||
- | / | ||
- | < | ||
- | description ' | ||
- | inet 10.42.3.1 255.255.255.0 | ||
- | inet6 2001: | ||
- | </ | ||
- | |||
- | / | ||
- | < | ||
- | description ' | ||
- | inet 10.42.4.1 255.255.255.0 | ||
- | inet6 2001: | ||
- | </ | ||
- | |||
- | / | ||
- | < | ||
- | description 'BMX network' | ||
- | inet 10.42.5.1 255.255.255.0 | ||
- | inet6 2001: | ||
- | </ | ||
- | |||
- | For / | ||
- | < | ||
- | PermitRootLogin without-password | ||
- | </ | ||
- | |||
- | / | ||
- | < | ||
- | em1:\ | ||
- | : | ||
- | |||
- | em2:\ | ||
- | : | ||
- | em4:\ | ||
- | : | ||
- | </ | ||
- | |||
- | / | ||
- | < | ||
- | ntpd_flags= | ||
- | dhcpd_flags=" | ||
- | rtadvd_flags=" | ||
- | ftpproxy_flags="" | ||
- | |||
- | </ | ||
- | |||
- | / | ||
- | < | ||
- | username GSW2-SIXXS | ||
- | password s3cret | ||
- | ipv6_interface gif0 | ||
- | tunnel_id T28389 | ||
- | verbose false | ||
- | daemonize true | ||
- | automatic true | ||
- | requiretls false | ||
- | </ | ||
- | |||
- | / | ||
- | < | ||
- | # dhcpd.conf | ||
- | # | ||
- | |||
- | # option definitions common to all supported networks... | ||
- | option domain-name " | ||
- | option domain-name-servers 89.233.43.71, | ||
- | option ntp-servers 130.225.51.74, | ||
- | option time-offset 1; | ||
- | default-lease-time 3600; | ||
- | max-lease-time 7200; | ||
- | # filename " | ||
- | # next-server 10.42.4.42; | ||
- | |||
- | # If this DHCP server is the official DHCP server for the local | ||
- | # network, the authoritative directive should be uncommented. | ||
- | authoritative; | ||
- | |||
- | ## | ||
- | |||
- | # Use this to send dhcp log messages to a different log file (you also | ||
- | # have to hack syslog.conf to complete the redirection). | ||
- | ## | ||
- | |||
- | #Wireless network | ||
- | subnet 10.42.2.0 netmask 255.255.255.0 { | ||
- | range 10.42.2.100 10.42.2.254; | ||
- | option routers 10.42.2.1; | ||
- | } | ||
- | |||
- | #host example.hal9k.dk { | ||
- | # | ||
- | # | ||
- | #} | ||
- | |||
- | #Cabled network | ||
- | subnet 10.42.3.0 netmask 255.255.255.0 { | ||
- | range 10.42.3.100 10.42.3.254; | ||
- | option routers 10.42.3.1; | ||
- | |||
- | # | ||
- | # get-lease-hostnames true; | ||
- | option subnet-mask 255.255.255.0; | ||
- | option root-path "/ | ||
- | #if substring( option vendor-class-identifier, | ||
- | # | ||
- | #} else { | ||
- | # filename "/ | ||
- | #} | ||
- | |||
- | host printer1.hal9k.dk { | ||
- | hardware ethernet 00: | ||
- | fixed-address 10.42.3.12; | ||
- | } | ||
- | host halcam1.hal9k.dk { | ||
- | hardware ethernet 80: | ||
- | fixed-address 10.42.3.20; | ||
- | } | ||
- | host halcam2.hal9k.dk { | ||
- | hardware ethernet 80: | ||
- | fixed-address 10.42.3.21; | ||
- | } | ||
- | host halcam3.hal9k.dk { | ||
- | hardware ethernet 80: | ||
- | fixed-address 10.42.3.22; | ||
- | } | ||
- | host halcam4.hal9k.dk { | ||
- | hardware ethernet 80: | ||
- | fixed-address 10.42.3.23; | ||
- | } | ||
- | host halcam5.hal9k.dk { | ||
- | hardware ethernet 80: | ||
- | fixed-address 10.42.3.24; | ||
- | } | ||
- | host halcam6.hal9k.dk { | ||
- | hardware ethernet 80: | ||
- | fixed-address 10.42.3.25; | ||
- | } | ||
- | |||
- | |||
- | } | ||
- | |||
- | #host example2.hal9k.dk { | ||
- | # | ||
- | # | ||
- | #} | ||
- | |||
- | #BMX network | ||
- | subnet 10.42.5.0 netmask 255.255.255.0 { | ||
- | range 10.42.5.100 10.42.5.254; | ||
- | option routers 10.42.5.1; | ||
- | } | ||
- | </ | ||
- | |||
- | / | ||
- | < | ||
- | # Rules for HAL9k. Last edited by sman 2013-08-15 | ||
- | |||
- | ### Macros ### | ||
- | ext_if | ||
- | ext6_if = " | ||
- | wlan_if = " | ||
- | clan_if = " | ||
- | srv_if | ||
- | bmx_if | ||
- | extv4 = " | ||
- | |||
- | # SRV hosts | ||
- | 3dprint01 | ||
- | 3dprint016 = " | ||
- | |||
- | ### Tables ### | ||
- | table < | ||
- | table < | ||
- | table < | ||
- | table < | ||
- | table < | ||
- | table < | ||
- | table < | ||
- | table < | ||
- | table < | ||
- | |||
- | |||
- | ### Options ### | ||
- | set skip on lo | ||
- | set limit states 100000 | ||
- | # Make AFS happy (call-backs) | ||
- | set timeout udp.first | ||
- | set timeout udp.single | ||
- | set timeout udp.multiple 600 | ||
- | |||
- | ### Traffic Normalization ### | ||
- | match in all scrub (no-df) | ||
- | |||
- | ### Queueing ### | ||
- | |||
- | ### Translation ### | ||
- | anchor " | ||
- | |||
- | ### Packet filtering ### | ||
- | # Deny everything - first match | ||
- | block in log all | ||
- | pass out | ||
- | #TEMP | ||
- | pass in proto udp from < | ||
- | |||
- | block in log quick from urpf-failed | ||
- | pass in quick on $ext_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021 | ||
- | |||
- | # Allow ssh, www and dhcp to self | ||
- | pass in proto {tcp,udp} from any to any port 67:68 # update this line.. | ||
- | pass in on $ext_if proto tcp from any to $extv4 port { ssh, 8573 } | ||
- | pass in on $ext6_if proto tcp from any to < | ||
- | pass in proto tcp from any to < | ||
- | |||
- | # Traffic from internal networks | ||
- | pass in on $wlan_if from < | ||
- | pass in on $wlan_if from < | ||
- | block in log on $wlan_if proto tcp from < | ||
- | pass in on $clan_if from < | ||
- | pass in on $clan_if from < | ||
- | pass in on $bmx_if | ||
- | pass in on $bmx_if | ||
- | block in log on $bmx_if | ||
- | pass in on $srv_if | ||
- | pass in on $srv_if | ||
- | pass in on $srv_if | ||
- | |||
- | # NAT | ||
- | match out on $ext_if inet from < | ||
- | |||
- | # Traffic from external networks | ||
- | |||
- | # Allow ping to any | ||
- | pass in inet proto icmp from any to any icmp-type echoreq | ||
- | pass in inet6 proto icmp6 from any to any icmp6-type echoreq | ||
- | |||
- | # SRV net | ||
- | #pass in on $ext_if | ||
- | #pass in on $ext6_if inet6 proto tcp from any to $rationell6 port { 80, 1443} | ||
- | |||
- | # 3dprint01 (mchro) | ||
- | pass in on $ext_if | ||
- | pass in on $ext_if | ||
- | pass in on $ext6_if inet6 proto tcp from any to $3dprint016 port {22, 5900} | ||
- | # sw1 sw2 (Georg) | ||
- | pass in on $ext6_if proto { tcp, udp } from <gip> to < | ||
- | pass in on $ext6_if proto { tcp, udp } from <gip> to $halvm16 port 161 | ||
- | </ |