
A simple tutorial on building a gateway with FreeBSD using PF, the OpenBSD packet filter; a sample for my friend's thesis at KUKUM. He uses OpenBSD, wooo.. insanely secure... Happy trying. Later I'll add Snort inline, IDS+IPS..
The modem+router has IP 192.168.1.1 and FreeBSD is the second gateway, with two NICs. NIC 1: 192.168.1.5, NIC 2: 192.168.0.1
1. First, add these lines to the kernel config:
device if_bridge #Bridge interface
device pf #PF OpenBSD packet-filter firewall
device pflog #logging support interface for PF
device pfsync #synchronization interface for PF
device carp #Common Address Redundancy Protocol
#device ppp #Point-to-point protocol
#options PPP_BSDCOMP #PPP BSD-compress support
#options PPP_DEFLATE #PPP zlib/deflate/gzip support
#options PPP_FILTER #enable bpf filtering (needs bpf)
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
After recompiling, put these in sysctl.conf:
kern.polling.enable=1
kern.polling.user_frac=50
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.ip.fastforwarding=1
net.inet.ip.forwarding=1
kern.ipc.somaxconn=32768
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
My rc.conf:
defaultrouter="192.168.1.1"
hostname="cikon.com"
ifconfig_rl0="inet 192.168.1.5 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
keymap="us.iso"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup (rc.d already passes -f $pf_rules, so a bare -f here breaks startup)
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
gateway_enable="YES" # Enable as LAN gateway
And here is a simple pf.conf that I lifted from an example... huhuhu
These rules accept two inbound ports and allow all outbound.
pf.conf
#simple pf by syiron
# Macros
ext_if="rl0"
int_if="rl1" # internal NIC: rc.conf above puts 192.168.0.1 on rl1
internal_net="192.168.0.0/24" # the LAN behind NIC 2; 192.168.1.0/24 is the modem side and would never match LAN traffic in the nat rule
external_addr="10.172.1.0/16"
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set loginterface $ext_if
#scrub adubdub
scrub in all
nat on $ext_if from $internal_net to any -> ($ext_if)
#ftp
#rdr on $ext_if proto tcp from any to $external_addr/32 port 21 -> 192.168.0.2 port 21
#transparant proxy, block ie
#rdr on $int_if inet proto tcp from any to ! 192.168.0.1 port 80 -> 127.0.0.1 port 3128
#iax(2)
#rdr on $ext_if proto udp from any to $external_addr/32 port 4569 -> 192.168.0.5 port 4569
# Filtering: the implicit first two rules are
pass in all
pass out all
pass quick on lo0 all
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log all
# last matching rule wins: without this, "block in log all" also drops everything
# arriving on $int_if, so LAN hosts could neither reach nor traverse the gateway
pass in on $int_if from $internal_net to any keep state
#nmap
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
#iax2
pass in on $ext_if proto udp from any to any port 4569 keep state
#http
pass in on $ext_if proto tcp from any to any port 80 keep state
#ftp
pass in on $ext_if proto tcp from any to any port 21 keep state
#ssh
pass in on $ext_if proto tcp from any to any port 22 keep state
#icmp, ping etc
pass in on $ext_if proto icmp all
anchor snort2pf
#allow outbound
#anything really
pass out on $ext_if proto { tcp, udp, icmp } all keep state
Tada!!! Done....
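The easy thing to misread in a ruleset like this is pf's last-match-wins evaluation: `block in log all` comes after `pass in all`, so any packet not explicitly passed by a later rule is dropped, including packets arriving on the inside NIC when no `pass in on $int_if` rule exists (which is what the commenter below runs into). The Python script here is an added example, not code from the original post: it resolves the `$macros`, replays pf's rule walk over a constructed ruleset with the same structure but no LAN-side pass, and shows how that one rule changes the verdict. Addresses and state are not modelled, and the `S/SA` default stands in for a plain SYN.

```python
"""Replay pf's filter walk (last match wins unless quick); added example, addresses ignored."""
import re
# Constructed input: filter rules with the tutorial's structure, macros set to its
# stated topology (rl0 outside, rl1 inside, 192.168.0.0/24), and no LAN-side pass.
TUTORIAL_RULES = """
ext_if="rl0"
int_if="rl1"
internal_net="192.168.0.0/24"
pass in all
block in log all
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
pass in on $ext_if proto tcp from any to any port 22 keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
"""
# The rule that lets the LAN side in at all; appended to the ruleset to compare verdicts.
LAN_PASS_RULE = "pass in on $int_if from $internal_net to any keep state\n"

def _grab(pattern, line):
    found = re.search(pattern, line)
    return found.group(1) if found else None

def parse_rules(text):
    # Resolve $macros and keep pass/block lines; set/scrub/nat/rdr/anchor are skipped.
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line.startswith(("pass ", "block ")):
            line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
            toks, protos = line.split(), _grab(r"proto\s*(\{[^}]*\}|\S+)", line)
            rules.append({"action": toks[0], "quick": "quick" in toks, "text": line,
                          "dir": next((t for t in toks if t in ("in", "out")), None),
                          "on": _grab(r"\bon\s+(\S+)", line), "port": _grab(r"\bport\s+(\d+)", line),
                          "flags": _grab(r"\bflags\s+(\S+)", line),
                          "protos": set(re.findall(r"\w+", protos)) if protos else None})
    return rules

def verdict(rules, iface, direction, proto, dport, flags="S/SA"):
    # Return (action, rule text) for one packet, walking the rules the way pf does.
    winner = None
    for r in rules:
        if (r["dir"] not in (None, direction) or r["on"] not in (None, iface)
                or (r["protos"] and proto not in r["protos"])
                or r["port"] not in (None, str(dport))
                or r["flags"] not in (None, flags)):
            continue
        winner = r
        if r["quick"]: break
    return (winner["action"], winner["text"]) if winner else ("pass", "(default)")
```

Calling `verdict(parse_rules(TUTORIAL_RULES), "rl1", "in", "tcp", 443)` returns the `block in log all` verdict for a LAN client's connection, while the same call over `TUTORIAL_RULES + LAN_PASS_RULE` returns pass.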
March 29, 2007 at 5:03 am |
wow! ..cool, bro..salute ^:)^
June 28, 2007 at 2:56 am |
masyaAllah syiron.. BSD is great.. alhamdulillah, you can teach me later :)
anyway BSD really rocks!!
June 28, 2007 at 2:58 am |
oi Nuar.. which Nuar is this.. suddenly popping up here.. how did you find my blog?
July 28, 2008 at 2:46 pm |
I need your help, please help me on this topic
I need your help, thank you for helping me on this subject
what is your language? please! thank you
Mahmoud
Tunisia
July 28, 2008 at 3:34 pm |
hi Mahmoud. I use the Malay language. how can I help you?
July 28, 2008 at 10:01 pm |
First of all, sorry for my English, and thank you for your job.
I am new to FreeBSD 7 and I want to do exactly what you describe in this tutorial.
This is my configuration: modem+router IP 192.168.1.1
In my FreeBSD the two NICs are fxp0 -> (switch/ADSL router) and xl0 -> (LAN).
fxp0 IP: 192.168.1.65
xl0 IP: 192.168.10.65
My LAN client PC (XP): IP 192.168.10.191, mask 255.255.255.0, gateway 192.168.10.65
I have followed the information provided in your tutorial but this setup does not work; I can't even ping 192.168.1.65 from my client PC!
July 28, 2008 at 10:05 pm |
this is my pf.conf and rc.conf
#simple pf by syiron
# Macros
ext_if="fxp0"
int_if="xl0"
internal_net="192.168.10.0/16"
external_addr="192.168.1.65"
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set loginterface $ext_if
#scrub adubdub
scrub in all
nat on $ext_if from $internal_net to any -> ($ext_if)
#ftp
rdr on $ext_if proto tcp from any to $external_addr/32 port 21 -> 192.168.0.2 port 21
#transparant proxy, block ie
#rdr on $int_if inet proto tcp from any to ! 192.168.0.1 port 80 -> 127.0.0.1 port 3128
#iax(2)
#rdr on $ext_if proto udp from any to $external_addr/32 port 4569 -> 192.168.0.5 port 4569
# Filtering: the implicit first two rules are
pass in all
pass out all
pass quick on lo0 all
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log all
#nmap
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
#iax2
pass in on $ext_if proto udp from any to any port 4569 keep state
#http
pass in on $ext_if proto tcp from any to any port 80 keep state
#ftp
pass in on $ext_if proto tcp from any to any port 21 keep state
#ssh
pass in on $ext_if proto tcp from any to any port 22 keep state
#icmp, ping etc
pass in on $ext_if proto icmp all
anchor snort2pf
#allow outbound
#anything really
pass out on $ext_if proto { tcp, udp, icmp } all keep state
-------------------- rc.conf --------------------
# -- sysinstall generated deltas -- # Fri Jun 20 11:58:57 2008
# Created: Fri Jun 20 11:58:57 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
moused_enable="YES"
hostname="mybsd.my.workgroup"
defaultrouter="192.168.1.1"
network_interfaces="fxp0 xl0"
#pont
#cloned_interfaces="bridge0"
#ifconfig_bridge0="addm fxp0 addm xl0 up"
ifconfig_fxp0="inet 192.168.1.65 netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.10.65 netmask 255.255.255.0"
#ifconfig bridge inet 192.168.1.66
# linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
gateway_enable="YES" # Enable as LAN gateway
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
#ifconfig_fxp0="UP"
#ifconfig_xl0="UP"
#fireWall
#firewall_enable="YES"
#firewall_script="/etc/ipfw.rules"
#firewall_type="open"
#NAT
#gateway_enable="YES"
#ipnat_enable="YES"
#ipnat_script="/etc/ipnat.rules"
#natd_enable="YES"
#natd_interface="fxp0"
#natd_flags="-f /etc/natd.conf"
# Apache 2.2
apache22_enable="YES"
apache22_flags="-DSSL"
#mysql 5
mysql_enable="YES"
# -- sysinstall generated deltas -- # Wed Jul 16 23:38:54 2008
#keymap="us.unix"
# -- sysinstall generated deltas -- # Wed Jul 16 23:39:20 2008
keymap="it.iso"
July 29, 2008 at 2:11 pm |
hi syiron, any comments? :(
July 29, 2008 at 5:11 pm |
can you understand what I tried to give you in my front post? maybe it will help you too. you must understand the pf packet filter. try to play with it. later I will post an example.
July 29, 2008 at 6:05 pm |
hi
the first thing I did not understand is why you chose "10.172.1.0/16" for external_addr and not 192.168.1.1/16 :\
November 1, 2008 at 9:05 am |
assalamualaikum!! hi syiron, well done, you're good at making this blog, I can learn BSD too.........but why haven't you continued?