[WL::Techniek] Fwd: [WL::Commits] r13160 - code/hybrid/branches/releng-10/nanobsd/files/etc

Rick van der Zwet info at rickvanderzwet.nl
Wed Feb 11 12:22:28 UTC 2015


In releng-10 I will remove the option that supports double NAT, so no more
services will be offered for the 'guest network'.
This will make the (firewall) setup a lot clearer.

Kind regards,
/Rick1

-------- Forwarded Message --------
Subject: 	[WL::Commits] r13160 - code/hybrid/branches/releng-10/nanobsd/files/etc
Date: 	Wed, 11 Feb 2015 12:21:08 -0000
From: 	rick - SVN commit <rick at wirelessleiden.nl>
Reply-To: 	beheer at lijst.wirelessleiden.nl, rick <rick at wirelessleiden.nl>
To: 	commits at lijst.wirelessleiden.nl



Author: rick
Date: Wed Feb 11 12:21:07 2015
New Revision: 13160

Log:
Fix open DNS relay issue by closing down to the proper networks.

Modified:
  code/hybrid/branches/releng-10/nanobsd/files/etc/pf.hybrid.conf

Modified: code/hybrid/branches/releng-10/nanobsd/files/etc/pf.hybrid.conf
==============================================================================
--- code/hybrid/branches/releng-10/nanobsd/files/etc/pf.hybrid.conf	Wed Feb 11 12:13:29 2015	(r13159)
+++ code/hybrid/branches/releng-10/nanobsd/files/etc/pf.hybrid.conf	Wed Feb 11 12:21:07 2015	(r13160)
@@ -16,9 +16,13 @@
 # Rick van der Zwet <rick at wirelessleiden.nl>
 #
 
-# Standard port allow listings
-allow_ext_in_tcp="ssh, domain, openvpn"
-allow_ext_in_udp="domain, snmp, openvpn"
+# Standard port allow listings for external services
+allow_ext_in_tcp="ssh, openvpn"
+allow_ext_in_udp="snmp, openvpn"
+
+# Standard port allow listings for services at host network (in case of NAT)
+allow_private_in_tcp="domain"
+allow_private_in_udp="domain"
 
 allow_ext_out_tcp = "domain, http, https, openvpn"
 allow_ext_out_udp = "domain, ntp, openvpn"
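Review bot: snmp stays in allow_ext_in_udp, and that list is still passed from any to $ext_if further down, so SNMP over UDP remains reachable from every source while domain has been restricted. Consider moving snmp to allow_private_in_udp or to a separate list tied to the management networks. The new comment "services at host network (in case of NAT)" would also be clearer if it named the $private macro that the rules using these lists match on.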
@@ -90,7 +94,12 @@
 pass in quick on $ext_if from $wl_net to $wl_net
 pass out quick on $ext_if from $wl_net to $wl_net
 
-# Expose some local services (4)
+# Expose some local services for internal (NATted) network (4)
+pass in on $ext_if inet proto tcp from $private to $ext_if port { $allow_private_in_tcp } keep state
+pass in on $ext_if inet proto udp from $private to $ext_if port { $allow_private_in_udp } keep state
+pass in on $ext_if inet proto icmp from $private to $ext_if icmp-type { echoreq }
+
+# Expose some local services for the external world (WWW) network (4)
 pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
 pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
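Review bot: the added icmp rule from $private is redundant, because the unchanged rule at the end of this hunk already passes echoreq from any to $ext_if; drop it, or tighten the any rule if the intent is to limit ping to the private network. $private is not defined in the visible lines, so confirm it is declared earlier in pf.hybrid.conf and covers only the NATted host network, since matching on that source is now the only thing restricting access to the domain port on $ext_if.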
-- 
Commits mailing list
Commits at lijst.wirelessleiden.nl
http://lijst.wirelessleiden.nl/mailman/listinfo/commits


