infrastruktur:it-services:netvaerk:firewall

infrastruktur:it-services:netvaerk:firewall [2013/03/19 23:03] Georg Sluytermaninfrastruktur:it-services:netvaerk:firewall [2014/09/17 21:24] Georg Sluyterman
Line 1: Line 1:
 +===== antonius.hal9k.dk =====
 +  * Services: Firewall / packet filter
 +  * Jern: Virtuel på halvm1
 +  * OS: OpenBSD
 +  * Ansvarlig/kontaktperson: [[members:sman]], [[members:jbr]]
  
 +** Overordnede bemærkninger **
 +
 +//Denne side er begrænset til læsning for almindelige brugere.//
 +
 +Der tages ikke backup af hosten. Ved ændringer i konfigurationsfiler (typisk /etc/pf.conf) opdateres denne side (dog indsættes adgangskoden til SIXXS ikke for konfigurationen for AICCU :).
 +
 +Mht. logning ifølge logningsbekendtgørelsen har ITST svaret at vi ikke er omfattet.
 +
 +**Konfigurationsfiler**
 +
 +/etc/rc.local (add):
 +<code>
 +if [ -x /usr/local/sbin/aiccu -a -f /etc/aiccu.conf ]; then
 +        echo -n ' aiccu'
 +        /usr/local/sbin/aiccu start
 +fi
 +</code>
 +
 +install aiccu (pkg_add aiccu)
 +
 +net-snmpd
 +<code>
 +pkg_add net-snmp
 +</code>
 +
 +Enable in rc.conf
 +
 +Conf in /etc/snmp/snmpd.conf
 +
 +
 +/etc/sysctl.conf
 +<code>
 +net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
 +net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets
 +</code>
 +
 +/etc/hostname.em0 
 +<code>
 +description 'outside'
 +dhcp
 +</code>
 +
 +/etc/hostname.em1
 +<code>
 +description 'Wireless network'
 +inet 10.42.2.1 255.255.255.0
 +inet6 2001:16d8:dd56:2::1 64
 +</code>
 +
 +/etc/hostname.em2
 +<code>
 +description 'Cabled network'
 +inet 10.42.3.1 255.255.255.0
 +inet6 2001:16d8:dd56:3::1 64
 +</code>
 +
 +/etc/hostname.em3
 +<code>
 +description 'Server network'
 +inet 10.42.4.1 255.255.255.0
 +inet6 2001:16d8:dd56:4::1 64
 +</code>
 +
 +/etc/hostname.em4
 +<code>
 +description 'BMX network'
 +inet 10.42.5.1 255.255.255.0
 +inet6 2001:16d8:dd56:5::1 64
 +</code>
 +
 +For /etc/ssh/sshd_config ret:
 +<code>
 +PermitRootLogin without-password
 +</code>
 +
 +/etc/rtadvd.conf
 +<code>
 +em1:\
 +        :addr="2001:16d8:dd56:2::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
 +
 +em2:\
 +        :addr="2001:16d8:dd56:3::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
 +em4:\
 +        :addr="2001:16d8:dd56:5::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
 +</code>
 +
 +/etc/rc.conf.local
 +<code>
 +ntpd_flags=             # enabled during install
 +dhcpd_flags="em1 em2 em4"
 +rtadvd_flags="em1 em2 em4"
 +ftpproxy_flags=""
 +
 +</code>
 +
 +/etc/aiccu.conf
 +<code>
 +username GSW2-SIXXS
 +password s3cret
 +ipv6_interface gif0
 +tunnel_id T28389
 +verbose false
 +daemonize true
 +automatic true
 +requiretls false
 +</code>
 +
 +/etc/dhcpd.conf
 +<code>
 +# dhcpd.conf
 +#
 +
 +# option definitions common to all supported networks...
 +option domain-name "hal9k.dk";
 +option domain-name-servers 89.233.43.71, 89.104.194.142;
 +option ntp-servers 130.225.51.74, 130.225.51.85, 130.225.51.73;
 +option time-offset 1;
 +default-lease-time 3600;
 +max-lease-time 7200;
 +#  filename "pxelinux.0";
 +#  next-server 10.42.4.42;
 +
 +# If this DHCP server is the official DHCP server for the local
 +# network, the authoritative directive should be uncommented.
 +authoritative;
 +
 +##ddns-update-style none;
 +
 +# Use this to send dhcp log messages to a different log file (you also
 +# have to hack syslog.conf to complete the redirection).
 +##log-facility local7;
 +
 +#Wireless network
 +subnet 10.42.2.0 netmask 255.255.255.0 {
 +  range 10.42.2.100 10.42.2.254;
 +  option routers 10.42.2.1;
 +}
 +
 +#host example.hal9k.dk {
 +#   hardware ethernet 00:00:f3:00:00:33;
 +#   fixed-address 10.42.2.10;
 +#}
 +
 +#Cabled network
 +subnet 10.42.3.0 netmask 255.255.255.0 {
 +  range 10.42.3.100 10.42.3.254;
 +  option routers 10.42.3.1;
 +
 +  #next-server 10.42.4.9;
 +  #    get-lease-hostnames true;
 +  option subnet-mask 255.255.255.0;
 +  option root-path "/opt/ltsp/i386";
 +  #if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
 +  #   filename "/ltsp/i386/pxelinux.0";
 +  #} else {
 +  #    filename "/ltsp/i386/nbi.img";
 +  #}
 +
 +  host printer1.hal9k.dk {
 +    hardware ethernet 00:00:f0:a9:c7:0f;
 +    fixed-address 10.42.3.12;
 +  }
 +  host halcam1.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:ef:c5;
 +    fixed-address 10.42.3.20;
 +  }
 +  host halcam2.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:ef:be;
 +    fixed-address 10.42.3.21;
 +  }
 +  host halcam3.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:e6:60;
 +    fixed-address 10.42.3.22;
 +  }
 +  host halcam4.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:e6:3c;
 +    fixed-address 10.42.3.23;
 +  }
 +  host halcam5.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:ef:cc;
 +    fixed-address 10.42.3.24;
 +  }
 +  host halcam6.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:ef:bd;
 +    fixed-address 10.42.3.25;
 +  }
 +
 +
 +}
 +
 +#host example2.hal9k.dk {
 +#   hardware ethernet 00:00:f3:00:00:33;
 +#   fixed-address 10.42.3.10;
 +#}
 +
 +#BMX network
 +subnet 10.42.5.0 netmask 255.255.255.0 {
 +  range 10.42.5.100 10.42.5.254;
 +  option routers 10.42.5.1;
 +}
 +</code>
 +
 +/etc/pf.conf
 +<code>                                                                                     
 +# Rules for HAL9k. Last edited by sman 2013-08-15
 +
 +### Macros ###
 +ext_if  = "em0"
 +ext6_if = "tun0"
 +wlan_if = "em1"
 +clan_if = "em2"
 +srv_if  = "em3"
 +bmx_if  = "em4"
 +extv4   = "95.166.117.167"
 +
 +# SRV hosts
 +3dprint01  = "10.42.4.11"
 +3dprint016 = "2001:16d8:dd56:4::11"
 +
 +### Tables ###
 +table <wlan_network> const { 10.42.2.0/24, 2001:16d8:dd56:2::/64 }
 +table <clan_network> const { 10.42.3.0/24, 2001:16d8:dd56:3::/64 }
 +table <srv_network>  const { 10.42.4.0/24, 2001:16d8:dd56:4::/64 }
 +table <bmx_network>  const { 10.42.5.0/24, 2001:16d8:dd56:5::/64 }
 +table <int_network>  const { 10.0.0.0/8, 2001:16d8:dd6e::/48 }
 +table <ip6_multic>   const { fe80::/10, ff00::/8 }
 +table <ext_addr>     const { 95.166.117.167, 2001:16d8:dd00:a1::2 }
 +table <switches>     const { 2001:16d8:dd56:4::2, 2001:16d8:dd56:4::3 }
 +table <gip>          const { 130.225.254.108, 90.185.56.186, 77.243.53.201, 77.243.53.195, 2a03:dc80:0:f156::1003, 2a03:dc80:0:f101::5 2001:16d8:dd6a:231::5 } 
 +
 +
 +### Options ###
 +set skip on lo
 +set limit states 100000
 +# Make AFS happy (call-backs)
 +set timeout udp.first    600
 +set timeout udp.single   600
 +set timeout udp.multiple 600
 +
 +### Traffic Normalization ###
 +match in all scrub (no-df)
 +
 +### Queueing ###
 +
 +### Translation ###
 +anchor "ftp-proxy/*"
 +
 +### Packet filtering ###
 +# Deny everything - first match
 +block in log all
 +pass out
 +#TEMP
 +pass in proto udp from <srv_network> to <clan_network>
 +
 +block in log quick from urpf-failed
 +pass  in quick on $ext_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
 +
 +# Allow ssh, www and dhcp to self
 +pass  in proto {tcp,udp} from any to any port 67:68 # update this line..
 +pass  in on $ext_if proto tcp from any to $extv4 port { ssh, 8573 }
 +pass  in on $ext6_if proto tcp from any to <ext_addr> port { ssh, 8573 }
 +pass  in proto tcp from any to <ext_addr> port 80
 +
 +# Traffic from internal networks
 +pass  in on $wlan_if from <wlan_network> to any
 +pass  in on $wlan_if from <ip6_multic> to any
 +block in log on $wlan_if proto tcp from <wlan_network> to any port 25
 +pass  in on $clan_if from <clan_network> to any
 +pass  in on $clan_if from <ip6_multic> to any
 +pass  in on $bmx_if  from <bmx_network> to any
 +pass  in on $bmx_if  from <ip6_multic> to any
 +block in log on $bmx_if  proto tcp from <bmx_network> to any port 25
 +pass  in on $srv_if  from <srv_network>  to ! <int_network>
 +pass  in on $srv_if  from <srv_network> to self
 +pass  in on $srv_if  from <ip6_multic>  to ! <int_network>
 +
 +# NAT
 +match out on $ext_if inet from <int_network> to any nat-to $ext_if
 +
 +# Traffic from external networks
 +
 +# Allow ping to any
 +pass  in inet  proto icmp  from any to any icmp-type echoreq
 +pass  in inet6 proto icmp6 from any to any icmp6-type echoreq
 +
 +# SRV net
 +#pass  in on $ext_if  inet  proto tcp from any to $extv4 port { 80, 443 } rdr-to $rationell
 +#pass  in on $ext6_if inet6 proto tcp from any to $rationell6 port { 80, 1443}
 +
 +# 3dprint01 (mchro)
 +pass  in on $ext_if  inet  proto tcp from any   to $extv4 port 2022 rdr-to $3dprint01 port 22
 +pass  in on $ext_if  inet  proto tcp from any   to $extv4 port 2059 rdr-to $3dprint01 port 5900
 +pass  in on $ext6_if inet6 proto tcp from any   to $3dprint016 port {22, 5900}
 +
 +# sw1 sw2 (Georg)
 +pass in on $ext6_if proto { tcp, udp } from <gip> to <switches> port 161
 +pass in on $ext6_if proto { tcp, udp } from <gip> to $halvm16 port 161
 +</code>
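Review bot: The final rule in /etc/pf.conf, `pass in on $ext6_if proto { tcp, udp } from <gip> to $halvm16 port 161`, references `$halvm16`, but the Macros block as shown on the page defines only ext_if … extv4, 3dprint01 and 3dprint016, so pfctl would refuse to load this ruleset with an undefined-macro error; either add `halvm16 = "<halvm1-ipv6-address>"` under `# SRV hosts` or drop the rule. The DHCP line `pass in proto {tcp,udp} from any to any port 67:68 # update this line..` is bound to no interface and therefore also admits DHCP traffic arriving on $ext_if and $ext6_if, which nothing on this host serves; `pass in on { $wlan_if $clan_if $bmx_if } proto udp from any to any port 67:68` limits it to the interfaces listed in dhcpd_flags. Separately, /etc/aiccu.conf sets `ipv6_interface gif0` while pf.conf has `ext6_if = "tun0"` — if both are meant to name the same tunnel interface, one of them is presumably stale and the rules on $ext6_if would match nothing. The `#TEMP` rule `pass in proto udp from <srv_network> to <clan_network>` also bypasses the srv-to-internal restriction further down and carries no date or reason; a comment such as `# TEMP (why, by whom, remove after <date>)` would keep it from becoming permanent by accident.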
Permalink infrastruktur/it-services/netvaerk/firewall.txt · Last modified: 2022/01/27 16:36 by Torsten Martinsen
