Router FreeBSD 8.2 (pf, vlan, dhcp, nat, ftp-proxy) — Ionel Mocanu

This tutorial describes how to build a FreeBSD router/firewall/gateway.

The following scenario will be implemented:

Three networks are built with VLANs: LAN – the users' network, DMZ – the servers' network, and ADMIN – the administrator's network. The FreeBSD server must provide Internet access for all hosts in the three networks via NAT, hand out IP addresses to the PCs in the LAN, and port-forward to the servers in the DMZ.
The following firewall policies apply:
– the FreeBSD server (called ROUTER from here on) and the DMZ servers may reach only certain IP addresses on the Internet (those used for system updates, DNS forwarders, various spam blacklists, etc.) or ports (http, https, whois, traceroute)
– the ROUTER may be reached from the Internet on the ssh port
– the services provided by the DMZ servers must be reachable from anywhere on the Internet
– the LAN hosts may reach only certain Internet services (ports 80, 443, 21, 20) and open passive ftp connections (through ftp-proxy)
Because the FreeBSD server is a "one-armed router", by default the hosts in the 3 VLANs can talk to each other. The firewall must also enforce the following:
– the ADMIN network may reach any host in the LAN and any server in the DMZ
– access from VLAN 100 to the other VLANs is forbidden
– access from VLAN 200 to the other VLANs is forbidden

For the ROUTER to forward packets between interfaces, add this line to the system configuration file /etc/rc.conf:

gateway_enable="YES"

On FreeBSD, VLAN interfaces are created with the commands:

ROUTER# ifconfig vlan100 create
ROUTER# ifconfig vlan100 172.30.4.1 netmask 255.255.254.0 vlan 100 vlandev em1

For the VLANs to persist across reboots, /etc/rc.conf will contain the following lines:

cloned_interfaces="vlan100 vlan200 vlan300"
ifconfig_em1="up"
ifconfig_vlan100="inet 172.30.4.1 netmask 255.255.254.0 vlan 100 vlandev em1"
ifconfig_vlan200="inet 172.30.24.25 netmask 255.255.255.248 vlan 200 vlandev em1"
ifconfig_vlan300="inet 172.20.20.253 netmask 255.255.255.252 vlan 300 vlandev em1"

To install the DHCP server on the ROUTER, run the following commands:

ROUTER# cd /usr/ports
ROUTER# make fetchindex
/usr/ports/INDEX-8.bz2                        100% of 1469 kB  348 kBps
ROUTER# make search name=dhcp41-server
Port:   isc-dhcp41-server-4.1.e,2
Path:   /usr/ports/net/isc-dhcp41-server
Info:   The ISC Dynamic Host Configuration Protocol server
Maint:  douglas@douglasthrift.net
B-deps:
R-deps:
WWW:    http://www.isc.org/products/DHCP/
ROUTER# cd net/isc-dhcp41-server/
ROUTER# make install clean

Edit the dhcpd.conf configuration file as follows (the subnet block must be closed with a brace, otherwise dhcpd refuses the file):

ROUTER# cat /usr/local/etc/dhcpd.conf
ddns-update-style none;
authoritative;
log-facility local7;
# LAN (vlan100): leases come from the top of the /23; clients are pointed at
# the router's external address for DNS and at the router as default gateway
subnet 172.30.4.0 netmask 255.255.254.0 {
  range 172.30.4.240 172.30.5.240;
  option domain-name-servers 94.52.207.65;
  option routers 172.30.4.1;
  option broadcast-address 172.30.5.255;
  default-lease-time 3600;
  max-lease-time 7200;
}

To start the DHCP server, run:

ROUTER# /usr/local/etc/rc.d/isc-dhcpd onestart
Starting dhcpd.
Internet Systems Consortium DHCP Server 4.1.2-P1
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Wrote 2 leases to leases file.
Listening on BPF/vlan100/00:00:27:ac:71:6b/172.30.4.0/23
Sending on   BPF/vlan100/00:00:27:ac:71:6b/172.30.4.0/23
Sending on   Socket/fallback/fallback-net

For the DHCP server to start automatically, /etc/rc.conf will contain the following two lines (dhcpd_ifaces restricts it to the LAN VLAN, so no leases are handed out on the DMZ or ADMIN VLANs):

dhcpd_enable="YES"
dhcpd_ifaces="vlan100"

The firewall is built with PF, the OpenBSD Packet Filter. Add the following lines to /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

The file /etc/pf.conf contains the firewall rules that will be applied.

################ MACROS ################

### interfaces ###

ext_if="em0"
int_if1="vlan100"
int_if2="vlan200"
int_if3="vlan300"

### IP addresses ###

EXTERN_IP="94.52.207.65"
LAN="172.30.4.0/23"
DMZ="172.30.24.24/29"
ADMIN="172.20.20.254"
WEB_SERVER="172.30.24.26"
DNS_SERVER="172.30.24.27"
MAIL_SERVER="172.30.24.28"
ISP_DNS="8.8.8.8"

### services ###

tcp_services="{ 80, 443, 21, 20, 43 }"
udp_services="{ 53, 33433 >< 33626 }"

### tables ###

table <goodip> { 8.8.8.8, 8.8.8.4, 1.2.3.4 }
table <badip> persist file "/etc/badip"
table <ubuntu_update> { security.ubuntu.com, us.archive.ubuntu.com }
table <martians> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
                   169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }

################ OPTIONS ################

set skip on lo0
set debug urgent
set require-order yes
set block-policy drop

################ NORMALIZATION ################

scrub on $ext_if all reassemble tcp fragment reassemble

################ TRANSLATION ################

### ftp-proxy ###
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if1 proto tcp from any to any port ftp -> 127.0.0.1 port 8021

### port forwarding for the DMZ servers ###
rdr pass on $ext_if proto tcp from any to $EXTERN_IP port 80 -> $WEB_SERVER port 80
rdr pass on $ext_if proto tcp from any to $EXTERN_IP port 53 -> $DNS_SERVER port 53
# LAN clients receive $EXTERN_IP as their DNS server from dhcpd; this redirects
# their queries to the DMZ DNS server. (The original line used the undefined
# macro $int_if; $int_if1 is assumed here.)
rdr pass on $int_if1 proto udp from any to $EXTERN_IP port 53 -> $DNS_SERVER port 53
rdr pass on $ext_if proto tcp from any to $EXTERN_IP port 25 -> $MAIL_SERVER port 25

### NAT for the machines in the 3 networks ###
nat on $ext_if from $LAN -> $EXTERN_IP
nat on $ext_if from $DMZ -> $EXTERN_IP
nat on $ext_if from $ADMIN -> $EXTERN_IP

################ FILTERING ################

antispoof quick for { $ext_if $int_if1 $int_if2 $int_if3 }

# default deny; everything below is an explicit exception
block all

anchor "ftp-proxy/*"

block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>

block drop in quick on $ext_if from <badip> to any
block drop out quick on $ext_if from any to <badip>

# ADMIN may reach LAN and DMZ; LAN and DMZ may not reach the other VLANs
pass in quick on $int_if3 from $ADMIN to $DMZ
pass in quick on $int_if3 from $ADMIN to $LAN

block in quick on $int_if1 from $LAN to $DMZ
block in quick on $int_if1 from $LAN to $ADMIN

block in quick on $int_if2 from $DMZ to $LAN
block in quick on $int_if2 from $DMZ to $ADMIN

pass in quick on $ext_if proto tcp to $EXTERN_IP port ssh
pass in quick on $ext_if proto icmp to $EXTERN_IP

# traffic redirected above is allowed out towards the DMZ servers
pass out quick on $int_if2 proto tcp from any to $WEB_SERVER port 80
pass out quick on $int_if2 proto udp from any to $DNS_SERVER port 53
pass out quick on $int_if2 proto tcp from any to $MAIL_SERVER port 25

pass out quick on $int_if2 from $ADMIN to $DMZ
pass out quick on $int_if1 from $ADMIN to $LAN

pass in quick on $int_if1 proto tcp from $LAN to any port { 80, 443, 21, 20 } keep state
pass in quick on $int_if1 proto udp from $LAN to $EXTERN_IP port 53 keep state
pass in quick on $int_if1 proto icmp from $LAN to any keep state

# the DMZ DNS server forwards to $ISP_DNS only (macro, not the quoted string "ISP_DNS")
pass in quick on $int_if2 proto udp from $DNS_SERVER to $ISP_DNS port 53 keep state
pass in quick on $int_if2 proto tcp from $DNS_SERVER to $ISP_DNS port 53 keep state
pass in quick on $int_if2 proto tcp from $DMZ to <ubuntu_update> port 80 keep state

pass in quick on $int_if3 from $ADMIN to any keep state

pass out on $ext_if proto tcp to any port $tcp_services keep state
pass out on $ext_if proto udp to any port $udp_services

pass out on $int_if1 proto icmp from self to $LAN
pass out on $int_if2 proto icmp from self to $DMZ
pass out on $int_if2 proto icmp from self to $DNS_SERVER
pass out on $int_if3 proto icmp from self to $ADMIN

# the router itself may only talk to the addresses in <goodip>
pass out on $ext_if from self to <goodip>
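Before loading a ruleset like the one above, it pays to check that every $macro and <table> a rule refers to is actually defined, because pfctl refuses the whole file on a single undefined macro, and a macro that is defined but never referenced usually means a rule spelled the name wrong (quoting "ISP_DNS" instead of writing $ISP_DNS, which pf then treats as a hostname). The POSIX sh script below is an added example written for this page, not code from the original post or from FreeBSD/pf; the small ruleset it writes is constructed for the check and contains one of each mistake, and `pfctl -nf` remains the authoritative parser and is run at the end when it is present.

```sh
#!/bin/sh
# pf_preflight.sh -- added example: text-level consistency check for a pf.conf.

# Macro names defined as   name="value"   or   name = "value"
pf_defined_macros() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" | sort -u
}

# Macro names referenced as $name (comments are stripped first)
pf_used_macros() {
    sed 's/#.*//' "$1" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u
}

# Table names defined with   table <name> ...
pf_defined_tables() {
    sed -n 's/^[[:space:]]*table[[:space:]]*<\([A-Za-z0-9_]*\)>.*/\1/p' "$1" | sort -u
}

# Table names referenced as <name> in rules (the definition lines are excluded)
pf_used_tables() {
    sed 's/#.*//' "$1" | grep -v '^[[:space:]]*table' \
        | grep -o '<[A-Za-z0-9_][A-Za-z0-9_]*>' | tr -d '<>' | sort -u
}

# Print each name of list $1 that does not occur in list $2 (one per line)
_pf_names_missing() {
    for n in $1; do
        printf '%s\n' "$2" | grep -qxF "$n" || printf '%s\n' "$n"
    done
}

pf_undefined_macros() { _pf_names_missing "$(pf_used_macros "$1")"    "$(pf_defined_macros "$1")"; }
pf_unused_macros()    { _pf_names_missing "$(pf_defined_macros "$1")" "$(pf_used_macros "$1")"; }
pf_undefined_tables() { _pf_names_missing "$(pf_used_tables "$1")"    "$(pf_defined_tables "$1")"; }

# Report all three checks; return 1 if anything needs fixing before pfctl -f.
pf_preflight() {
    f=$1; rc=0
    for n in $(pf_undefined_macros "$f"); do echo "undefined macro: \$$n"; rc=1; done
    for n in $(pf_undefined_tables "$f"); do echo "undefined table: <$n>"; rc=1; done
    for n in $(pf_unused_macros "$f");    do echo "macro defined but never used (typo in a rule?): $n"; rc=1; done
    # pfctl knows the real grammar: dry-run parse when it is available on this host
    if command -v pfctl >/dev/null 2>&1; then pfctl -nf "$f" || rc=1; fi
    return $rc
}

# Constructed sample (not the full ruleset) with one of each mistake
pf_write_sample() {
    cat > "$1" <<'EOF'
ext_if="em0"
int_if1="vlan100"
ISP_DNS = "8.8.8.8"
table <goodip> { 8.8.8.8 }
# $int_if was never defined (only $int_if1 is)
rdr pass on $int_if proto udp from any to any port 53 -> 172.30.24.27 port 53
# "ISP_DNS" in quotes is a hostname to pf, not the macro $ISP_DNS
pass in quick on $int_if1 proto udp from 172.30.24.27 to "ISP_DNS" port 53
# <gooddip> is a typo for <goodip>
pass out on $ext_if from self to <gooddip>
EOF
}

PF_SAMPLE=$(mktemp)
pf_write_sample "$PF_SAMPLE"
pf_preflight "$PF_SAMPLE" || echo "preflight: problems found (expected for the constructed sample)"
```

Run it as `sh pf_preflight.sh` to see the report for the sample, or call `pf_preflight /etc/pf.conf` on the router. The deployment sequence there is `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -f /etc/pf.conf` to load, and `pfctl -sr` and `pfctl -t badip -T show` to confirm which rules and table entries are active. Two things the ruleset depends on that the configuration above does not show: the redirect to 127.0.0.1 port 8021 only works if ftp-proxy is running (ftpproxy_enable="YES" in /etc/rc.conf on FreeBSD 8.x), and `block all` does not log, so adding `log` to it and, with pflog_enable="YES", watching `tcpdump -n -e -ttt -i pflog0` is how to see what the default deny is dropping.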
