pf的設定 - BBS

作者 sw0079 (極限操作) 看板 Linux
標題 [問題] pf.conf設定
時間 Thu Mar 20 13:07:10 2014
───────────────────────────────────────

大家好,小弟是Linux/OBSD的新手
最近上課在做的project
因為router是OBSD所以有些檔案名稱path會不一樣

要問的問題是OBSD裡面的/etc/pf.conf的一些rules


老師的要求是:

1. Windows subnet to storage subnet: NO access
2. Windows subnet to web server subnet: RESTRICTED access
Only SSL HTTP ports allowed
3. Web server subnet to storage subnet: RESTRICTED access
Only iSCSI ports allowed

小弟自己用小畫家畫了一個圖形
http://tinypic.com/view.php?pic=fwqhxz&s=8#.Uyp0NPldUwA

OBSD router有1 external interface (em0) 2 internal interfaces (em1 & em2)
Windows subnet >> em1
www server >> em2
storage server >> 從主要的router連接到OBSD router

小弟自己弄出來的pf rules是
ext_if = "em0"
int_if = "em1"
int_if2 = "em2"
www_server = "192.168.32.130"
web_ports = "{ https, iscsi }"
tcp_services = "{ ssh, domain }"
udp_services = "{ router, domain }"


set skip on lo
block in


pass in on $int_if from $int_if:network
pass in on $int_if2 from $int_if2:network


pass in inet proto icmp


block from $int_if:network to $int_if2:network


pass in on $ext_if inet proto tcp to $ext_if port $tcp_services
pass in on $ext_if inet proto udp to $ext_if port $udp_services
pass in on $ext_if inet proto tcp to $www_server port $web_ports
pass in on $int_if inet proto tcp from $int_if:network to $www_server port
https


block from $int_if:network to 10.12.0.0/16

pass out


今天老師檢查後說這個configuration很奇怪
因為
pass in on $int_if from $int_if:network
pass in on $int_if2 from $int_if2:network

這兩個其實很多餘
還有pass in on $int_if inet proto tcp from $int_if:network to $www_server
port https
這個也是很怪異
但是老師測試了一下後說 因為有達到要求所以過了(測試方式用ping還有看我們的網頁是
否只能顯示https)

重點: 如果是各位大大 會怎麼寫呢?
不好意思寫很多 感謝您的指點




--

The truth is always beneath a quiet place.
So I prefer to work in a distant place alone.


--