Opened 14 years ago

Closed 13 years ago

#10 closed defect (invalid)

ileiden proxy: no proper firewall rules

Reported by: huub Owned by: rick
Priority: major Milestone:
Component: component1 Version:
Keywords: Cc:

Description

Enabling ipfw on the ileiden proxy makes the proxy unreachable.
ipfw:
Proxy11# /etc/ipfw.sh
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 check-state
00500 allow ip from me to any keep-state
00600 nat 100 ip from 172.16.0.0/12 to any out recv sis0 xmit sis1
00700 nat 100 ip from any to 192.168.1.70 in recv sis1
ipfw nat 100 config if sis1
00800 deny log logamount 500 ip from 172.16.0.0/12 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 in via sis0
00900 allow tcp from 172.16.0.0/12 to any dst-port 80,443 in via sis0 setup limit src-addr 10
01000 nat 200 ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 172.16.0.0/12 out recv sis1 xmit sis0
01100 nat 200 ip from 172.16.0.0/12 to 172.23.25.66 in recv sis0
ipfw nat 200 config if sis0
01200 allow ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 172.16.0.0/12 in recv sis1 keep-state
01300 allow tcp from any to me dst-port 22 via sis1 setup keep-state
01400 allow udp from 172.16.0.0/12 to me dst-port 123,53,161,12345 via sis0 keep-state
01500 allow tcp from 172.16.0.0/12 to me dst-port 22,53,3128 via sis0 setup keep-state
65000 deny log logamount 500 ip from any to any
Proxy11# Read from remote host proxy11.wleiden.net: Operation timed out
Connection to proxy11.wleiden.net closed.

Change History (3)

comment:1 by huub, 14 years ago

There are still no proper firewall rules in the ileiden proxy factory:

Proxy9 was no longer reachable after the automatic reboot that followed enabling the ileiden configuration. Installed a new card.
The old card turns out to boot fine at home.

Enabled the firewall on the new card in proxy9:

Proxy9# ipfw list
65535 allow ip from any to any
Proxy9# /etc/ipfw.sh restart
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 check-state
00500 allow ip from me to any keep-state
00600 nat 100 ip from 172.16.0.0/12 to any out recv sis1 xmit sis0
00700 nat 100 ip from any to 213.125.162.254 in recv sis0
ipfw nat 100 config if sis0
00800 deny log logamount 500 ip from 172.16.0.0/12 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 in via sis1
00900 allow tcp from 172.16.0.0/12 to any dst-port 80,443 in via sis1 setup limit src-addr 10
01000 nat 200 ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 172.16.0.0/12 out recv sis0 xmit sis1
01100 nat 200 ip from 172.16.0.0/12 to 172.16.4.54 in recv sis1
ipfw nat 200 config if sis1
01200 allow ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 172.16.0.0/12 in recv sis0 keep-state
01300 allow tcp from any to me dst-port 22 via sis0 setup keep-state
01400 allow udp from 172.16.0.0/12 to me dst-port 123,53,161,12345 via sis1 keep-state
01500 allow tcp from 172.16.0.0/12 to me dst-port 22,53,3128 via sis1 setup keep-state
65000 deny log logamount 500 ip from any to any
Proxy9#


After this I can no longer log in from node declercq.

If I compare proxy9's rules with, for example, those of proxy97, some rules have been added:

Proxy97# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to 10.0.0.0/16 in via sis1
00500 nat 100 ip from 172.16.0.0/12 to any out via sis0
00600 nat 100 ip from any to 10.0.1.100 in via sis0
03000 check-state
03001 allow tcp from 172.16.0.0/12 to any dst-port 80,443 in via sis1 setup limit src-addr 10
04001 allow ip from me to any keep-state
05001 allow tcp from any to me dst-port 22 keep-state
06001 allow ip from any to me dst-port 53 via sis1 keep-state
06002 allow udp from any to me dst-port 123 via sis1 keep-state
06003 allow tcp from any to me dst-port 3128 via sis1 keep-state
06004 allow udp from 172.16.0.0/12 to me dst-port 12345 via sis1 keep-state
06005 allow udp from any to me dst-port 161 via sis1 keep-state
65000 deny ip from any to any
65535 allow ip from any to any
Proxy97#
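
The listings in the description and in this comment order the rules the same way, so as an added illustration (not part of the ticket and not the ileiden project's own tooling) here is a small first-match simulator over proxy9's allow/deny rules. It assumes, which the ticket does not state, that the proxy's own addresses are its two nat targets (213.125.162.254 on sis0 and 172.16.4.54 on sis1), and it ignores nat, dynamic state and ipfw's one_pass behaviour.

```python
import ipaddress
# Proxy9's allow/deny rules as listed in the ticket. nat and check-state lines are left out:
# they match none of the packets tested here, and a new inbound connection has no dynamic state.
RULES = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00500 allow ip from me to any keep-state
00800 deny log logamount 500 ip from 172.16.0.0/12 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 in via sis1
00900 allow tcp from 172.16.0.0/12 to any dst-port 80,443 in via sis1 setup limit src-addr 10
01200 allow ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 172.16.0.0/12 in recv sis0 keep-state
01300 allow tcp from any to me dst-port 22 via sis0 setup keep-state
01400 allow udp from 172.16.0.0/12 to me dst-port 123,53,161,12345 via sis1 keep-state
01500 allow tcp from 172.16.0.0/12 to me dst-port 22,53,3128 via sis1 setup keep-state
65000 deny log logamount 500 ip from any to any
"""
# ASSUMPTION (the ticket does not say this): the proxy's own addresses are its two nat targets.
ME = ["213.125.162.254/32", "172.16.4.54/32"]  # sis0, sis1
def _nets(tok):  # None stands for 'any'
    return None if tok == "any" else [ipaddress.ip_network(a) for a in (ME if tok == "me" else tok.split(","))]

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        r = {"num": int(t[0]), "action": t[1], "proto": None, "src": None, "dst": None,
             "dports": None, "dir": None, "iface": None, "setup": False}
        for i, w in enumerate(t):  # 'ip', 'log logamount N', 'limit ...', 'keep-state' are simply ignored
            if w in ("tcp", "udp"): r["proto"] = w
            elif w == "from": r["src"] = _nets(t[i + 1])
            elif w == "to": r["dst"] = _nets(t[i + 1])
            elif w == "dst-port": r["dports"] = {int(p) for p in t[i + 1].split(",")}
            elif w in ("in", "out"): r["dir"] = w
            elif w in ("via", "recv", "xmit"): r["iface"] = t[i + 1]  # simplified: one interface per packet
            elif w == "setup": r["setup"] = True
        rules.append(r)
    return rules

def _hit(nets, addr):
    return nets is None or any(ipaddress.ip_address(addr) in n for n in nets)

def first_match(rules, proto, src, dst, dport, direction, iface, syn=True):
    for r in rules:  # the first allow/deny rule that matches decides, as in ipfw
        if (r["proto"] in (None, proto) and _hit(r["src"], src) and _hit(r["dst"], dst)
                and (r["dports"] is None or dport in r["dports"]) and r["dir"] in (None, direction)
                and r["iface"] in (None, iface) and (syn or not r["setup"])):
            return r["num"], r["action"]
    return 65535, "allow"  # ipfw's default rule
if __name__ == "__main__":  # SSH from a 172.16/12 client to the sis1 address: 00800 wins before 01500 is reached
    print(first_match(parse_rules(RULES), "tcp", "172.16.1.20", "172.16.4.54", 22, "in", "sis1"))  # (800, 'deny')
```

Under that assumption an SSH packet from a 172.16/12 client to the sis1 address hits 00800 before 01300 or 01500 is ever consulted, whereas the same packet arriving on sis0 toward the public address is allowed by 01300.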


comment:2 by rick, 14 years ago

Owner: changed from somebody to rick
Status: new → assigned

comment:3 by huub, 13 years ago

Resolution: invalid
Status: assigned → closed

Ticket has been overtaken by events: switched from ipfw to pf.
