This tutorial describes how to build a FreeBSD router/firewall/gateway.
The following scenario will be implemented:
Using VLANs, three networks are created: LAN (the users' network), DMZ (the servers' network) and ADMIN (the administrator's network). The FreeBSD server must provide Internet access for all hosts in the three networks using NAT, hand out IP addresses to the PCs in the LAN, and do port forwarding for the servers in the DMZ.
The following firewall policies will apply:
– the FreeBSD server (referred to below as ROUTER) and the servers in the DMZ may only access certain IP addresses on the Internet (those used for system updates, DNS forwarders, various spam blacklists, etc.) or ports (http, https, whois, traceroute)
– the ROUTER will be reachable from the Internet on the ssh port
– the services provided by the servers in the DMZ must be reachable from anywhere on the Internet
– the hosts in the LAN may only access certain services on the Internet (ports 80, 443, 21, 20) and open passive ftp connections (using ftp-proxy)
Because the FreeBSD server is a "one-armed router", by default the hosts in the 3 VLANs will be able to communicate with each other. The firewall must additionally enforce the following:
– from the ADMIN network, any host in the LAN or any server in the DMZ can be reached
– access from VLAN 100 to the other VLANs is denied
– access from VLAN 200 to the other VLANs is denied
For the ROUTER to forward packets between interfaces, the following line is added to the system configuration file /etc/rc.conf:
gateway_enable="YES"
On FreeBSD, VLANs are created with the following commands:
ROUTER# ifconfig vlan100 create
ROUTER# ifconfig vlan100 172.30.4.1 netmask 255.255.254.0 vlan 100 vlandev em1
For the VLANs to persist across reboots, /etc/rc.conf will contain the following lines:
cloned_interfaces="vlan100 vlan200 vlan300"
ifconfig_em1="up"
ifconfig_vlan100="inet 172.30.4.1 netmask 255.255.254.0 vlan 100 vlandev em1"
ifconfig_vlan200="inet 172.30.24.25 netmask 255.255.255.248 vlan 200 vlandev em1"
ifconfig_vlan300="inet 172.20.20.253 netmask 255.255.255.252 vlan 300 vlandev em1"
To install the dhcp server on ROUTER, run the following commands:
ROUTER# cd /usr/ports
ROUTER# make fetchindex
/usr/ports/INDEX-8.bz2                        100% of 1469 kB  348 kBps
ROUTER# make search name=dhcp41-server
Port:   isc-dhcp41-server-4.1.e,2
Path:   /usr/ports/net/isc-dhcp41-server
Info:   The ISC Dynamic Host Configuration Protocol server
Maint:  douglas@douglasthrift.net
B-deps:
R-deps:
WWW:    http://www.isc.org/products/DHCP/
ROUTER# cd net/isc-dhcp41-server/
ROUTER# make install clean
The dhcpd.conf configuration file is edited as follows (only the LAN subnet is served; the DMZ and ADMIN hosts have static addresses):
ROUTER# cat /usr/local/etc/dhcpd.conf
ddns-update-style none;
authoritative;
log-facility local7;

subnet 172.30.4.0 netmask 255.255.254.0 {
  range 172.30.4.240 172.30.5.240;
  option domain-name-servers 94.52.207.65;
  option routers 172.30.4.1;
  option broadcast-address 172.30.5.255;
  default-lease-time 3600;
  max-lease-time 7200;
}
To start the dhcp server, run the command:
ROUTER# /usr/local/etc/rc.d/isc-dhcpd onestart
Starting dhcpd.
Internet Systems Consortium DHCP Server 4.1.2-P1
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Wrote 2 leases to leases file.
Listening on BPF/vlan100/00:00:27:ac:71:6b/172.30.4.0/23
Sending on   BPF/vlan100/00:00:27:ac:71:6b/172.30.4.0/23
Sending on   Socket/fallback/fallback-net
For the dhcp server to start automatically, /etc/rc.conf will contain the following two lines:
dhcpd_enable="YES"
dhcpd_ifaces="vlan100"
The firewall is built using PF, the OpenBSD Packet Filter. The following lines are added to /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
The file /etc/pf.conf contains the firewall rules that will be applied. Note that "block all" is the default and every later rule is "quick", so the first rule that matches a packet decides and rule order matters.
################ MACROS ################
### interfaces ###
ext_if="em0"
int_if1="vlan100"
int_if2="vlan200"
int_if3="vlan300"
### IP addresses ###
EXTERN_IP="94.52.207.65"
LAN="172.30.4.0/23"
DMZ="172.30.24.24/29"
ADMIN="172.20.20.254"
WEB_SERVER="172.30.24.26"
DNS_SERVER="172.30.24.27"
MAIL_SERVER="172.30.24.28"
ISP_DNS="8.8.8.8"
### services ###
tcp_services="{ 80, 443, 21, 20, 43 }"
udp_services="{ 53, 33433 >< 33626 }"
### tables ###
table <goodip> { 8.8.8.8, 8.8.8.4, 1.2.3.4 }
table <badip> persist file "/etc/badip"
table <ubuntu_update> { security.ubuntu.com, us.archive.ubuntu.com }
table <martians> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
                   169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
################ OPTIONS ################
set skip on lo0
set debug urgent
set require-order yes
set block-policy drop
################ NORMALIZATION ################
scrub on $ext_if all reassemble tcp fragment reassemble
################ TRANSLATION ################
### ftp-proxy ###
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if1 proto tcp from any to any port ftp -> 127.0.0.1 port 8021
### port forwarding for the DMZ servers ###
rdr pass on $ext_if proto tcp from any to $EXTERN_IP port 80 -> $WEB_SERVER port 80
rdr pass on $ext_if proto tcp from any to $EXTERN_IP port 53 -> $DNS_SERVER port 53
rdr pass on $ext_if proto udp from any to $EXTERN_IP port 53 -> $DNS_SERVER port 53
rdr pass on $ext_if proto tcp from any to $EXTERN_IP port 25 -> $MAIL_SERVER port 25
### NAT for the machines in the 3 networks ###
nat on $ext_if from $LAN -> $EXTERN_IP
nat on $ext_if from $DMZ -> $EXTERN_IP
nat on $ext_if from $ADMIN -> $EXTERN_IP
################ FILTERING ################
antispoof quick for { $ext_if $int_if1 $int_if2 $int_if3 }
block all
anchor "ftp-proxy/*"
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>
block drop in quick on $ext_if from <badip> to any
block drop out quick on $ext_if from any to <badip>
### ADMIN may reach LAN and DMZ; LAN and DMZ are isolated from the other VLANs ###
pass in quick on $int_if3 from $ADMIN to $DMZ
pass in quick on $int_if3 from $ADMIN to $LAN
block in quick on $int_if1 from $LAN to $DMZ
block in quick on $int_if1 from $LAN to $ADMIN
block in quick on $int_if2 from $DMZ to $LAN
block in quick on $int_if2 from $DMZ to $ADMIN
### ROUTER reachable from the Internet on ssh and for icmp ###
pass in quick on $ext_if proto tcp to $EXTERN_IP port ssh
pass in quick on $ext_if proto icmp to $EXTERN_IP
### traffic allowed to leave the router towards the DMZ and LAN ###
pass out quick on $int_if2 proto tcp from any to $WEB_SERVER port 80
pass out quick on $int_if2 proto udp from any to $DNS_SERVER port 53
pass out quick on $int_if2 proto tcp from any to $MAIL_SERVER port 25
pass out quick on $int_if2 from $ADMIN to $DMZ
pass out quick on $int_if1 from $ADMIN to $LAN
### what each VLAN may open towards the outside ###
pass in quick on $int_if1 proto tcp from $LAN to any port { 80, 443, 21, 20 } keep state
pass in quick on $int_if1 proto udp from $LAN to $EXTERN_IP port 53 keep state
pass in quick on $int_if1 proto icmp from $LAN to any keep state
pass in quick on $int_if2 proto udp from $DNS_SERVER to $ISP_DNS port 53 keep state
pass in quick on $int_if2 proto tcp from $DNS_SERVER to $ISP_DNS port 53 keep state
pass in quick on $int_if2 proto tcp from $DMZ to <ubuntu_update> port 80 keep state
pass in quick on $int_if3 from $ADMIN to any keep state
### what the router itself may send ###
pass out on em0 proto tcp to any port $tcp_services keep state
pass out on em0 proto udp to any port $udp_services
pass out on $int_if1 proto icmp from self to $LAN
pass out on $int_if2 proto icmp from self to $DMZ
pass out on $int_if2 proto icmp from self to $DNS_SERVER
pass out on $int_if3 proto icmp from self to $ADMIN
pass out on $ext_if from self to <goodip>
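As an added check that is not part of the original tutorial, the following Python model (a hypothetical helper, not a pf tool) replays pf's first-match "quick" semantics over a constructed subset of the VLAN-side filter rules above. It ignores state, NAT/rdr and the external interface; its only purpose is to confirm, before the file is loaded, that the stated policy matrix (ADMIN reaches everything, LAN and DMZ are mutually isolated, LAN gets only ports 80/443/21/20 out) really follows from the rule order.

```python
import ipaddress

# Networks taken from the pf.conf macros in this tutorial
LAN = ipaddress.ip_network("172.30.4.0/23")
DMZ = ipaddress.ip_network("172.30.24.24/29")
ADMIN = ipaddress.ip_network("172.20.20.254/32")
DNS_SERVER = ipaddress.ip_network("172.30.24.27/32")
EXTERN_IP = ipaddress.ip_network("94.52.207.65/32")
ISP_DNS = ipaddress.ip_network("8.8.8.8/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed model of the 'quick' rules on the three VLAN interfaces, in the
# order they appear in pf.conf: (action, in_if, src, dst, proto, dports).
# None means "not restricted"; proto/ports are only checked when a rule names them.
RULES = [
    ("pass",  "vlan300", ADMIN,      DMZ,       None,   None),
    ("pass",  "vlan300", ADMIN,      LAN,       None,   None),
    ("block", "vlan100", LAN,        DMZ,       None,   None),
    ("block", "vlan100", LAN,        ADMIN,     None,   None),
    ("block", "vlan200", DMZ,        LAN,       None,   None),
    ("block", "vlan200", DMZ,        ADMIN,     None,   None),
    ("pass",  "vlan100", LAN,        ANY,       "tcp",  {80, 443, 21, 20}),
    ("pass",  "vlan100", LAN,        EXTERN_IP, "udp",  {53}),
    ("pass",  "vlan100", LAN,        ANY,       "icmp", None),
    ("pass",  "vlan200", DNS_SERVER, ISP_DNS,   "udp",  {53}),
    ("pass",  "vlan200", DNS_SERVER, ISP_DNS,   "tcp",  {53}),
    ("pass",  "vlan300", ADMIN,      ANY,       None,   None),
]


def decide(in_if, src, dst, proto=None, dport=None):
    """Return 'pass' or 'block' for a packet entering the router on in_if.

    pf evaluates 'quick' rules first-match; a packet no rule claims falls
    through to the 'block all' default at the top of the filter section.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rif, rsrc, rdst, rproto, rports in RULES:
        if rif != in_if or src not in rsrc or dst not in rdst:
            continue
        if rproto is not None and rproto != proto:
            continue
        if rports is not None and dport not in rports:
            continue
        return action  # first matching 'quick' rule decides
    return "block"     # 'block all' default policy
```

Run pfctl -nf /etc/pf.conf for the real syntax check; this model only reasons about rule ordering.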