infrastruktur:it-services:netvaerk:firewall [2012/03/30 13:40] – Georg Sluyterman | infrastruktur:it-services:netvaerk:firewall [2014/09/17 21:24] – Georg Sluyterman | ||
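--- a/infrastruktur:it-services:netvaerk:firewall
+++ b/infrastruktur:it-services:netvaerk:firewall
+===== antonius.hal9k.dk =====
+* Services: Firewall / packet filter
+* Jern: Virtuel på halvm1
+* OS: OpenBSD
+* Ansvarlig/
+** Overordnede bemærkninger **
+
+//Denne side er begrænset til læsning for almindelige brugere.//
+
+Der tages ikke backup af hosten. Ved ændringer i konfigurationsfiler (typisk /
+
+Mht. logning ifølge logningsbekendtgørelsen har ITST svaret at vi ikke er omfattet.
+
+**Konfigurationsfiler**
+
+/
+<
+if [ -x /
+echo -n ' aiccu'
+/
+fi
+</
+
+install aiccu (pkg_add aiccu)
+
+net-snmpd
+<
+pkg_add net-snmp
+</
+
+Enable in rc.conf
+
+Conf in /
+
+
+/
+<
+net.inet.ip.forwarding=1
+net.inet6.ip6.forwarding=1
+</
+
+/
+<
+description '
+dhcp
+</
+
+/
+<
+description '
+inet 10.42.2.1 255.255.255.0
+inet6 2001:
+</
+
+/
+<
+description '
+inet 10.42.3.1 255.255.255.0
+inet6 2001:
+</
+
+/
+<
+description '
+inet 10.42.4.1 255.255.255.0
+inet6 2001:
+</
+
+/
+<
+description 'BMX network'
+inet 10.42.5.1 255.255.255.0
+inet6 2001:
+</
+
+For /
+<
+PermitRootLogin without-password
+</
+
+/
+<
+em1:\
+:
+
+em2:\
+:
+em4:\
+:
+</
+
+/
+<
+ntpd_flags=
+dhcpd_flags="
+rtadvd_flags="
+ftpproxy_flags=""
+
+</
+
+/
+<
+username GSW2-SIXXS
+password s3cret
+ipv6_interface gif0
+tunnel_id T28389
+verbose false
+daemonize true
+automatic true
+requiretls false
+</
+
+/
+<
+# dhcpd.conf
+#
+
+# option definitions common to all supported networks...
+option domain-name "
+option domain-name-servers 89.233.43.71,
+option ntp-servers 130.225.51.74,
+option time-offset 1;
+default-lease-time 3600;
+max-lease-time 7200;
+# filename "
+# next-server 10.42.4.42;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+##
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+##
+
+#Wireless network
+subnet 10.42.2.0 netmask 255.255.255.0 {
+range 10.42.2.100 10.42.2.254;
+option routers 10.42.2.1;
+}
+
+#host example.hal9k.dk {
+#
+#
+#}
+
+#Cabled network
+subnet 10.42.3.0 netmask 255.255.255.0 {
+range 10.42.3.100 10.42.3.254;
+option routers 10.42.3.1;
+
+#
+# get-lease-hostnames true;
+option subnet-mask 255.255.255.0;
+option root-path "/
+#if substring( option vendor-class-identifier,
+#
+#} else {
+# filename "/
+#}
+
+host printer1.hal9k.dk {
+hardware ethernet 00:
+fixed-address 10.42.3.12;
+}
+host halcam1.hal9k.dk {
+hardware ethernet 80:
+fixed-address 10.42.3.20;
+}
+host halcam2.hal9k.dk {
+hardware ethernet 80:
+fixed-address 10.42.3.21;
+}
+host halcam3.hal9k.dk {
+hardware ethernet 80:
+fixed-address 10.42.3.22;
+}
+host halcam4.hal9k.dk {
+hardware ethernet 80:
+fixed-address 10.42.3.23;
+}
+host halcam5.hal9k.dk {
+hardware ethernet 80:
+fixed-address 10.42.3.24;
+}
+host halcam6.hal9k.dk {
+hardware ethernet 80:
+fixed-address 10.42.3.25;
+}
+
+
+}
+
+#host example2.hal9k.dk {
+#
+#
+#}
+
+#BMX network
+subnet 10.42.5.0 netmask 255.255.255.0 {
+range 10.42.5.100 10.42.5.254;
+option routers 10.42.5.1;
+}
+</
+
+/
+<
+# Rules for HAL9k. Last edited by sman 2013-08-15
+
+### Macros ###
+ext_if
+ext6_if = "
+wlan_if = "
+clan_if = "
+srv_if
+bmx_if
+extv4 = "
+
+# SRV hosts
+3dprint01
+3dprint016 = "
+
+### Tables ###
+table <
+table <
+table <
+table <
+table <
+table <
+table <
+table <
+table <
+
+
+### Options ###
+set skip on lo
+set limit states 100000
+# Make AFS happy (call-backs)
+set timeout udp.first
+set timeout udp.single
+set timeout udp.multiple 600
+
+### Traffic Normalization ###
+match in all scrub (no-df)
+
+### Queueing ###
+
+### Translation ###
+anchor "
+
+### Packet filtering ###
+# Deny everything - first match
+block in log all
+pass out
+#TEMP
+pass in proto udp from <
+
+block in log quick from urpf-failed
+pass in quick on $ext_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
+
+# Allow ssh, www and dhcp to self
+pass in proto {tcp,udp} from any to any port 67:68 # update this line..
+pass in on $ext_if proto tcp from any to $extv4 port { ssh, 8573 }
+pass in on $ext6_if proto tcp from any to <
+pass in proto tcp from any to <
+
+# Traffic from internal networks
+pass in on $wlan_if from <
+pass in on $wlan_if from <
+block in log on $wlan_if proto tcp from <
+pass in on $clan_if from <
+pass in on $clan_if from <
+pass in on $bmx_if
+pass in on $bmx_if
+block in log on $bmx_if
+pass in on $srv_if
+pass in on $srv_if
+pass in on $srv_if
+
+# NAT
+match out on $ext_if inet from <
+
+# Traffic from external networks
+
+# Allow ping to any
+pass in inet proto icmp from any to any icmp-type echoreq
+pass in inet6 proto icmp6 from any to any icmp6-type echoreq
+
+# SRV net
+#pass in on $ext_if
+#pass in on $ext6_if inet6 proto tcp from any to $rationell6 port { 80, 1443}
+
+# 3dprint01 (mchro)
+pass in on $ext_if
+pass in on $ext_if
+pass in on $ext6_if inet6 proto tcp from any to $3dprint016 port {22, 5900}
+
+# sw1 sw2 (Georg)
+pass in on $ext6_if proto { tcp, udp } from <gip> to <
+pass in on $ext6_if proto { tcp, udp } from <gip> to $halvm16 port 161
+</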
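Review bot: The aiccu.conf block records the SIXXS tunnel credential verbatim (`password s3cret` directly under `username GSW2-SIXXS`), and the note at the top of the page says — as I read the Danish — that ordinary users can read this page, so the secret is exposed to every wiki reader and is now also in the page history. Unless that value is a placeholder, rotate the tunnel password and replace the line with a pointer such as `password <kept in /etc/aiccu.conf on the host, not on the wiki>`. Separately, in the pf.conf block the rule `pass in proto {tcp,udp} from any to any port 67:68 # update this line..` is bound to no interface and no destination, so DHCP/BOOTP packets arriving on $ext_if are accepted too, which the author's own comment already flags as unfinished; binding it to the interfaces dhcpd.conf actually serves, e.g. `pass in on { $wlan_if, $clan_if, $bmx_if } inet proto udp from any to any port 67:68`, keeps the "dhcp to self" intent without opening the external side. The interface macros and most table definitions on this page are truncated by the extraction, so I cannot confirm which tables the internal-network rules reference.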