Subject: Re: ipf.conf configuration
To: Pavel Trubl <trubl@nettel.cz>
From: Pavel Cahyna <pcah8322@artax.karlin.mff.cuni.cz>
List: regional-cs
Date: 08/29/2005 09:49:56
On Mon, Aug 29, 2005 at 09:13:32AM +0200, Pavel Trubl wrote:
> Hello,
> I am trying to set up a redirect of port 25 into the internal network and I am making a mistake somewhere.
> Ipfilter worked fine without the redirect; the mail server on the public IP was
> reachable. I moved it into the internal network and set up a redirect in
> ipnat.conf:
> 
> rdr ne2 xx.xx.xx.xx/32 port 25 -> 10.73.75.254 port 25 tcp
> 
> Somehow it did not work, so I took ipfilter out of the picture [I allowed
> everything] and without it, it also works fine. It is just the combination of ipfilter and
> ipnat that somehow does not run.
> 
> Where is my mistake?
> P.
> 
> 
> # cat /etc/ipf.conf
> # ne2 - public IP, ne3, ne4 - internal IP
> block in log from any to any
> block out log from any to any
> 
> block return-rst in log proto tcp from any to any
> block return-icmp in log proto udp from any to any
> 
> pass in quick on lo0 from any to any
> pass out quick on lo0 from any to any
> 
> block out quick proto tcp from any to any flags /S
> block in quick proto tcp from any to any flags /S
> 
> pass out quick proto icmp from any to any icmp-type 8 code 0 keep state
> pass in quick proto icmp from any to any icmp-type 8 code 0 keep state

Incidentally, I would say that this allows attackers to send ICMP packets into
your internal network (behind the NAT): it is enough for a packet to arrive on ne2
with a destination address from the non-public range.

Pavel Cahyna
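The point raised in the reply above, as an added example that is not part of the thread or of ipfilter itself: a small Python model of ipfilter's rule-matching order (the last matching rule wins, except that a matching `quick` rule ends the search at once) is run over the quoted `pass in quick proto icmp from any to any icmp-type 8 ...` rule and over a tightened variant that binds the ICMP rules to an interface and to the firewall's own address, plus anti-spoofing blocks on ne2. The hardened rule set, the public address 198.51.100.7 standing in for xx.xx.xx.xx, and the attacker address 203.0.113.9 are assumptions for the illustration; the model evaluates only the inbound half of a forwarded packet and ignores the state table and ipnat.

```python
"""Added example (not from the original thread): model of ipfilter rule
evaluation showing why an unbound 'pass in quick proto icmp from any to any'
lets echo requests reach hosts behind the NAT."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    iface: str                      # interface the packet is seen on
    direction: str                  # "in" or "out"
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    icmp_type: Optional[int] = None


def parse_rule(line):
    """Parse the subset of ipf.conf syntax used in the thread. Options this
    model does not need (port, flags, code, log, keep state, return-*) are
    accepted and ignored."""
    tok = line.split()
    rule = {"action": tok.pop(0), "quick": False, "iface": None,
            "proto": None, "src": "any", "dst": "any", "icmp_type": None}
    if tok[0].startswith("return-"):
        tok.pop(0)
    rule["direction"] = tok.pop(0)
    while tok:
        t = tok.pop(0)
        if t == "quick":
            rule["quick"] = True
        elif t in ("on", "proto", "from", "to"):
            key = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}[t]
            rule[key] = tok.pop(0)
        elif t == "icmp-type":
            rule["icmp_type"] = int(tok.pop(0))
        elif t in ("code", "port", "flags"):
            tok.pop(0)              # value not modelled
        # "log", "keep", "state" carry no matching criteria in this model
    return rule


def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def _addr_match(spec, addr):
    return spec == "any" or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    return (rule["direction"] == pkt.direction
            and rule["iface"] in (None, pkt.iface)
            and rule["proto"] in (None, pkt.proto)
            and _addr_match(rule["src"], pkt.src)
            and _addr_match(rule["dst"], pkt.dst)
            and rule["icmp_type"] in (None, pkt.icmp_type))


def verdict(rules, pkt):
    """ipfilter order: the last matching rule wins, except that a matching
    'quick' rule ends the search immediately. A packet no rule matches is
    passed, which is why both rule sets open with block-all rules."""
    result = "pass"
    for rule in rules:
        if matches(rule, pkt):
            result = rule["action"]
            if rule["quick"]:
                break
    return result


# Rules as quoted in the thread (only the lines relevant to ICMP).
ORIGINAL = parse_ruleset("""
block in log from any to any
block out log from any to any
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
pass out quick proto icmp from any to any icmp-type 8 code 0 keep state
pass in quick proto icmp from any to any icmp-type 8 code 0 keep state
""")

# Assumed hardening (not from the thread): 198.51.100.7 stands in for the
# public address xx.xx.xx.xx; private destinations and private sources are
# dropped on the public interface before any pass rule can match them.
HARDENED = parse_ruleset("""
block in log from any to any
block out log from any to any
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
block in quick on ne2 from any to 10.0.0.0/8
block in quick on ne2 from 10.0.0.0/8 to any
pass in quick on ne2 proto icmp from any to 198.51.100.7/32 icmp-type 8 code 0 keep state
pass in quick on ne3 proto icmp from 10.73.75.0/24 to any icmp-type 8 code 0 keep state
pass out quick proto icmp from any to any icmp-type 8 code 0 keep state
""")

# Constructed test traffic: attacker address 203.0.113.9 is an assumption.
ATTACK = Packet("ne2", "in", "icmp", "203.0.113.9", "10.73.75.254", 8)   # echo to internal host
PING_FW = Packet("ne2", "in", "icmp", "203.0.113.9", "198.51.100.7", 8)  # echo to the firewall
INSIDE = Packet("ne3", "in", "icmp", "10.73.75.10", "192.0.2.1", 8)      # internal host pinging out

if __name__ == "__main__":
    for name, pkt in (("attack", ATTACK), ("ping-fw", PING_FW), ("inside", INSIDE)):
        print(f"{name:8} original={verdict(ORIGINAL, pkt):5} hardened={verdict(HARDENED, pkt)}")
```

The `quick` keyword is what makes the quoted rule dangerous: because it fires before any later rule and is bound to neither an interface nor a destination, an echo request arriving on the public interface with a private destination is passed and forwarded. Binding the rule with `on ne2` and `to <public address>` is the direct fix; the two `block in quick on ne2` anti-spoofing rules are belt-and-braces for any other rule that is later added with `from any to any`.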