infrastruktur:it-services:netvaerk:firewall [2014/07/03 22:14] Georg Sluytermaninfrastruktur:it-services:netvaerk:firewall [2014/09/17 21:24] Georg Sluyterman
Line 1: Line 1:
 +===== antonius.hal9k.dk =====
 +  * Services: Firewall / packet filter
 +  * Jern: Virtuel på halvm1
 +  * OS: OpenBSD
 +  * Ansvarlig/kontaktperson: [[members:sman]], [[members:jbr]]
  
 +** Overordnede bemærkninger **
 +
 +//Denne side er begrænset til læsning for almindelige brugere.//
 +
 +Der tages ikke backup af hosten. Ved ændringer i konfigurationsfiler (typisk /etc/pf.conf) opdateres denne side (dog indsættes adgangskoden til SIXXS ikke for konfigurationen for AICCU :).
 +
 +Mht. logning ifølge logningsbekendtgørelsen har ITST svaret at vi ikke er omfattet.
 +
 +**Konfigurationsfiler**
 +
 +/etc/rc.local (add):
 +<code>
 +if [ -x /usr/local/sbin/aiccu -a -f /etc/aiccu.conf ]; then
 +        echo -n ' aiccu'
 +        /usr/local/sbin/aiccu start
 +fi
 +</code>
 +
 +install aiccu (pkg_add aiccu)
 +
 +net-snmpd
 +<code>
 +pkg_add net-snmp
 +</code>
 +
 +Enable in rc.conf
 +
 +Conf in /etc/snmp/snmpd.conf
 +
 +
 +/etc/sysctl.conf
 +<code>
 +net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
 +net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets
 +</code>
 +
 +/etc/hostname.em0 
 +<code>
 +description 'outside'
 +dhcp
 +</code>
 +
 +/etc/hostname.em1
 +<code>
 +description 'Wireless network'
 +inet 10.42.2.1 255.255.255.0
 +inet6 2001:16d8:dd56:2::1 64
 +</code>
 +
 +/etc/hostname.em2
 +<code>
 +description 'Cabled network'
 +inet 10.42.3.1 255.255.255.0
 +inet6 2001:16d8:dd56:3::1 64
 +</code>
 +
 +/etc/hostname.em3
 +<code>
 +description 'Server network'
 +inet 10.42.4.1 255.255.255.0
 +inet6 2001:16d8:dd56:4::1 64
 +</code>
 +
 +/etc/hostname.em4
 +<code>
 +description 'BMX network'
 +inet 10.42.5.1 255.255.255.0
 +inet6 2001:16d8:dd56:5::1 64
 +</code>
 +
 +For /etc/ssh/sshd_config ret:
 +<code>
 +PermitRootLogin without-password
 +</code>
 +
 +/etc/rtadvd.conf
 +<code>
 +em1:\
 +        :addr="2001:16d8:dd56:2::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
 +
 +em2:\
 +        :addr="2001:16d8:dd56:3::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
 +em4:\
 +        :addr="2001:16d8:dd56:5::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
 +</code>
 +
 +/etc/rc.conf.local
 +<code>
 +ntpd_flags=             # enabled during install
 +dhcpd_flags="em1 em2 em4"
 +rtadvd_flags="em1 em2 em4"
 +ftpproxy_flags=""
 +
 +</code>
 +
 +/etc/aiccu.conf
 +<code>
 +username GSW2-SIXXS
 +password s3cret
 +ipv6_interface gif0
 +tunnel_id T28389
 +verbose false
 +daemonize true
 +automatic true
 +requiretls false
 +</code>
 +
 +/etc/dhcpd.conf
 +<code>
 +# dhcpd.conf
 +#
 +
 +# option definitions common to all supported networks...
 +option domain-name "hal9k.dk";
 +option domain-name-servers 89.233.43.71, 89.104.194.142;
 +option ntp-servers 130.225.51.74, 130.225.51.85, 130.225.51.73;
 +option time-offset 1;
 +default-lease-time 3600;
 +max-lease-time 7200;
 +#  filename "pxelinux.0";
 +#  next-server 10.42.4.42;
 +
 +# If this DHCP server is the official DHCP server for the local
 +# network, the authoritative directive should be uncommented.
 +authoritative;
 +
 +##ddns-update-style none;
 +
 +# Use this to send dhcp log messages to a different log file (you also
 +# have to hack syslog.conf to complete the redirection).
 +##log-facility local7;
 +
 +#Wireless network
 +subnet 10.42.2.0 netmask 255.255.255.0 {
 +  range 10.42.2.100 10.42.2.254;
 +  option routers 10.42.2.1;
 +}
 +
 +#host example.hal9k.dk {
 +#   hardware ethernet 00:00:f3:00:00:33;
 +#   fixed-address 10.42.2.10;
 +#}
 +
 +#Cabled network
 +subnet 10.42.3.0 netmask 255.255.255.0 {
 +  range 10.42.3.100 10.42.3.254;
 +  option routers 10.42.3.1;
 +
 +  #next-server 10.42.4.9;
 +  #    get-lease-hostnames true;
 +  option subnet-mask 255.255.255.0;
 +  option root-path "/opt/ltsp/i386";
 +  #if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
 +  #   filename "/ltsp/i386/pxelinux.0";
 +  #} else {
 +  #    filename "/ltsp/i386/nbi.img";
 +  #}
 +
 +  host printer1.hal9k.dk {
 +    hardware ethernet 00:00:f0:a9:c7:0f;
 +    fixed-address 10.42.3.12;
 +  }
 +  host halcam1.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:ef:c5;
 +    fixed-address 10.42.3.20;
 +  }
 +  host halcam2.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:ef:be;
 +    fixed-address 10.42.3.21;
 +  }
 +  host halcam3.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:e6:60;
 +    fixed-address 10.42.3.22;
 +  }
 +  host halcam4.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:e6:3c;
 +    fixed-address 10.42.3.23;
 +  }
 +  host halcam5.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:ef:cc;
 +    fixed-address 10.42.3.24;
 +  }
 +  host halcam6.hal9k.dk {
 +    hardware ethernet 80:1f:02:8b:ef:bd;
 +    fixed-address 10.42.3.25;
 +  }
 +
 +
 +}
 +
 +#host example2.hal9k.dk {
 +#   hardware ethernet 00:00:f3:00:00:33;
 +#   fixed-address 10.42.3.10;
 +#}
 +
 +#BMX network
 +subnet 10.42.5.0 netmask 255.255.255.0 {
 +  range 10.42.5.100 10.42.5.254;
 +  option routers 10.42.5.1;
 +}
 +</code>
 +
 +/etc/pf.conf
 +<code>                                                                                     
 +# Rules for HAL9k. Last edited by sman 2013-08-15
 +
 +### Macros ###
 +ext_if  = "em0"
 +ext6_if = "tun0"
 +wlan_if = "em1"
 +clan_if = "em2"
 +srv_if  = "em3"
 +bmx_if  = "em4"
 +extv4   = "95.166.117.167"
 +
 +# SRV hosts
 +3dprint01  = "10.42.4.11"
 +3dprint016 = "2001:16d8:dd56:4::11"
 +
 +### Tables ###
 +table <wlan_network> const { 10.42.2.0/24, 2001:16d8:dd56:2::/64 }
 +table <clan_network> const { 10.42.3.0/24, 2001:16d8:dd56:3::/64 }
 +table <srv_network>  const { 10.42.4.0/24, 2001:16d8:dd56:4::/64 }
 +table <bmx_network>  const { 10.42.5.0/24, 2001:16d8:dd56:5::/64 }
 +table <int_network>  const { 10.0.0.0/8, 2001:16d8:dd6e::/48 }
 +table <ip6_multic>   const { fe80::/10, ff00::/8 }
 +table <ext_addr>     const { 95.166.117.167, 2001:16d8:dd00:a1::2 }
 +table <switches>     const { 2001:16d8:dd56:4::2, 2001:16d8:dd56:4::3 }
 +table <gip>          const { 130.225.254.108, 90.185.56.186, 77.243.53.201, 77.243.53.195, 2a03:dc80:0:f156::1003, 2a03:dc80:0:f101::5 2001:16d8:dd6a:231::5 } 
 +
 +
 +### Options ###
 +set skip on lo
 +set limit states 100000
 +# Make AFS happy (call-backs)
 +set timeout udp.first    600
 +set timeout udp.single   600
 +set timeout udp.multiple 600
 +
 +### Traffic Normalization ###
 +match in all scrub (no-df)
 +
 +### Queueing ###
 +
 +### Translation ###
 +anchor "ftp-proxy/*"
 +
 +### Packet filtering ###
 +# Deny everything - first match
 +block in log all
 +pass out
 +#TEMP
 +pass in proto udp from <srv_network> to <clan_network>
 +
 +block in log quick from urpf-failed
 +pass  in quick on $ext_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
 +
 +# Allow ssh, www and dhcp to self
 +pass  in proto {tcp,udp} from any to any port 67:68 # update this line..
 +pass  in on $ext_if proto tcp from any to $extv4 port { ssh, 8573 }
 +pass  in on $ext6_if proto tcp from any to <ext_addr> port { ssh, 8573 }
 +pass  in proto tcp from any to <ext_addr> port 80
 +
 +# Traffic from internal networks
 +pass  in on $wlan_if from <wlan_network> to any
 +pass  in on $wlan_if from <ip6_multic> to any
 +block in log on $wlan_if proto tcp from <wlan_network> to any port 25
 +pass  in on $clan_if from <clan_network> to any
 +pass  in on $clan_if from <ip6_multic> to any
 +pass  in on $bmx_if  from <bmx_network> to any
 +pass  in on $bmx_if  from <ip6_multic> to any
 +block in log on $bmx_if  proto tcp from <bmx_network> to any port 25
 +pass  in on $srv_if  from <srv_network>  to ! <int_network>
 +pass  in on $srv_if  from <srv_network> to self
 +pass  in on $srv_if  from <ip6_multic>  to ! <int_network>
 +
 +# NAT
 +match out on $ext_if inet from <int_network> to any nat-to $ext_if
 +
 +# Traffic from external networks
 +
 +# Allow ping to any
 +pass  in inet  proto icmp  from any to any icmp-type echoreq
 +pass  in inet6 proto icmp6 from any to any icmp6-type echoreq
 +
 +# SRV net
 +#pass  in on $ext_if  inet  proto tcp from any to $extv4 port { 80, 443 } rdr-to $rationell
 +#pass  in on $ext6_if inet6 proto tcp from any to $rationell6 port { 80, 1443}
 +
 +# 3dprint01 (mchro)
 +pass  in on $ext_if  inet  proto tcp from any   to $extv4 port 2022 rdr-to $3dprint01 port 22
 +pass  in on $ext_if  inet  proto tcp from any   to $extv4 port 2059 rdr-to $3dprint01 port 5900
 +pass  in on $ext6_if inet6 proto tcp from any   to $3dprint016 port {22, 5900}
 +
 +# sw1 sw2 (Georg)
 +pass in on $ext6_if proto { tcp, udp } from <gip> to <switches> port 161
 +pass in on $ext6_if proto { tcp, udp } from <gip> to $halvm16 port 161
 +</code>
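Review bot: The pf ruleset in this revision references `$halvm16` in its last rule, `pass in on $ext6_if proto { tcp, udp } from <gip> to $halvm16 port 161`, but no `halvm16` macro is defined in the Macros section, so `pfctl -f /etc/pf.conf` will refuse to load the whole ruleset; either add a `halvm16 = "2001:16d8:dd56:4::…"` line next to the 3dprint macros or drop the rule. The `<int_network>` table uses the prefix `2001:16d8:dd6e::/48` while every internal interface is configured under `2001:16d8:dd56::/48`, so the `from <srv_network> to ! <int_network>` restriction does not cover IPv6 traffic from the server network to the other internal networks — presumably a typo, worth confirming. The intro says the SIXXS password is deliberately left out of this page, yet the `/etc/aiccu.conf` listing carries `password s3cret` together with `requiretls false`; if `s3cret` is a placeholder, mark it as one (`password <redacted>`), and consider `requiretls true` so the tunnel credentials are not sent in clear. `PermitRootLogin without-password` combined with `pass in on $ext_if proto tcp from any to $extv4 port { ssh, 8573 }` exposes key-based root SSH to the Internet; the page should state that this is intentional and that `PasswordAuthentication no` is set, or restrict the rule to a source table. The `#TEMP` rule and the DHCP rule commented `update this line..` both match on every interface including `$ext_if`; restrict them with `on { $wlan_if $clan_if $bmx_if }` or remove the temporary one.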