


antonius.hal9k.dk

Overordnede bemærkninger

Denne side er begrænset til læsning for almindelige brugere.

Der tages ikke backup af hosten. Ved ændringer i konfigurationsfiler (typisk /etc/pf.conf) opdateres denne side (dog indsættes adgangskoden til SIXXS fra AICCU-konfigurationen ikke :).

Mht. logning ifølge logningsbekendtgørelsen har ITST svaret at vi ikke er omfattet.

Konfigurationsfiler

/etc/rc.local (add):

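# Start the aiccu (SIXXS) tunnel client at boot, but only when both the
# binary and its config file exist.  Two separate tests are used instead of
# the single "-a" form, which POSIX marks obsolescent and which is ambiguous
# with more than four operands.
if [ -x /usr/local/sbin/aiccu ] && [ -f /etc/aiccu.conf ]; then
        echo -n ' aiccu'
        /usr/local/sbin/aiccu start
fi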

install aiccu (pkg_add aiccu)

net-snmpd

pkg_add net-snmp

Enable in rc.conf

Conf in /etc/snmp/snmpd.conf

/etc/sysctl.conf

# This host routes between em0..em4 and the IPv6 tunnel, so forwarding must
# be on for both address families.  Once it is on, /etc/pf.conf is what
# decides which traffic may cross between the networks.
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets

/etc/hostname.em0

description 'outside'
dhcp

/etc/hostname.em1

description 'Wireless network'
inet 10.42.2.1 255.255.255.0
inet6 2001:16d8:dd56:2::1 64

/etc/hostname.em2

description 'Cabled network'
inet 10.42.3.1 255.255.255.0
inet6 2001:16d8:dd56:3::1 64

/etc/hostname.em3

description 'Server network'
inet 10.42.4.1 255.255.255.0
inet6 2001:16d8:dd56:4::1 64

/etc/hostname.em4

description 'BMX network'
inet 10.42.5.1 255.255.255.0
inet6 2001:16d8:dd56:5::1 64

I /etc/ssh/sshd_config rettes:

PermitRootLogin without-password

/etc/rtadvd.conf

# Router advertisements for the three client networks (same interfaces as
# rtadvd_flags in /etc/rc.conf.local).  Each entry advertises the /64 from the
# matching /etc/hostname.emN file; em3 (server net) deliberately has no entry
# here, so its hosts do not autoconfigure.
# NOTE(review): vltime=300 is a short valid lifetime; hosts drop the prefix
# five minutes after the last advertisement is seen -- confirm that is intended.
em1:\
        :addr="2001:16d8:dd56:2::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:

em2:\
        :addr="2001:16d8:dd56:3::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
em4:\
        :addr="2001:16d8:dd56:5::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:

/etc/rc.conf.local

# An empty value enables the daemon with its default flags (only NO disables).
ntpd_flags=             # enabled during install
# dhcpd and rtadvd are bound to the three client networks only; em3 (server
# net) gets neither, matching the absence of a 10.42.4.0/24 subnet in dhcpd.conf.
dhcpd_flags="em1 em2 em4"
rtadvd_flags="em1 em2 em4"
# ftp-proxy populates the "ftp-proxy/*" anchor referenced in /etc/pf.conf.
ftpproxy_flags=""
# NOTE(review): the net-snmp section above says snmpd is enabled "in rc.conf",
# but no snmpd_flags line appears here -- confirm where it is actually enabled.

/etc/aiccu.conf

# SIXXS / AICCU tunnel settings.  As noted at the top of this page the real
# password is not published here; "s3cret" is a placeholder.
username GSW2-SIXXS
password s3cret
# NOTE(review): /etc/pf.conf below defines ext6_if = "tun0", not gif0 --
# confirm which interface the tunnel actually comes up on and align the two
# files, otherwise the $ext6_if rules never match.
ipv6_interface gif0
tunnel_id T28389
verbose false
daemonize true
automatic true
# NOTE(review): with requiretls false the TIC login (credentials above) may
# proceed without TLS; prefer true unless the broker cannot offer it.
requiretls false

/etc/dhcpd.conf

# dhcpd.conf
#
# Serves the three client networks named in dhcpd_flags (em1 em2 em4).  No
# subnet is declared for the server net 10.42.4.0/24 (em3), consistent with
# dhcpd not listening there.

# option definitions common to all supported networks...
option domain-name "hal9k.dk";
# Resolvers and NTP servers are external addresses, so clients depend on the
# uplink for name resolution and time.
option domain-name-servers 89.233.43.71, 89.104.194.142;
option ntp-servers 130.225.51.74, 130.225.51.85, 130.225.51.73;
option time-offset 1;
default-lease-time 3600;
max-lease-time 7200;
#  filename "pxelinux.0";
#  next-server 10.42.4.42;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

##ddns-update-style none;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
##log-facility local7;

#Wireless network
subnet 10.42.2.0 netmask 255.255.255.0 {
  range 10.42.2.100 10.42.2.254;
  option routers 10.42.2.1;
}

#host example.hal9k.dk {
#   hardware ethernet 00:00:f3:00:00:33;
#   fixed-address 10.42.2.10;
#}

#Cabled network
subnet 10.42.3.0 netmask 255.255.255.0 {
  range 10.42.3.100 10.42.3.254;
  option routers 10.42.3.1;

  #next-server 10.42.4.9;
  #    get-lease-hostnames true;
  # NOTE(review): the mask is already implied by the subnet line; this option
  # and root-path look like leftovers of the commented-out LTSP/PXE setup.
  option subnet-mask 255.255.255.0;
  option root-path "/opt/ltsp/i386";
  #if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
  #   filename "/ltsp/i386/pxelinux.0";
  #} else {
  #    filename "/ltsp/i386/nbi.img";
  #}

  # Static leases: all fixed addresses lie below the dynamic range
  # (.100-.254), so they cannot collide with it.
  host printer1.hal9k.dk {
    hardware ethernet 00:00:f0:a9:c7:0f;
    fixed-address 10.42.3.12;
  }
  host halcam1.hal9k.dk {
    hardware ethernet 80:1f:02:8b:ef:c5;
    fixed-address 10.42.3.20;
  }
  host halcam2.hal9k.dk {
    hardware ethernet 80:1f:02:8b:ef:be;
    fixed-address 10.42.3.21;
  }
  host halcam3.hal9k.dk {
    hardware ethernet 80:1f:02:8b:e6:60;
    fixed-address 10.42.3.22;
  }
  host halcam4.hal9k.dk {
    hardware ethernet 80:1f:02:8b:e6:3c;
    fixed-address 10.42.3.23;
  }
  host halcam5.hal9k.dk {
    hardware ethernet 80:1f:02:8b:ef:cc;
    fixed-address 10.42.3.24;
  }
  host halcam6.hal9k.dk {
    hardware ethernet 80:1f:02:8b:ef:bd;
    fixed-address 10.42.3.25;
  }


}

#host example2.hal9k.dk {
#   hardware ethernet 00:00:f3:00:00:33;
#   fixed-address 10.42.3.10;
#}

#BMX network
subnet 10.42.5.0 netmask 255.255.255.0 {
  range 10.42.5.100 10.42.5.254;
  option routers 10.42.5.1;
}

/etc/pf.conf

                                                                                     
# Rules for HAL9k. Last edited by sman 2013-08-15
#
# NOTE(review): lines marked NOTE(review) were added while reviewing this
# page; no rule text was changed.  Rule order matters: pf evaluates the whole
# ruleset and the last matching rule wins unless a rule says "quick", so
# "block in log all" below is the default and every later "pass in" is an
# exception to it.

### Macros ###
ext_if  = "em0"
# NOTE(review): /etc/aiccu.conf on this page sets ipv6_interface gif0, not
# tun0 -- confirm which interface the tunnel really comes up on; if it is
# gif0, none of the $ext6_if rules below ever match.
ext6_if = "tun0"
wlan_if = "em1"
clan_if = "em2"
srv_if  = "em3"
bmx_if  = "em4"
extv4   = "95.166.117.167"

# SRV hosts
# NOTE(review): pf.conf(5) requires macro names to start with a letter; names
# beginning with a digit may be rejected by pfctl -- confirm this ruleset loads
# as written (e.g. by "pfctl -nf /etc/pf.conf") or rename the two macros.
3dprint01  = "10.42.4.11"
3dprint016 = "2001:16d8:dd56:4::11"

### Tables ###
table <wlan_network> const { 10.42.2.0/24, 2001:16d8:dd56:2::/64 }
table <clan_network> const { 10.42.3.0/24, 2001:16d8:dd56:3::/64 }
table <srv_network>  const { 10.42.4.0/24, 2001:16d8:dd56:4::/64 }
table <bmx_network>  const { 10.42.5.0/24, 2001:16d8:dd56:5::/64 }
# NOTE(review): the IPv6 part of <int_network> is 2001:16d8:dd6e::/48, while
# every per-network table above lives under 2001:16d8:dd56::.  If that is a
# typo, the "to ! <int_network>" srv rules below do not isolate the server
# net from the other internal networks over IPv6 -- confirm the prefix.
table <int_network>  const { 10.0.0.0/8, 2001:16d8:dd6e::/48 }
table <ip6_multic>   const { fe80::/10, ff00::/8 }
table <ext_addr>     const { 95.166.117.167, 2001:16d8:dd00:a1::2 }
table <switches>     const { 2001:16d8:dd56:4::2, 2001:16d8:dd56:4::3 }
# NOTE(review): the last two <gip> entries are separated by a space only; pf
# accepts whitespace-separated lists, but add the comma for consistency.
table <gip>          const { 130.225.254.108, 90.185.56.186, 77.243.53.201, 77.243.53.195, 2a03:dc80:0:f156::1003, 2a03:dc80:0:f101::5 2001:16d8:dd6a:231::5 } 


### Options ###
set skip on lo
set limit states 100000
# Make AFS happy (call-backs)
set timeout udp.first    600
set timeout udp.single   600
set timeout udp.multiple 600

### Traffic Normalization ###
match in all scrub (no-df)

### Queueing ###

### Translation ###
# Filled in at runtime by ftp-proxy(8) (ftpproxy_flags in rc.conf.local);
# the rdr-to rule further down hands FTP control connections to it.
anchor "ftp-proxy/*"

### Packet filtering ###
# Deny everything inbound by default; the pass rules that follow override it
# (last match wins).  Outbound is unrestricted, so the inbound rules are the
# whole policy for traffic crossing this box.
block in log all
pass out
#TEMP
# NOTE(review): temporary rule with no owner or date.  It bypasses the
# server-net isolation enforced below ("to ! <int_network>") for UDP --
# remove it or record why it is still needed.
pass in proto udp from <srv_network> to <clan_network>

block in log quick from urpf-failed
pass  in quick on $ext_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021

# Allow ssh, www and dhcp to self
# NOTE(review): this rule is not bound to an interface, so DHCP is also
# accepted on $ext_if even though dhcpd only serves em1 em2 em4; DHCP is
# UDP only.  Suggested:
#   pass in on { $wlan_if $clan_if $bmx_if } proto udp from any to any port 67:68
pass  in proto {tcp,udp} from any to any port 67:68 # update this line..
# NOTE(review): port 8573 is not named anywhere on this page -- document the service.
pass  in on $ext_if proto tcp from any to $extv4 port { ssh, 8573 }
pass  in on $ext6_if proto tcp from any to <ext_addr> port { ssh, 8573 }
# NOTE(review): unlike the ssh rules this one is not limited to the external
# interfaces; "on { $ext_if $ext6_if }" would make the intent explicit.
pass  in proto tcp from any to <ext_addr> port 80

# Traffic from internal networks
pass  in on $wlan_if from <wlan_network> to any
pass  in on $wlan_if from <ip6_multic> to any
# Outbound SMTP from the wireless and BMX nets is dropped (this block comes
# after the pass above, so it wins).
block in log on $wlan_if proto tcp from <wlan_network> to any port 25
pass  in on $clan_if from <clan_network> to any
pass  in on $clan_if from <ip6_multic> to any
# NOTE(review): the cabled net has no matching port 25 block -- confirm intended.
pass  in on $bmx_if  from <bmx_network> to any
pass  in on $bmx_if  from <ip6_multic> to any
block in log on $bmx_if  proto tcp from <bmx_network> to any port 25
# Server net may reach the outside and this host, but not the other internal networks.
pass  in on $srv_if  from <srv_network>  to ! <int_network>
pass  in on $srv_if  from <srv_network> to self
pass  in on $srv_if  from <ip6_multic>  to ! <int_network>

# NAT
# IPv4 only; applies to every <int_network> source leaving via $ext_if.
match out on $ext_if inet from <int_network> to any nat-to $ext_if

# Traffic from external networks

# Allow ping to any
pass  in inet  proto icmp  from any to any icmp-type echoreq
pass  in inet6 proto icmp6 from any to any icmp6-type echoreq

# SRV net
#pass  in on $ext_if  inet  proto tcp from any to $extv4 port { 80, 443 } rdr-to $rationell
#pass  in on $ext6_if inet6 proto tcp from any to $rationell6 port { 80, 1443}

# 3dprint01 (mchro)
# External 2022 -> ssh and 2059 -> 5900 on the printer host; over IPv6 the
# same two ports are reachable on the host's own address.
# NOTE(review): all three rules accept "from any"; if the set of users is
# known, a source table like <gip> below would narrow the exposure.
pass  in on $ext_if  inet  proto tcp from any   to $extv4 port 2022 rdr-to $3dprint01 port 22
pass  in on $ext_if  inet  proto tcp from any   to $extv4 port 2059 rdr-to $3dprint01 port 5900
pass  in on $ext6_if inet6 proto tcp from any   to $3dprint016 port {22, 5900}

# sw1 sw2 (Georg)
# SNMP (161) to the switches, only from the addresses in <gip>.
pass in on $ext6_if proto { tcp, udp } from <gip> to <switches> port 161
# NOTE(review): $halvm16 is not defined in the Macros section; pfctl refuses
# to load a ruleset that references an undefined macro.  Define it next to
# 3dprint016 or drop this rule.
pass in on $ext6_if proto { tcp, udp } from <gip> to $halvm16 port 161

