




antonius.hal9k.dk

Overordnede bemærkninger

Denne side er begrænset til læsning for almindelige brugere.

Der tages ikke backup af hosten. Ved ændringer i konfigurationsfiler (typisk /etc/pf.conf) opdateres denne side, som dermed er den eneste kopi af konfigurationen. Adgangskoden til SIXXS i /etc/aiccu.conf er dog erstattet af en pladsholder i listingen nedenfor.

Mht. logning ifølge logningsbekendtgørelsen har ITST svaret at vi ikke er omfattet.

Konfigurationsfiler

/etc/rc.local (add):

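# Start the SIXXS tunnel client at boot, but only when both the binary and its
# config are present - the config holds the SIXXS credentials, and a missing
# file must not abort the rest of rc.local. Two separate tests joined by &&
# replace the obsolescent "-a" inside a single [ ].
if [ -x /usr/local/sbin/aiccu ] && [ -f /etc/aiccu.conf ]; then
        echo -n ' aiccu'
        /usr/local/sbin/aiccu start
fi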

install aiccu (pkg_add aiccu)

net-snmpd

pkg_add net-snmp

Enable it in /etc/rc.conf.local (pkg_scripts=snmpd); /etc/rc.conf itself should not be edited. Note that the /etc/rc.conf.local listing further down has no pkg_scripts line, so that listing may be incomplete.

Configuration lives in /etc/snmp/snmpd.conf (not reproduced on this page). Per the pf.conf below, the firewall's own snmpd is only reachable from the internal networks; the external SNMP rules admit traffic to the switches, not to this host.

/etc/sysctl.conf

# Both address families are forwarded, i.e. this host routes between em0..em4.
# Forwarded packets are still subject to /etc/pf.conf (default "block in log
# all"), which is what actually enforces the segmentation between the networks.
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets

/etc/hostname.em0

# Upstream/ISP side. The address is DHCP-assigned, yet pf.conf pins it as the
# literal macro extv4 = "95.166.117.167"; if the lease ever changes, every
# rule written "to $extv4" silently stops matching ("($ext_if)" would track it).
# No inet6 here: IPv6 arrives through the aiccu tunnel, not on em0.
description 'outside'
dhcp

/etc/hostname.em1

# Wireless clients: 10.42.2.0/24 and 2001:16d8:dd56:2::/64. DHCP and router
# advertisements are served on this interface (dhcpd_flags/rtadvd_flags).
description 'Wireless network'
inet 10.42.2.1 255.255.255.0
inet6 2001:16d8:dd56:2::1 64

/etc/hostname.em2

# Cabled clients: 10.42.3.0/24 and 2001:16d8:dd56:3::/64. DHCP and router
# advertisements are served here; dhcpd.conf also reserves fixed addresses
# for the printer and the cameras on this segment.
description 'Cabled network'
inet 10.42.3.1 255.255.255.0
inet6 2001:16d8:dd56:3::1 64

/etc/hostname.em3

# Server segment: 10.42.4.0/24 and 2001:16d8:dd56:4::/64. em3 is absent from
# both dhcpd_flags and rtadvd_flags, so no DHCP or RAs are offered here -
# presumably the servers are addressed statically (pf.conf refers to them by
# fixed addresses such as 10.42.4.11); confirm before adding em3 to either.
description 'Server network'
inet 10.42.4.1 255.255.255.0
inet6 2001:16d8:dd56:4::1 64

/etc/hostname.em4

# BMX segment: 10.42.5.0/24 and 2001:16d8:dd56:5::/64. DHCP and router
# advertisements are served here, same as the wireless and cabled networks.
description 'BMX network'
inet 10.42.5.1 255.255.255.0
inet6 2001:16d8:dd56:5::1 64

For /etc/ssh/sshd_config ret:

# Root may log in with public-key authentication only; password logins for
# root are refused. Newer OpenSSH spells this "prohibit-password" and keeps
# "without-password" as an accepted alias. sshd is reachable from the whole
# Internet on both address families (see pf.conf), so keep root key-only and
# consider rate-limiting new ssh connections in pf.
PermitRootLogin without-password

/etc/rtadvd.conf

# Router advertisements for the three client segments (the same interfaces as
# rtadvd_flags in /etc/rc.conf.local). em3 (server network) is deliberately
# absent - see /etc/hostname.em3. vltime=300 keeps a withdrawn prefix valid
# for at most five minutes; advertisements go out every 10-20 seconds.
em1:\
        :addr="2001:16d8:dd56:2::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:

em2:\
        :addr="2001:16d8:dd56:3::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
em4:\
        :addr="2001:16d8:dd56:5::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:

/etc/rc.conf.local

# Daemons started at boot. dhcpd and rtadvd are bound to the client segments
# only (not em0 or em3). ftp-proxy runs with default flags, i.e. listening on
# 127.0.0.1:8021, which is where pf.conf's "ftp-proxy/*" anchor and the
# "rdr-to 127.0.0.1 port 8021" rule send FTP control connections.
ntpd_flags=             # enabled during install
dhcpd_flags="em1 em2 em4"
rtadvd_flags="em1 em2 em4"
ftpproxy_flags=""

/etc/aiccu.conf

# SIXXS tunnel client configuration. The password below is a placeholder; the
# real one exists only in the file on the host, which should be readable by
# root only (chmod 600) since it is the tunnel credential.
# NOTE(review): SIXXS shut down its tunnel service in June 2017, so this file
# is historical; the IPv6 reachability described on this page depends on it.
username GSW2-SIXXS
password s3cret
# NOTE(review): pf.conf binds its IPv6 rules to ext6_if = "tun0", but the tunnel
# is configured on gif0 here. Unless aiccu actually brings the tunnel up on
# tun0 (presumably the AYIYA case), the $ext6_if rules match nothing - check
# with ifconfig after "aiccu start" and make the two files agree.
ipv6_interface gif0
tunnel_id T28389
verbose false
daemonize true
automatic true
# false lets the TIC control channel fall back to plaintext when TLS is not
# available; prefer true unless the broker cannot do TLS.
requiretls false

/etc/dhcpd.conf

# dhcpd.conf
#
# Serves the three client segments (wireless, cabled, BMX). The server net
# (10.42.4.0/24) and the outside interface get no DHCP: dhcpd_flags in
# /etc/rc.conf.local lists em1 em2 em4 only.

# option definitions common to all supported networks...
option domain-name "hal9k.dk";
# Resolvers and NTP servers are external, hard-coded addresses; clients lose
# name resolution if these change upstream.
option domain-name-servers 89.233.43.71, 89.104.194.142;
option ntp-servers 130.225.51.74, 130.225.51.85, 130.225.51.73;
# NOTE(review): time-offset is in seconds from UTC (RFC 2132), so "1" means one
# second, not UTC+1; CET would be 3600. The option is deprecated (RFC 4833) and
# most clients ignore it, so this is cosmetic rather than a fault.
option time-offset 1;
default-lease-time 3600;
max-lease-time 7200;
#  filename "pxelinux.0";
#  next-server 10.42.4.42;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

##ddns-update-style none;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
##log-facility local7;

#Wireless network
subnet 10.42.2.0 netmask 255.255.255.0 {
  range 10.42.2.100 10.42.2.254;
  option routers 10.42.2.1;
}

#host example.hal9k.dk {
#   hardware ethernet 00:00:f3:00:00:33;
#   fixed-address 10.42.2.10;
#}

#Cabled network
subnet 10.42.3.0 netmask 255.255.255.0 {
  range 10.42.3.100 10.42.3.254;
  option routers 10.42.3.1;

  #next-server 10.42.4.9;
  #    get-lease-hostnames true;
  option subnet-mask 255.255.255.0;
  # LTSP remnant: still handed to every client on this subnet even though the
  # PXE filename block below is commented out.
  option root-path "/opt/ltsp/i386";
  #if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
  #   filename "/ltsp/i386/pxelinux.0";
  #} else {
  #    filename "/ltsp/i386/nbi.img";
  #}

  # The reservations below are keyed on MAC address only - a client with a
  # spoofed MAC obtains the same address - so these IPs identify a device, not
  # an authenticated one. The cameras (.20-.25) share this segment with
  # ordinary cabled clients.
  host printer1.hal9k.dk {
    hardware ethernet 00:00:f0:a9:c7:0f;
    fixed-address 10.42.3.12;
  }
  host halcam1.hal9k.dk {
    hardware ethernet 80:1f:02:8b:ef:c5;
    fixed-address 10.42.3.20;
  }
  host halcam2.hal9k.dk {
    hardware ethernet 80:1f:02:8b:ef:be;
    fixed-address 10.42.3.21;
  }
  host halcam3.hal9k.dk {
    hardware ethernet 80:1f:02:8b:e6:60;
    fixed-address 10.42.3.22;
  }
  host halcam4.hal9k.dk {
    hardware ethernet 80:1f:02:8b:e6:3c;
    fixed-address 10.42.3.23;
  }
  host halcam5.hal9k.dk {
    hardware ethernet 80:1f:02:8b:ef:cc;
    fixed-address 10.42.3.24;
  }
  host halcam6.hal9k.dk {
    hardware ethernet 80:1f:02:8b:ef:bd;
    fixed-address 10.42.3.25;
  }


}

#host example2.hal9k.dk {
#   hardware ethernet 00:00:f3:00:00:33;
#   fixed-address 10.42.3.10;
#}

#BMX network
subnet 10.42.5.0 netmask 255.255.255.0 {
  range 10.42.5.100 10.42.5.254;
  option routers 10.42.5.1;
}

/etc/pf.conf

                                                                                     
# Rules for HAL9k. Last edited by sman 2013-08-15
#
# Layout: macros, tables, options, normalization, the ftp-proxy anchor, then a
# default-deny inbound policy with per-interface pass rules and port forwards.
# pf is last-match-wins: a later "pass in" overrides the initial block for the
# traffic it matches, except that rules marked "quick" end evaluation at once.
#
# NOTE(review) - things to confirm against the live /etc/pf.conf:
#  * $halvm16 (last rule) is never defined under Macros. pfctl refuses to load
#    a ruleset with an undefined macro, so either this listing is stale or the
#    live file has an extra macro line.
#  * <int_network>'s IPv6 entry is 2001:16d8:dd6e::/48, which does not contain
#    the 2001:16d8:dd56:*::/64 prefixes used on em1-em4. Unless dd6e is a typo
#    for dd56, the "to ! <int_network>" isolation of the server net is IPv4-only.
#  * ext6_if is "tun0" while /etc/aiccu.conf says "ipv6_interface gif0"; the
#    rules bound to $ext6_if match nothing if the tunnel comes up on gif0.

### Macros ###
ext_if  = "em0"
ext6_if = "tun0"
wlan_if = "em1"
clan_if = "em2"
srv_if  = "em3"
bmx_if  = "em4"
# em0 is DHCP-assigned (/etc/hostname.em0); hard-coding the address here means
# a lease change silently breaks every "to $extv4" rule. "($ext_if)" tracks it.
extv4   = "95.166.117.167"

# SRV hosts
3dprint01  = "10.42.4.11"
3dprint016 = "2001:16d8:dd56:4::11"

### Tables ###
table <wlan_network> const { 10.42.2.0/24, 2001:16d8:dd56:2::/64 }
table <clan_network> const { 10.42.3.0/24, 2001:16d8:dd56:3::/64 }
table <srv_network>  const { 10.42.4.0/24, 2001:16d8:dd56:4::/64 }
table <bmx_network>  const { 10.42.5.0/24, 2001:16d8:dd56:5::/64 }
# "Internal" for isolation purposes. 10/8 also covers this host's own inside
# addresses, hence the explicit "to self" pass for the server net below.
table <int_network>  const { 10.0.0.0/8, 2001:16d8:dd6e::/48 }
table <ip6_multic>   const { fe80::/10, ff00::/8 }
table <ext_addr>     const { 95.166.117.167, 2001:16d8:dd00:a1::2 }
table <switches>     const { 2001:16d8:dd56:4::2, 2001:16d8:dd56:4::3 }
# Management hosts allowed to poll SNMP. The missing comma before the last
# entry is accepted by pf (separators are optional) but worth adding.
table <gip>          const { 130.225.254.108, 90.185.56.186, 77.243.53.201, 77.243.53.195, 2a03:dc80:0:f156::1003, 2a03:dc80:0:f101::5 2001:16d8:dd6a:231::5 } 


### Options ###
# Loopback is unfiltered; that is where ftp-proxy listens (127.0.0.1:8021).
set skip on lo
set limit states 100000
# Make AFS happy (call-backs)
set timeout udp.first    600
set timeout udp.single   600
set timeout udp.multiple 600

### Traffic Normalization ###
match in all scrub (no-df)

### Queueing ###

### Translation ###
# ftp-proxy inserts its own rdr/pass rules here for each FTP data connection.
anchor "ftp-proxy/*"

### Packet filtering ###
# Default deny inbound, logged to pflog0. This is last-match, not first-match:
# every later non-quick "pass in" overrides it for the traffic it matches.
block in log all
pass out
# TEMP: undated and not bound to an interface - any UDP from the server net
# into the cabled net is accepted. Remove once no longer needed.
pass in proto udp from <srv_network> to <clan_network>

# Spoofed sources are dropped regardless of any later pass rule ("quick").
block in log quick from urpf-failed
# Redirects FTP arriving on the *external* interface to the local ftp-proxy.
# The usual pattern is to do this on the internal interfaces so that clients'
# outbound FTP is proxied; as written, outbound FTP from em1-em4 is not
# proxied, while port 21 is accepted from the Internet. Confirm the intent.
pass  in quick on $ext_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021

# Allow ssh, www and dhcp to self
# Not bound to an interface, so DHCP is also accepted on em0 and em3 even
# though dhcpd only serves em1/em2/em4 (rc.conf.local). Suggested:
#   pass in on { $wlan_if $clan_if $bmx_if } proto udp from any to any port 67:68
pass  in proto {tcp,udp} from any to any port 67:68 # update this line..
# sshd is reachable from any source on both families. With key-only root
# login (sshd_config) that is tolerable, but consider throttling, e.g.
#   table <bruteforce> persist
#   block in quick from <bruteforce>
#   ... port { ssh, 8573 } keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
# The service on port 8573 is not documented on this page.
pass  in on $ext_if proto tcp from any to $extv4 port { ssh, 8573 }
pass  in on $ext6_if proto tcp from any to <ext_addr> port { ssh, 8573 }
pass  in proto tcp from any to <ext_addr> port 80

# Traffic from internal networks
# Client segments may initiate anything, including to the server net and to
# each other; only outbound SMTP is blocked, and only on wlan and bmx - the
# cabled net has no such rule (deliberate?). Link-local/multicast sources are
# passed so IPv6 neighbour discovery and router solicitations work.
pass  in on $wlan_if from <wlan_network> to any
pass  in on $wlan_if from <ip6_multic> to any
block in log on $wlan_if proto tcp from <wlan_network> to any port 25
pass  in on $clan_if from <clan_network> to any
pass  in on $clan_if from <ip6_multic> to any
pass  in on $bmx_if  from <bmx_network> to any
pass  in on $bmx_if  from <ip6_multic> to any
block in log on $bmx_if  proto tcp from <bmx_network> to any port 25
# The server net may only reach the outside world and this host. The
# "! <int_network>" exclusion only isolates prefixes that <int_network>
# actually contains - see the IPv6 note in the header.
pass  in on $srv_if  from <srv_network>  to ! <int_network>
pass  in on $srv_if  from <srv_network> to self
pass  in on $srv_if  from <ip6_multic>  to ! <int_network>

# NAT
# IPv4 only; IPv6 is routed natively through the tunnel.
match out on $ext_if inet from <int_network> to any nat-to $ext_if

# Traffic from external networks

# Allow ping to any
pass  in inet  proto icmp  from any to any icmp-type echoreq
pass  in inet6 proto icmp6 from any to any icmp6-type echoreq

# SRV net
#pass  in on $ext_if  inet  proto tcp from any to $extv4 port { 80, 443 } rdr-to $rationell
#pass  in on $ext6_if inet6 proto tcp from any to $rationell6 port { 80, 1443}

# 3dprint01 (mchro)
# Exposes the printer host's ssh and VNC to the whole Internet (IPv4 via port
# forwards 2022->22 and 2059->5900, IPv6 directly). VNC's built-in
# authentication is typically weak and the session unencrypted; prefer
# reaching 5900 through the ssh forward and dropping the 2059/5900 rules, or
# at least restrict the source addresses.
pass  in on $ext_if  inet  proto tcp from any   to $extv4 port 2022 rdr-to $3dprint01 port 22
pass  in on $ext_if  inet  proto tcp from any   to $extv4 port 2059 rdr-to $3dprint01 port 5900
pass  in on $ext6_if inet6 proto tcp from any   to $3dprint016 port {22, 5900}

# sw1 sw2 (Georg)
# SNMP (udp 161 in practice) from the management hosts to the switches only.
# If the switches speak v1/v2c the community string crosses the tunnel in
# clear text. <gip>'s IPv4 entries are irrelevant on the IPv6-only $ext6_if.
pass in on $ext6_if proto { tcp, udp } from <gip> to <switches> port 161
# NOTE(review): $halvm16 is not defined in this listing - see the header.
pass in on $ext6_if proto { tcp, udp } from <gip> to $halvm16 port 161
