Routing and QoS

Interfaces are put into a few handy groups (internal and public; egress is added automatically) via their hostname.if(5) files.

The wanted behaviour is:

  • Nothing unsolicited gets in on egress (a group automatically added to interfaces carrying a default route), apart from ssh connections;
  • Traffic coming from internal is trusted;
  • Traffic on public can only reach a few common services on the internet (via egress) and is completely blocked from reaching internal.

Common services:

  • ssh
  • http(s)
  • pop(s)
  • imap(s)
  • submission
  • xmpp-client

PF rules

#	$OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

set skip on lo

set loginterface public

XMPP_CLIENT=5222
OPEN_PUBLIC_TCP="{" ssh http pop3 imap https submission imaps pop3s $XMPP_CLIENT "}"
DNS=192.168.1.1

# NAT/filter rules and anchors for ftp-proxy(8)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out proto tcp from 127.0.0.1 to any port ftp

# NAT/filter rules and anchors for relayd(8)
#rdr-anchor "relayd/*"
#anchor "relayd/*"

# NAT rules and anchors for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#no rdr on egress proto tcp from <nospamd> to any port smtp
#no rdr on egress proto tcp from <spamd-white> to any port smtp
#rdr pass on egress proto tcp from any to any port smtp -> 127.0.0.1 port spamd

# No NAT when behind the DG834
#nat on egress inet from (internal:network) to any -> (egress)
#nat on egress inet from (public:network) to any -> (egress)

pass		# to establish keep-state

antispoof for internal

block in on { egress public }
pass in quick on internal
pass in quick proto { icmp ipv6-icmp }

block in quick on public to (internal:network)
# With the DG834, egress is *also* on an internal network
# but DNS should be allowed
pass in quick on public proto { tcp udp } from (public:network) to $DNS port domain
block in quick on public to (egress:network)
pass in quick on egress from (egress:network)
# Done.
block in quick on egress proto tcp to (public) port ssh
pass in quick proto tcp to { (egress) (internal:network) } port ssh
pass in quick proto { tcp udp } to (all:0) port domain

#pass in quick on { internal public } proto { tcp udp } from port bootpc to port bootps
pass in quick on public proto { tcp udp } from port bootpc to port bootps
#pass in quick on public proto tcp to !(internal:network) port $OPEN_PUBLIC_TCP
pass in quick on public proto tcp to port $OPEN_PUBLIC_TCP

#block in quick from urpf-failed to any	# use with care

# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010

The bare pass rule creates state for connections the router itself initiates (and for anything else not explicitly blocked later); because PF applies the last matching rule, the subsequent block in on { egress public } still wins for unsolicited inbound traffic on those groups, while the state created by pass lets the replies back in. The quick rules are evaluated in order, which has two consequences worth knowing: pass in quick proto { icmp ipv6-icmp } precedes block in quick on public to (internal:network), so ICMP from public does reach internal, and pass in quick ... to (all:0) port domain also accepts DNS queries arriving on egress, so egress admits slightly more than ssh alone.
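As an added example (not code from the page), the following Python script models PF's evaluation order, in which the last matching rule decides unless a matching rule carries quick, and replays the inbound part of the ruleset above against a handful of constructed packets. The interface names, addresses and networks are assumptions made for the example (the page names only the groups and DNS=192.168.1.1), and (all:0) is modelled as the first address of every interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed topology for this example (the page names only the groups and DNS=192.168.1.1).
GROUPS = {"egress": {"sis0"}, "internal": {"bridge0"}, "public": {"rtw0"},
          "all": {"sis0", "bridge0", "rtw0"}}
IFACE_ADDR = {"sis0": "192.168.1.10", "bridge0": "10.0.0.1", "rtw0": "10.0.1.1"}
IFACE_NET = {"sis0": "192.168.1.0/24", "bridge0": "10.0.0.0/24", "rtw0": "10.0.1.0/24"}
DNS = "192.168.1.1"
OPEN_PUBLIC_TCP = {22, 80, 110, 143, 443, 587, 993, 995, 5222}  # $OPEN_PUBLIC_TCP

def net(spec):
    """Expand pf.conf address shorthand: 'grp:network', '(grp)' / 'grp:0' (the
    interfaces' own address), or a literal host/network, into ip_network objects."""
    if spec.endswith(":network"):
        return [ipaddress.ip_network(IFACE_NET[i]) for i in GROUPS[spec[:-8]]]
    if spec.startswith("(") or spec.endswith(":0"):
        group = spec.strip("()").split(":")[0]
        return [ipaddress.ip_network(IFACE_ADDR[i]) for i in GROUPS[group]]
    return [ipaddress.ip_network(spec)]

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both
    quick: bool = False
    on: Optional[set] = None         # interface names; None = any interface
    proto: Optional[set] = None
    src: Optional[list] = None       # ip_network list; None = any
    dst: Optional[list] = None
    sport: Optional[set] = None
    dport: Optional[set] = None

@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def matches(r, p):
    sa, da = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    return (r.direction in (None, p.direction)
            and (r.on is None or p.iface in r.on)
            and (r.proto is None or p.proto in r.proto)
            and (r.src is None or any(sa in n for n in r.src))
            and (r.dst is None or any(da in n for n in r.dst))
            and (r.sport is None or p.sport in r.sport)
            and (r.dport is None or p.dport in r.dport))

def evaluate(rules, p):
    """PF semantics: rules are examined in order and the LAST match decides,
    unless a matching rule is 'quick', which ends evaluation on the spot."""
    decision = "pass"  # PF's implicit default when no rule matches at all
    for r in rules:
        if matches(r, p):
            decision = r.action
            if r.quick:
                break
    return decision

# The inbound rules of the page's ruleset, in their original order.
RULES = [
    Rule("pass"),                                                 # pass
    Rule("block", "in", on=GROUPS["egress"] | GROUPS["public"]),  # block in on { egress public }
    Rule("pass", "in", True, on=GROUPS["internal"]),              # pass in quick on internal
    Rule("pass", "in", True, proto={"icmp"}),                     # pass in quick proto { icmp ipv6-icmp }
    Rule("block", "in", True, on=GROUPS["public"], dst=net("internal:network")),
    Rule("pass", "in", True, on=GROUPS["public"], proto={"tcp", "udp"},
         src=net("public:network"), dst=net(DNS), dport={53}),
    Rule("block", "in", True, on=GROUPS["public"], dst=net("egress:network")),
    Rule("pass", "in", True, on=GROUPS["egress"], src=net("egress:network")),
    Rule("block", "in", True, on=GROUPS["egress"], proto={"tcp"}, dst=net("(public)"), dport={22}),
    Rule("pass", "in", True, proto={"tcp"}, dst=net("(egress)") + net("internal:network"), dport={22}),
    Rule("pass", "in", True, proto={"tcp", "udp"}, dst=net("all:0"), dport={53}),
    Rule("pass", "in", True, on=GROUPS["public"], proto={"tcp", "udp"}, sport={68}, dport={67}),
    Rule("pass", "in", True, on=GROUPS["public"], proto={"tcp"}, dport=OPEN_PUBLIC_TCP),
]

def check_ruleset(rules=RULES):
    """Replay constructed probe packets; returns {description: decision}."""
    probes = {
        "internet->router(egress) ssh":  Packet("sis0", "in", "tcp", "203.0.113.5", "192.168.1.10", 40000, 22),
        "internet->router(egress) http": Packet("sis0", "in", "tcp", "203.0.113.5", "192.168.1.10", 40000, 80),
        "public->internal icmp":         Packet("rtw0", "in", "icmp", "10.0.1.50", "10.0.0.20"),
        "public->internal http":         Packet("rtw0", "in", "tcp", "10.0.1.50", "10.0.0.20", 40000, 80),
        "public->internet https":        Packet("rtw0", "in", "tcp", "10.0.1.50", "198.51.100.7", 40000, 443),
        "public->internet smtp":         Packet("rtw0", "in", "tcp", "10.0.1.50", "198.51.100.7", 40000, 25),
        "public->DNS udp":               Packet("rtw0", "in", "udp", "10.0.1.50", "192.168.1.1", 40000, 53),
        "public->router(public) ssh":    Packet("rtw0", "in", "tcp", "10.0.1.50", "10.0.1.1", 40000, 22),
    }
    return {name: evaluate(rules, p) for name, p in probes.items()}

if __name__ == "__main__":
    for name, decision in check_ruleset().items():
        print(f"{name:32} {decision}")
```

The last probe is worth a look: the final pass in quick on public ... port $OPEN_PUBLIC_TCP rule carries no destination, so a public client can also reach port 22 on the router's own public-side address. On the real system, pfctl -nf /etc/pf.conf checks the syntax and pfctl -vvsr lists the loaded rules with their evaluation numbers and counters.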

While we're at it, the FTP proxy is enabled too (the ftp-proxy(8) anchors and rdr rule above). It also has to be started at boot, which needs the following line in /etc/rc.conf.local:

ftpproxy_flags=

QoS with AltQ

Several queues are created to sort and shape the traffic, heavily based on this document. A priority-queue (priq) scheduler is used on the egress interface, while CBQ is used on the internal interface and, tentatively, on the public one.

The queues are defined at the beginning of pf.conf, and traffic is assigned to them by the rules at the end. Unfortunately AltQ doesn't support interface groups, so the physical interface names have to be spelled out (hence the EGRESS, INTERNAL and PUBLIC macros below).

#UPLINK_BANDWIDTH=8Mb
UPLINK_BANDWIDTH=90Mb
# Max of wired and wireless
INTERNAL_BANDWIDTH=90Mb
PUBLIC_LIMIT=100Kb

EGRESS=sis0
INTERNAL=bridge0
PUBLIC=rtw0

altq on $EGRESS priq bandwidth $UPLINK_BANDWIDTH queue {std_out, interactive_out, dns_out, tcp_ack_out}

queue std_out priq(default)
queue interactive_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

altq on $INTERNAL cbq bandwidth $INTERNAL_BANDWIDTH queue {std_in, interactive_in, dns_in}

queue std_in bandwidth 99% cbq(default)
queue interactive_in bandwidth 200Kb priority 4
queue dns_in bandwidth 200Kb priority 5

altq on $PUBLIC cbq bandwidth $PUBLIC_LIMIT queue {public_limit}
queue public_limit  bandwidth 99% cbq(default)

...

pass out on egress proto tcp to any flags S/SA keep state queue(std_out, tcp_ack_out)
pass out on egress proto { tcp udp } to any port domain keep state queue dns_out
pass out on egress proto tcp to any port ssh flags S/SA keep state queue(std_out, interactive_out)
pass out on egress proto tcp to any port $XMPP_CLIENT flags S/SA keep state queue(interactive_out, tcp_ack_out)

pass out on internal proto { tcp udp } from any port domain queue dns_in
pass out on internal proto { tcp udp } from any port ssh queue(std_in, interactive_in)
pass out on internal proto tcp from any port $XMPP_CLIENT queue interactive_in
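As an added example (not the page's code), this Python script models how the pass out on egress rules above assign packets to the priq queues: those rules are not quick, so the last match wins and the specific dns/ssh/xmpp rules override the generic TCP rule; and the two-queue form queue(a, b) sends packets with TOS lowdelay and TCP ACKs carrying no payload to the second queue. It then orders a batch of queued packets the way priq drains a saturated link (strict priority, highest number first). The sample packets are constructed, and the priorities are taken from the queue definitions above (priq's default priority is 1).

```python
from dataclasses import dataclass

XMPP_CLIENT = 5222

# The 'pass out on egress' rules of the page, reduced to (protocols, destination
# ports, queue tuple). None of them is 'quick', so the LAST matching rule wins:
# the generic TCP rule is overridden by the more specific dns/ssh/xmpp rules.
EGRESS_OUT_RULES = [
    ({"tcp"},        None,          ("std_out", "tcp_ack_out")),
    ({"tcp", "udp"}, {53},          ("dns_out",)),
    ({"tcp"},        {22},          ("std_out", "interactive_out")),
    ({"tcp"},        {XMPP_CLIENT}, ("interactive_out", "tcp_ack_out")),
]
# priq priorities from the queue definitions; priq's default priority is 1.
PRIQ_PRIORITY = {"std_out": 1, "interactive_out": 4, "dns_out": 5, "tcp_ack_out": 6}
DEFAULT_QUEUE = "std_out"  # priq(default): traffic no rule queued ends up here

@dataclass
class OutPacket:
    proto: str
    dport: int
    payload_len: int = 0        # TCP payload bytes (0 for a pure ACK)
    ack: bool = False           # TCP ACK flag set
    tos_lowdelay: bool = False  # IP TOS lowdelay bit (classic OpenSSH default for interactive sessions)

def assign_queue(pkt, rules=EGRESS_OUT_RULES):
    """Pick the AltQ queue a packet is enqueued on, following pf.conf(5):
    with 'queue(a, b)' the second queue takes packets with TOS lowdelay and
    TCP ACKs carrying no payload; everything else goes to the first."""
    chosen = None
    for protos, dports, queues in rules:
        if pkt.proto in protos and (dports is None or pkt.dport in dports):
            chosen = queues  # keep going: a later matching rule overrides
    if chosen is None:
        return DEFAULT_QUEUE
    pure_ack = pkt.proto == "tcp" and pkt.ack and pkt.payload_len == 0
    if len(chosen) == 2 and (pkt.tos_lowdelay or pure_ack):
        return chosen[1]
    return chosen[0]

def priq_dequeue_order(queued):
    """Order in which a saturated priq link sends queued (name, queue) pairs:
    strictly by queue priority, highest first, FIFO within one queue."""
    return [name for name, q in sorted(queued, key=lambda nq: -PRIQ_PRIORITY[nq[1]])]

def classify_samples():
    """Constructed sample packets leaving on egress; returns {description: queue}."""
    samples = {
        "https request data":       OutPacket("tcp", 443, payload_len=1400, ack=True),
        "https pure ack":           OutPacket("tcp", 443, ack=True),
        "ssh keystroke (lowdelay)": OutPacket("tcp", 22, payload_len=48, ack=True, tos_lowdelay=True),
        "scp bulk (no lowdelay)":   OutPacket("tcp", 22, payload_len=1448, ack=True),
        "dns query":                OutPacket("udp", 53, payload_len=40),
        "xmpp message":             OutPacket("tcp", XMPP_CLIENT, payload_len=200, ack=True),
        "xmpp pure ack":            OutPacket("tcp", XMPP_CLIENT, ack=True),
        "ntp (no queue rule)":      OutPacket("udp", 123, payload_len=48),
    }
    return {name: assign_queue(p) for name, p in samples.items()}

if __name__ == "__main__":
    queues = classify_samples()
    for name, q in queues.items():
        print(f"{name:26} -> {q}")
    print(priq_dequeue_order(list(queues.items())))
```

Note that bulk ssh transfers land in std_out and only lowdelay ssh packets reach interactive_out, which is what the queue(std_out, interactive_out) pairing on the ssh rule intends. On the router, pfctl -vsq shows per-queue packet and byte counters, which is the quickest way to confirm traffic is landing where expected.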
projets/mudrublic/forwarding.txt · Last modified: 2013-11-15 05:06 (external edit)