pf rdr

Configuring network services, routing and firewalls. Problems with network equipment.
Forum rules
Please use [code] tags when posting listings.
Posts that are not formatted properly have every chance of going unnoticed.
skam
passing by
Posts: 8
Registered: 2008-11-18 7:45:41

pf rdr

Unread post by skam » 2010-09-13 18:24:50

Right now we have an MDaemon mail server; I was given the task of moving to exim. I built everything fine... then I went digging into NAT and port mapping, and in the end nothing works at all) neither the old mail server nor the new one) PF wasn't configured by me. (I'm an idiot, I didn't copy the old conf before editing it.)

So now I have a non-working conf:
[code]
ext_if="rl1"
int_if="rl0"
int_net="192.168.1.0/24"
ext2_addr="111.111.111.111"
ext_addr="222.222.222.222"
int_addr="{192.168.1.18, 192.168.1.2}"
ports="{ 25, 110, 995, 465, 143, 993, 3389}"
srvs="{192.168.1.18, 192.168.1.2, 192.168.1.1, 192.168.1.3, 192.168.1.16}"
dns_srv="{192.168.1.3, 192.168.1.2, 217.196.24.242}"
mx_srv="192.168.1.1"

# Options for IP
set block-policy drop
# Allow lo0 interface !
set skip on lo0
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all fragment reassemble
#nat on $ext_if from 192.168.1.117 to any -> $ext_addr
nat on $ext_if from 192.168.1.68 to any -> $ext_addr
#nat on $ext_if from $int_net to any -> $ext_addr
nat on $ext_if from $srvs to any -> $ext_addr
# Servers NAT
nat pass on $ext_if from $srvs to any -> $ext_addr

rdr on $ext_if proto tcp from any to $ext_addr port 8880 -> 192.168.1.18 port 80
rdr on $ext_if proto tcp from any to $ext_addr port 110 -> 192.168.1.1 port 110
rdr on $ext_if proto tcp from any to $ext_addr port 995 -> 192.168.1.1 port 995
rdr on $ext_if proto tcp from any to $ext_addr port 25 -> 192.168.1.1 port 25
rdr on $ext_if proto tcp from any to $ext_addr port 465 -> 192.168.1.1 port 465
rdr on $ext_if proto tcp from any to $ext_addr port 143 -> 192.168.1.1 port 143
rdr on $ext_if proto tcp from any to $ext_addr port 993 -> 192.168.1.1 port 993
rdr on $ext_if proto tcp from any to $ext_addr port 3389 -> 192.168.1.16 port 3389
rdr on $ext_if proto tcp from any to $ext_addr port 3390 -> 192.168.1.3 port 3389
rdr on $ext_if proto tcp from any to $ext_addr port 3391 -> 192.168.1.1 port 3389
rdr on $ext_if proto tcp from any to $ext_addr port 1352 -> 192.168.1.16 port 1352
#rdr on $ext_if proto tcp from any to $ext_addr port 443 -> 192.168.1.1 port 443
pass all
#block all
#block all

##################### ONLY FOR TEST!!! ##################
###### DELETE OR COMMENT AFTER INSTALL !!!###############
pass out proto tcp from $int_net to any keep state

pass out on $int_if proto tcp from 192.168.1.3 to any keep state
pass out on $int_if proto tcp from any to 192.168.1.3 keep state
pass out on $ext_if proto tcp from 192.168.1.3 to any keep state
pass out on $ext_if proto tcp from any to 192.168.1.3 keep state
pass in on $int_if proto tcp from 192.168.1.3 to any keep state
pass in on $int_if proto tcp from any to 192.168.1.3 keep state
pass in on $ext_if proto tcp from 192.168.1.3 to any keep state
pass in on $ext_if proto tcp from any to 192.168.1.3 keep state
pass out on $int_if proto tcp from 192.168.1.2 to any keep state
pass out on $ext_if proto tcp from 192.168.1.2 to any keep state
pass in on $int_if proto tcp from 192.168.1.2 to any keep state
pass in on $ext_if proto tcp from 192.168.1.2 to any keep state

pass out on $int_if proto tcp from 192.168.1.18 to any keep state
pass out on $ext_if proto tcp from 192.168.1.18 to any keep state
pass in on $int_if proto tcp from 192.168.1.18 to any keep state
pass in on $ext_if proto tcp from 192.168.1.18 to any keep state

pass out on $int_if proto tcp from 192.168.1.1 to any keep state
pass out on $ext_if proto tcp from 192.168.1.1 to any keep state
pass in on $int_if proto tcp from 192.168.1.1 to any keep state
pass in on $ext_if proto tcp from 192.168.1.1 to any keep state

#########################################################
####################### PING ###########################
pass in on $int_if proto icmp from $int_net to $int_net icmp-type echoreq
pass out on $int_if proto icmp from $int_net to $int_net icmp-type echoreq
pass in on $ext_if proto icmp from $ext_if to any icmp-type echoreq keep state
pass out on $ext_if proto icmp from $ext_if to any icmp-type echoreq keep state
#########################################################
################### DNS #################################
pass in proto tcp from any to any port 53 keep state
pass in proto udp from any to any port 53 keep state
pass out proto tcp from any to any port 53 keep state
pass out proto udp from any to any port 53 keep state
#########################################################
########## MAIL SERVER ##############################
#########################################################
############ SMTP External ##############################
pass in proto tcp from any to $ext_addr port 25 keep state
pass out proto tcp from any to $ext_addr port 25 keep state
pass in proto tcp from any to $mx_srv port 25 keep state
pass out proto tcp from any to $mx_srv port 25 keep state
#########################################################
############ SMTPS External #############################
pass in proto tcp from any to $ext_addr port 465 keep state
pass out proto tcp from any to $ext_addr port 465 keep state
pass in proto tcp from any to $mx_srv port 465 keep state
pass out proto tcp from any to $mx_srv port 465 keep state
#########################################################
############ POP3 External ##############################
pass in proto tcp from any to $ext_addr port 110 keep state
pass out proto tcp from any to $ext_addr port 110 keep state
pass in proto tcp from any to $mx_srv port 110 keep state
pass out proto tcp from any to $mx_srv port 110 keep state
#########################################################
############ POP3S External #############################
pass in proto tcp from any to $ext_addr port 995 keep state
pass out proto tcp from any to $ext_addr port 995 keep state
pass in proto tcp from any to $mx_srv port 995 keep state
pass out proto tcp from any to $mx_srv port 995 keep state
#########################################################
############ IMAP External ##############################
pass in proto tcp from any to $ext_addr port 143 keep state
pass out proto tcp from any to $ext_addr port 143 keep state
pass in proto tcp from any to $mx_srv port 143 keep state
pass out proto tcp from any to $mx_srv port 143 keep state
#########################################################
############ IMAPS External #############################
pass in proto tcp from any to $ext_addr port 993 keep state
pass out proto tcp from any to $ext_addr port 993 keep state
pass in proto tcp from any to $mx_srv port 993 keep state
pass out proto tcp from any to $mx_srv port 993 keep state
#########################################################
############### END OF MAIL SERVER ######################
#########################################################
############### USERS CONFIG ############################
#########################################################

#########################################################
################ BLOCK LIST #####################
#########################################################
#***************************** SYS PORTS **************************#
block in quick on $ext_if proto tcp from any to any port 3306
block in quick on $ext_if proto tcp from any to any port 10000

#
block in quick on $int_if proto tcp from 127.0.0.1 to any
block out quick on $ext_if proto tcp from any to any port 3128
block out quick on $ext_if proto tcp from any to 207.176.6.65
block out quick on $ext_if proto tcp from $ext_if to 207.176.6.149
block out quick on $ext_if proto tcp from $ext_if to 72.35.77.43
block out quick on $ext_if proto tcp from $ext_if to 228.53.64.170
block out quick on $ext_if proto tcp from $ext_if to 61.159.224.176

#########################################################
################ THE END Config #####################
#########################################################
[/code]

The old mail server sits on 192.168.1.1.
Point me at what I messed up in the config :(
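As an added example (not the poster's config and not a claim about what broke his), here is the mail-server part of the ruleset above rewritten under a default-deny policy instead of `pass all`, using the post's own macros ($ext_if, $int_if, $ext_addr, $mx_srv). It assumes the same old pf syntax with separate nat/rdr translation rules and adds the LAN-client reflection case, which the post does not cover.

```pf
# Added example, not the poster's config: the mail-server section of the
# ruleset above under a default-deny policy. Macros are the ones from the post.
ext_if="rl1"
int_if="rl0"
int_net="192.168.1.0/24"
ext_addr="222.222.222.222"
mx_srv="192.168.1.1"
mail_ports="{ 25, 465, 110, 995, 143, 993 }"

set block-policy drop
set skip on lo0
scrub in all fragment reassemble

# Translation (nat/rdr) is applied before filtering, so the filter rules
# below must match the rewritten addresses: destination $mx_srv for inbound
# mail, source $ext_addr for NATed traffic leaving $ext_if.
nat on $ext_if from $int_net to any -> $ext_addr
rdr on $ext_if proto tcp from any to $ext_addr port $mail_ports -> $mx_srv

# Reflection: LAN clients that use the public address also need the redirect
# on the internal interface, and their source must be NATed to the firewall,
# otherwise $mx_srv answers the client directly and the handshake fails.
rdr on $int_if proto tcp from $int_net to $ext_addr port $mail_ports -> $mx_srv
nat on $int_if proto tcp from $int_net to $mx_srv port $mail_ports -> $int_if

# Default deny, logged to pflog0 so dropped packets can be seen with tcpdump.
block log all

# Inbound mail: the packet arrives on $ext_if already rewritten to $mx_srv,
# then leaves on $int_if; the state created on the way in covers the replies.
pass in on $ext_if proto tcp from any to $mx_srv port $mail_ports keep state
pass out on $int_if proto tcp from any to $mx_srv port $mail_ports keep state

# LAN to anywhere (covers outbound mail from $mx_srv and the reflected case,
# whose second hop is the "pass out on $int_if" rule above).
pass in on $int_if from $int_net to any keep state
pass out on $ext_if from $ext_addr to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, compare the loaded translation and filter rules with `pfctl -sn` and `pfctl -sr`, and watch what the `block log` rule drops with `tcpdump -n -e -ttt -i pflog0`.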


skam
passing by
Posts: 8
Registered: 2008-11-18 7:45:41

Re: pf rdr

Unread post by skam » 2010-09-13 18:32:09

I've messed something up with the redirects.


skam
passing by
Posts: 8
Registered: 2008-11-18 7:45:41

Re: pf rdr

Unread post by skam » 2010-09-14 6:48:30

Guest wrote: draw a picture
With coloured pencils!?

skam
passing by
Posts: 8
Registered: 2008-11-18 7:45:41

Re: pf rdr

Unread post by skam » 2010-09-14 15:12:59

The topic can be closed, the problem is solved.