From: Serhat Umar (serhat@secureinbox.net)
Date: Tue 13 May 2003 - 18:06:54 EEST
Hello,
In OpenBSD 3.2 and later the NAT rules were moved into pf.conf as well.
Yours appears to be OpenBSD 3.3, and you have written the rules as two separate files; could that be where your mistake is?
Also, you need to have the pf=YES entry in /etc/rc.conf.
Regards,
Serhat
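The advice above, as an added example that is not the poster's file or Serhat's: the poster's nat.conf and pf.conf merged into the single /etc/pf.conf that OpenBSD 3.3 expects, in the section order pf of that era enforces (macros, options, scrub, queueing, translation, then filter rules; a translation rule placed after a filter rule is a syntax error). The macros INTNET and FTPSRV are assumptions derived from the addresses shown in the thread, and the explicit pass rule for the redirected FTP traffic is the check the original rule set lacks.

```pf
# Added example, not the original poster's configuration.
# Single /etc/pf.conf for OpenBSD 3.3 combining the former nat.conf
# translation rules with the filter rules, in the required section order.
EXTETH = "rl1"
INTETH = "rl0"
INTNET = "10.10.1.0/24"   # assumption: the LAN seen on rl0 in the thread
FTPSRV = "10.10.1.3"      # assumption: the internal FTP server from the rdr rule

### TRANSLATION (must precede every filter rule) ###

# Apply NAT to the external interface for the RFC1918 LAN
nat on $EXTETH from $INTNET to any -> $EXTETH

# Redirect inbound FTP control connections to the internal FTP server
rdr on $EXTETH proto tcp from any to $EXTETH port ftp -> $FTPSRV port ftp

### FILTER ###

# Default deny and log on the external interface
block in log on $EXTETH all

# Trust the internal interface
pass in quick on $INTETH all
pass out quick on $INTETH all

### SPOOFING ###

# RFC1918 and loopback sources must never arrive from the outside.
# The LAN block itself (10/8) belongs here too: it sits behind NAT,
# so a 10.x source on rl1 can only be spoofed.
block in log quick on $EXTETH from 127.0.0.0/8 to any
block in log quick on $EXTETH from 10.0.0.0/8 to any
block in log quick on $EXTETH from 172.16.0.0/12 to any
block in log quick on $EXTETH from 192.168.0.0/16 to any
block in log quick on $EXTETH from 192.0.2.0/24 to any
block in log quick on $EXTETH from 224.0.0.0/3 to any

### ESTABLISHED/GENERAL ###

# Stateful outbound; the reply packets are matched by state, not by a rule
pass out quick on $EXTETH proto tcp from any to any keep state
pass out quick on $EXTETH proto udp from any to any keep state
pass out quick on $EXTETH proto icmp from any to any keep state

# rdr only rewrites the destination address; the packet is then filtered
# with that new destination. Without this pass rule the "block in log on
# $EXTETH all" rule above silently drops every redirected FTP connection.
# "quick" is required because pf uses last-match and the return-rst block
# below would otherwise win.
pass in quick on $EXTETH proto tcp from any to $FTPSRV port ftp \
    flags S/SA keep state

### UDP/TCP REJECTS ###

block return-rst in log on $EXTETH proto tcp from any to any flags S/SA
block return-icmp(filter-prohib) in log on $EXTETH proto udp all
```

To activate it on OpenBSD 3.3: set `pf=YES` in /etc/rc.conf (the default `pf_rules=/etc/pf.conf` then loads this file at boot), and enable forwarding between rl0 and rl1 with `net.inet.ip.forwarding=1` in /etc/sysctl.conf, since pf translates packets but does not route them. Before rebooting, `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -e -f /etc/pf.conf` enables pf and loads it, and `pfctl -s nat` confirms the translation rules are actually installed. One caveat specific to the service being redirected: this handles only the FTP control connection on port 21; FTP data connections use separate ports and need either passive-mode port redirection or the system's ftp-proxy to work through NAT.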
----- Original Message -----
From: "Vasfi UYSAL" <vasfi@med.ege.edu.tr>
To: <bsd@linux.org.tr>
Sent: Tuesday, May 13, 2003 3:43 PM
Subject: [bsd] Obsd nat
> Hello
>
> I have a machine set up like this
>
>
> root@uniwall:~ > ifconfig -a
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
> inet 127.0.0.1 netmask 0xff000000
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
> lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> address: 00:00:21:d0:ee:3b
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 10.10.1.250 netmask 0xffffff00 broadcast 10.10.1.255
> inet6 fe80::200:21ff:fed0:ee3b%rl0 prefixlen 64 scopeid 0x1
> rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> address: 00:02:44:07:25:01
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 155.223.206.19 netmask 0xfffffe00 broadcast 155.223.207.255
> inet6 fe80::202:44ff:fe07:2501%rl1 prefixlen 64 scopeid 0x2
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> pfsync0: flags=0<> mtu 2020
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
> sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> tun0: flags=10<POINTOPOINT> mtu 3000
> tun1: flags=10<POINTOPOINT> mtu 3000
> enc0: flags=0<> mtu 1536
> bridge0: flags=0<> mtu 1500
> bridge1: flags=0<> mtu 1500
> vlan0: flags=0<> mtu 1500
> address: 00:00:00:00:00:00
> vlan1: flags=0<> mtu 1500
> address: 00:00:00:00:00:00
> gre0: flags=9010<POINTOPOINT,LINK0,MULTICAST> mtu 1450
> gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> <-- you are on uniwall.unipa.com (OpenBSD 3.3 GENERIC#44) -->
> root@uniwall:~ >
>
> root@uniwall:~ > cat /etc/nat.conf
> # Apply NAT to external firewall interface for our RFC1918 network
> nat on rl1 from 10.10.1.0/24 to any -> rl1
>
> # Redirect HTTP requests to our web server
> rdr on rl1 proto tcp from any to 0.0.0.0/0 port ftp -> 10.10.1.3 port ftp
> <-- you are on uniwall.unipa.com (OpenBSD 3.3 GENERIC#44) -->
> root@uniwall:~ >
>
> etc/pf.conf
>
> EXTETH = "rl1"
> INTETH = "rl0"
>
> ### MAIN ###
>
> # Block all incoming packets on the external interface, and log them.
> block in log on $EXTETH all
>
> # Allow any incoming and outgoing packets on the internal interface.
> pass in quick on $INTETH all
> pass out quick on $INTETH all
>
> ### SPOOFING/IPOPTS ###
>
> # Prevent general spoofing of RFC1918 blocks
> block in log quick on $EXTETH from 127.0.0.0/8 to any
> block in log quick on $EXTETH from 192.168.0.0/16 to any
> block in log quick on $EXTETH from 172.16.0.0/12 to any
> #block in log quick on $EXTETH from 10.0.0.0/8 to any
>
> # Prevent general spoofing of other non-routable blocks
> block in log quick on $EXTETH from 1.0.0.0/8 to any
> block in log quick on $EXTETH from 2.0.0.0/8 to any
> block in log quick on $EXTETH from 192.0.2.0/24 to any
> block in log quick on $EXTETH from 224.0.0.0/3 to any
>
> ### ESTABLISHED/GENERAL ###
>
> # Allow incoming UDP/TCP/ICMP connections that are established,
> # the out rule adds incoming state matching
> pass out quick on $EXTETH proto tcp from any to any keep state
> pass out quick on $EXTETH proto udp from any to any keep state
> pass out quick on $EXTETH proto icmp from any to any keep state
>
> ### UDP/TCP REJECTS ###
>
> # Return tcp RST for blocked TCP connections
> block return-rst in log on $EXTETH proto tcp from any to any flags S/SA
>
> # Return ICMP net-unreachable for blocked UDP packets
> block return-icmp(filter-prohib) in log on $EXTETH proto udp all
>
>
> <-- you are on uniwall.unipa.com (OpenBSD 3.3 GENERIC#44) -->
> root@uniwall:~ >
>
>
> This machine does not do NAT in this state.
> As far as I could tell from a few documents on the net, editing these files
> this way and rebooting was supposed to be enough.
> Thanks in advance for any answers
>
>
> - Vasfi UYSAL