Pf quene & rdr

[hanggard]

Доброе время суток, уважаемая аудитория. Сейчас, после многих трудностей настройки моего сервера, поднял на нем pf - для ната и для защиты. Конфиг попытался взять отсюда: http://www.lissyara.su/?id=1833
В общем, рассказываю: конфига была взята не полностью, а частично, и самое главное, что мне нужно было - работает. Но есть и другие фичи, описанные в вышеуказанной статье: их запустить не удалось. Речь идет о quene, synproxy и rdr.
Вот мой пример конфига:

Код: Выделить всё

# Главные переменные
set loginterface tun0
wan="tun0"
lan="10.54.0.0/27"
int="vlan100"
## Разрешаем все и вся кольцевому интерфесу (временная заплатка)
set skip on lo0
## Разрешаем все и вся юзерам из локалки (временная заплатка)
set skip on vlan100
## И свитчу (временная заплатка)
set skip on vlan10
## Переменные пользователей
unicron="10.54.0.1"
andrey="10.54.0.3"
mama="10.54.0.4"
dell="10.54.0.2"
palych="10.54.0.5"
## Cписок немаршрутизируемых адресов, с которых к нам
## будут долбиться на внешний интерфейс, а мы их будем заботливо писать в лог.
non_route_nets_inet="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }" # Тут я пока что не стал предпринимать действий, просто ввел переменную.
## В этот список попадают IP адреса тех, кто превысил лимит подключений в единицу времени к сервису ssh.
table <BRUTEFORCERS> persist
## Делаем NAT с внешнего интерфейса на внутренний
nat on $wan from $lan to any -> ($wan)
## И редиректим радмин на ноут
rdr on $wan proto tcp from any to $wan port 4899 -> $dell port 4899
# Режем трафег
#altq on $wan cbq bandwidth 6000Kb queue {dell, qmama, qandrey, qpalych, qssh, qdns, qntp, qack}
#queue qdell bandwidth 30% priority 3 cbq ( borrow )
#queue qmama bandwidth 20% priority 2 cbq ( borrow )
#queue qpalych bandwidth 17% priority 2 cbq ( borrow )
#queue qandrey bandwidth 16% priority 2 cbq ( borrow )
#queue qssh bandwidth 8% priority 4 cbq ( borrow )
#queue qdns bandwidth 2% priority 5 cbq ( borrow )
#queue qntp bandwidth 2% priority 7 cbq ( borrow )
#queue qack bandwidth 5% priority 6 cbq ( borrow )

######################################################################
###################### RULES RULES RULES #############################
######################################################################

## Забклокировать все
block all
## Блокируем нехороших человеков, которые брутфорсили нас
block quick from <BRUTEFORCERS>
## Разрешаем входящие ssh
pass in quick on $wan proto tcp from any to ($wan) port 222
## ssh
# ssh для локальных юзеров
#pass in on $int proto tcp from $lan to $unicron port 222 synproxy state (max-src-conn-rate 5/300, overload <BRUTEFORCERS> flush global) #пока что не разобрался, как оно работает
# и для пользователей с инета
#pass in on $wan proto tcp from any to $wan port 222 synproxy state (max-src-conn-rate 5/300, overload <BRUTEFORCERS> flush global) #пока что не разобрался, как оно работает
## Разрешаем входящие www
pass in quick on $wan proto tcp from any to ($wan) port 80
## Разрешаем нас пинговать
pass in quick on $wan proto icmp from any to ($wan)
## Разрешаем входящие ftp
pass in quick on $wan proto tcp from any to $wan port {21, 60000:65000}
## Разрешить исходящие от локалки
pass out quick on $wan from $lan to any
## Разрешить исходящие от нас
pass out quick on $wan from ($wan) to any
## Разрешаем обратку Torrentflux
pass in quick on $wan proto tcp from any to $wan port {49160:49200}
## Разрешаем UltraVNC
pass in quick on $wan proto tcp from any to $wan port {5900:5901}
## Разрешаем радмин до ноута
#pass in quick on $wan proto tcp from any to $wan port {4899:4900}

Собсно, что в этом конфиге закомменчено, то я и не смог запустить, а именно секция "Режем трафег", "Radmin на ноут" и ssh через synproxy. Причем оговорюсь сразу: нарезка трафика - pfctl ругается на синтаксические ошибки, а редирект и ssh грамматическую проверку проходит, но порт не пробрасывается и ssh не пускает. Сразу говорю - по почкам не бейте, потому что пробовал и так и сяк, при нарезке трафика вылезает следующее:

Код: Выделить всё

root@unicron:/usr/home/hanggard# pfctl -nf /etc/pf.conf
/etc/pf.conf:33: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:34: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:35: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:36: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:37: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:38: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:39: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:40: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:41: Rules must be in order: options, normalization, queueing, translation, filtering

Вот такой вот вопрос у меня, помогите, кто может...

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[reLax]

/etc/pf.conf:41: Rules must be in order: options, normalization, queueing, translation, filtering

В этом порядке должны быть правила по порядку, в чем вопрос ?

[hanggard]

ну просто я немного тормоз, можно мне на примере одной из моих строчек показать, как нужно выстроить нужный порядок?

[reLax]

без # сам подумай, что нагородил тут:

Код: Выделить всё

set loginterface tun0
wan="tun0"
lan="10.54.0.0/27"
int="vlan100"
set skip on lo0
set skip on vlan100
set skip on vlan10
unicron="10.54.0.1"
andrey="10.54.0.3"
mama="10.54.0.4"
dell="10.54.0.2"
palych="10.54.0.5"
non_route_nets_inet="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }" 
table <BRUTEFORCERS> persist
nat on $wan from $lan to any -> ($wan)
rdr on $wan proto tcp from any to $wan port 4899 -> $dell port 4899
block all
block quick from <BRUTEFORCERS>
pass in quick on $wan proto tcp from any to ($wan) port 222
pass in quick on $wan proto tcp from any to ($wan) port 80
pass in quick on $wan proto icmp from any to ($wan)
pass in quick on $wan proto tcp from any to $wan port {21, 60000:65000}
pass out quick on $wan from $lan to any
pass out quick on $wan from ($wan) to any
pass in quick on $wan proto tcp from any to $wan port {49160:49200}
pass in quick on $wan proto tcp from any to $wan port {5900:5901}

[reLax]

тебе дать пример pf ?

[hanggard]

буду благодарен а там synproxy, quene & rdr есть?))

[reLax]

буду благодарен а там synproxy, quene & rdr есть?))

synproxy & rdr

[reLax]

Код: Выделить всё

#----- Interfaces -----#
 ExtIf="msk1"
 IntIf="msk0"
 VirtIf="tap0"

 VirtNet="172.17.3.0/24"

#----- Hosts -----#
 Root="{ 172.17.2.250, 172.17.2.70, 172.17.2.25 }"
 CiscoSwitch="192.168.0.222"
 CiscoRouter="192.168.0.1"
 BindJail="192.168.0.200"
 SqlJail="192.168.0.220"
 HttpdJail1="192.168.0.210"
 HttpdJail2="192.168.0.230"

#----- States & Queues -----#
 SynState="flags S/SAFR synproxy state"
 TcpState="flags S/SAFR modulate state"
 UdpState="keep state"

#----- Ports -----#
 AllowOutAll="{80, 443, 21}"
 Icq="{5190}"
 MailAgent="{2041, 2042}"
 ExtMail="{25, 110, 143}"
 IntIfTcpIn="{53, 139, 445, 8080}"
 IntIfTcpOut="{53, 139, 445, 8080}"
 IntIfUdpIn="{137, 138}"
 IntIfUdpOut="{137, 138}"

#----- Stateful Tracking Options -----#
 ExtIfSTO  ="(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
 IntIfSTO  ="(max 250,  source-track rule, max-src-conn 100,  max-src-nodes 254, max-src-conn-rate 75/20)"
 SshSTO    ="(max 10,   source-track rule, max-src-conn 10,   max-src-nodes 5,   max-src-conn-rate 20/60, overload <OVERLOAD_SSH> flush global)"

#----- Tables -----#
 table <sshguard>        persist
 table <OVERLOAD_SSH>    persist
 table <BLACKLIST>       persist file "/etc/pf/blacklist"
 table <SLOWQUEUE>       persist file "/etc/pf/slowqueue"
 table <SERVERS>         persist {172.17.2.1, 172.17.2.120, 172.17.2.200, 172.17.2.100}
 table <NORMALQUEUE>     persist file "/etc/pf/normalqueue"
 table <HTTPOVERNAT>     persist file "/etc/pf/httpovernat"
 table <ICQ>             persist file "/etc/pf/icq"
 table <IPICQ>           persist {64.12.0.0/16, 205.188.0.0/16}
 table <EXTMAIL>         persist file "/etc/pf/extmail"
 table <EXTFTP>          persist file "/etc/pf/extftp"
 table <INTFTP>          persist file "/etc/pf/intftp"
 table <SKYPE>           persist file "/etc/pf/skype"
 table <MAILAGENT>       persist file "/etc/pf/magent"
 table <EXTSERVIFACES>   persist {192.168.0.100, 192.168.0.150, 192.168.0.155, 192.168.0.240}
 table <INTSERVIFACES>   persist {172.17.2.1, 172.17.2.5, 172.17.2.120, 172.17.2.100, 172.17.2.200, 172.17.2.201, 172.17.2.203}
 table <EXTSERVJAILS>    persist {192.168.0.200, 192.168.0.210, 192.168.0.220, 192.168.0.230, 192.168.0.240}
 table <NETAMS_INET>     persist
 table <LKP_NETAMS_INET> persist

#----- Options -----#
 set debug urgent
 set require-order yes
 set block-policy drop
 set loginterface $ExtIf
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none
 set skip on lo0
 set skip on $VirtIf

#----- Timeout Options -----#
 set optimization aggressive
 set timeout { frag 10, tcp.established 3600 }
 set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
 set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
 set timeout { other.first 30, other.single 30, other.multiple 30 }
 set timeout { adaptive.start 5000, adaptive.end 10000 }

#----- Normalization -----#
 scrub log on $ExtIf all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

#----- Queueing -----#
# altq on $IntIf cbq bandwidth 100% queue {root_http, slow_http, normal_http, im, mail}
#   queue root_http       bandwidth 1Mb   priority 1 cbq (default red borrow)
#   queue slow_http       bandwidth 256Kb
#   queue normal_http     bandwidth 368Kb
#   queue im              bandwidth 64Kb
#   queue mail            bandwidth 128Kb

#----- NAT & Redirection -----#

 nat on $ExtIf from $IntIf:network to any tag EGRESS -> ($ExtIf:0)  port 1024:65535

 no rdr on lo0 from any to any
 rdr on $IntIf inet proto tcp from $IntIf:network to !(self)        port 21                  -> lo0           port 8021
 rdr on $IntIf inet proto tcp from $IntIf:network to !$IntIf        port 80                  -> $IntIf        port 8080
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"
 no rdr

#----- Filtering -----#

 antispoof log quick for { lo0 $IntIf ($ExtIf) $VirtIf }
 
 block            log quick <OVERLOAD_SSH>
 block return  in log quick on $IntIf inet proto tcp from <NETAMS_INET> to any port {80, 8080, 443, 21, 20}
 block         in log quick           from no-route to any
 block         in log quick on $ExtIf inet proto tcp from any to <BLACKLIST> port {80, 443}
 block         in log quick on $ExtIf from any to 255.255.255.255
 block return  in log quick on $IntIf from any to <BLACKLIST>
 block         in log quick on $ExtIf from <sshguard> to any label "ssh bruteforce"

 block               quick                inet6
 block        log on $ExtIf
 block return log on $IntIf

 anchor "ftp-proxy/*"

#----- Samba Broadcast Fix
 pass log quick on $IntIf inet proto udp from $IntIf:network to $IntIf:broadcast port $IntIfUdpOut $UdpState $IntIfSTO

#----- $ExtIf inbound
#----- TCP
 pass in log on $ExtIf inet proto tcp  from any                                                      to ($ExtIf)     port 5000          $SynState
 pass in log on $ExtIf inet proto tcp  from any                                                      to ($ExtIf)     port 22            $SynState $SshSTO
 pass in log on $ExtIf inet proto tcp  from $HttpdJail1                                              to ($ExtIf)     port 80            $SynState
 pass in log on $ExtIf inet proto tcp  from $SqlJail                        port 3306                to $HttpdJail2
 pass in log on $ExtIf inet proto tcp  from $HttpdJail2                                              to ($ExtIf:0)   port 20001
 pass in log on $ExtIf inet proto tcp  from any                                                      to ($ExtIf)     port 49152:65535   $TcpState $ExtIfSTO
 pass in log on $ExtIf inet proto tcp  from any                                                      to ($ExtIf)     port 5999          $TcpState $ExtIfSTO
#----- UDP
 pass in log on $ExtIf inet proto udp  from $CiscoRouter                                             to ($ExtIf:0)   port 20002
 pass in log on $ExtIf inet proto udp  from 192.168.0.150                                            to ($ExtIf:0)   port 20003
 pass in log on $ExtIf inet proto udp  from $BindJail                       port 53                  to $HttpdJail2
 pass in log on $ExtIf inet proto udp  from {$CiscoRouter, $CiscoSwitch, <EXTSERVIFACES>} port 161   to $HttpdJail2                     $UdpState $ExtIfSTO
#----- ICMP
 pass in log on $ExtIf inet proto icmp from any                                                      to ($ExtIf)     icmp-type 8 code 0 $UdpState

#----- $IntIf outbound
#----- TCP
 pass out log on $IntIf inet proto tcp  from $VirtNet        to $IntIf:network
 pass out log on $IntIf inet proto tcp  from $IntIf          to $IntIf:network
 pass out log on $IntIf inet proto tcp  from $VirtNet to $IntIf:network                    $TcpState
#----- UDP
 pass out log on $IntIf inet proto udp  from $VirtNet          to $IntIf:network
 pass out log on $IntIf inet proto udp  from $IntIf          to $IntIf:network
 pass out log on $IntIf inet proto udp  from $VirtIf:network to $IntIf:network                    $UdpState
 pass out log on $IntIf inet proto udp  from $ExtIf          to $IntIf:network port 161           $UdpState
#----- ICMP
 pass out log on $IntIf inet proto icmp from $VirtNet          to $IntIf:network icmp-type 8 code 0 $UdpState
 pass out log on $IntIf inet proto icmp from $IntIf          to $IntIf:network icmp-type 8 code 0 $UdpState

#----- $IntIf inbound
#----- TCP
 pass in log on $IntIf inet proto tcp  from $IntIf:network   to  $VirtNet                       $TcpState $IntIfSTO
 pass in log on $IntIf inet proto tcp  from $IntIf:network    to  $IntIf         port $IntIfTcpIn
 pass in log on $IntIf inet proto tcp  from <SKYPE>           to  $IntIf         port 1080
 pass in log on $IntIf inet proto tcp  from $Root             to  $IntIf                                $TcpState $IntIfSTO
 pass in log on $IntIf inet proto tcp  from 172.17.2.5        to  $IntIf                                $TcpState $IntIfSTO
 pass in log on $IntIf inet proto tcp  from 172.17.2.234      to  217.14.50.107  port 5560
 pass in log on $IntIf inet proto tcp  from $Root             to !$IntIf         port 22                $TcpState $IntIfSTO
 pass in log on $IntIf inet proto tcp  from <INTSERVIFACES>   to !$IntIf         port 5999              $TcpState $IntIfSTO
 pass in log on $IntIf inet proto tcp  from 172.17.2.120      to  $IntIf         port {873, 555}        $TcpState $IntIfSTO
 pass in log on $IntIf inet proto tcp  from <SERVERS>         to  $IntIf         port 22                $TcpState $IntIfSTO
 pass in log on $IntIf inet proto tcp  from <HTTPOVERNAT>     to !$IntIf         port $AllowOutAll
 pass in log on $IntIf inet proto tcp  from <MAILAGENT>       to  any            port $MailAgent        $TcpState $IntIfSTO
 pass in log on $IntIf inet proto tcp  from <ICQ>             to <IPICQ>         port $Icq              $TcpState $IntIfSTO
 pass in log on $IntIf inet proto tcp  from <EXTMAIL>         to !$IntIf         port $ExtMail          $TcpState $IntIfSTO
 pass in log on $IntIf inet proto tcp  from <INTFTP>          to  127.0.0.1      port 8021              $TcpState $IntIfSTO
#----- UDP
 pass in log on $IntIf inet proto udp  from $IntIf:network   to  $VirtNet                       $UdpState $IntIfSTO
 pass in log on $IntIf inet proto udp  from 172.17.2.200      to  $IntIf
 pass in log on $IntIf inet proto udp  from 172.17.2.5        to  $IntIf
 pass in log on $IntIf inet proto udp  from $IntIf:network    to  $IntIf         port 53
 pass in log on $IntIf inet proto udp  from $IntIf:network    to  $IntIf         port $IntIfUdpIn       $UdpState $IntIfSTO
#----- ICMP
 pass in log on $IntIf inet proto icmp from $IntIf:network    to  $IntIf         icmp-type 8 code 0     $UdpState $IntIfSTO
 pass in log on $IntIf inet proto icmp from $IntIf:network   to  $VirtNet         icmp-type 8 code 0     $UdpState $IntIfSTO

#----- $ExtIf outbound
#----- TCP
 pass out log on $ExtIf inet proto tcp  from ($ExtIf)      to any                                              #port {22, 21, 80, 443}
 pass out log on $ExtIf inet proto tcp  from ($ExtIf)      to any                                              port 43                $TcpState $ExtIfSTO
 pass out log on $ExtIf inet proto tcp  from ($ExtIf)      to $SqlJail                                         port 3306              $TcpState $ExtIfSTO
 pass out log on $ExtIf inet proto tcp  from $HttpdJail2   to any                                              port {21, 80, 443}     $TcpState $ExtIfSTO
 pass out log on $ExtIf inet proto tcp  from $HttpdJail2   to $SqlJail                                         port 3306              $TcpState $ExtIfSTO
 pass out log on $ExtIf inet proto tcp  from $ExtIf:0      to $HttpdJail2                                      port 20001             $TcpState $ExtIfSTO
 pass out log on $ExtIf inet proto udp  from $ExtIf:0      to $CiscoRouter                                     port 20002             $UdpState $ExtIfSTO
 pass out log on $ExtIf inet proto tcp  from ($ExtIf)      to {$CiscoRouter, $CiscoSwitch, 192.168.0.222}      port 23                $TcpState $ExtIfSTO
 pass out log on $ExtIf inet proto tcp  from $ExtIf:0      to any                                              port 5999              $TcpState $ExtIfSTO
 pass out log on $ExtIf inet proto tcp  from ($ExtIf:0)    to any port 2401          $TcpState $ExtIfSTO
 pass out log on $ExtIf inet proto tcp  from ($ExtIf:0)    to any                    $TcpState $ExtIfSTO tagged EGRESS
 pass out log on $ExtIf inet proto tcp  from ($ExtIf:0)    to any port 22            $TcpState $ExtIfSTO tagged EGRESS
 #-----UDP
 pass out log on $ExtIf inet proto udp  from ($ExtIf)      to any                                              #port 53                $UdpState $ExtIfSTO
 pass out log on $ExtIf inet proto udp  from $HttpdJail2   to $BindJail                                        port 53                $UdpState $ExtIfSTO
 pass out log on $ExtIf inet proto udp  from $HttpdJail2   to {$CiscoRouter, $CiscoSwitch, <EXTSERVIFACES>}    port 161               $UdpState $ExtIfSTO
 pass out log on $ExtIf inet proto udp  from $HttpdJail2   to <INTSERVIFACES>                                  port 161               $UdpState $ExtIfSTO
 pass out log on $ExtIf inet proto udp  from $ExtIf:0      to 192.168.0.150                                    port 20003             $UdpState $ExtIfSTO
 pass out log on $ExtIf inet proto udp  from ($ExtIf:0)    to any                    $UdpState $ExtIfSTO tagged EGRESS
 pass out log on $ExtIf inet proto udp  from ($ExtIf:0)    to any port 53            $UdpState $ExtIfSTO tagged EGRESS
#----- ICMP
 pass out log on $ExtIf inet proto icmp from ($ExtIf:0)      to any                  $UdpState $ExtIfSTO tagged EGRESS
#----- END

[reLax]

Порядок правил главное смотри