_markus
Hello and good evening.
For a project I want to build a firewall.
For this I am using 3 thin clients which, connected in series, are to take on the functions:
[Packet filter]---[Application gateway]---[Packet filter]
A so-called screened subnet, as described here:
Graphic from: kes.info/lexikon/lexdata/firewall.htm
http://i51.tinypic.com/nz2b7p.png
As a first step I have now set up one of the thin clients under OpenBSD.
I have placed it between the LAN and the modem.
Topology:
[LAN]---[Packet filter]---[Modem]
IP addresses:
LAN Green (rl0) Red (vr0) (Modem)
[141.18.253.(1-19)]---[141.18.253.254/192.168.0.254]---[192.168.0.1]
Configuration:
LAN: [Gateway:141.18.253.254,DNS:141.18.253.254]
Packet filter: [Gateway:192.168.0.1,DNS:192.168.0.1]
From the LAN I can now ping the green/red interface of the filter,
but not beyond it.
Before I start on the filtering function, I want to be able to route from the LAN to the
modem in general; for that I have disabled "PF".
My OpenBSD configuration is the following:
Code:
/etc/hostname.vr0
inet 141.18.253.69 255.255.255.0 NONE
Code:
/etc/hostname.rl0
inet 192.168.0.254 255.255.0.0 NONE
Code:
/etc/inetd.conf
# $OpenBSD: inetd.conf,v 1.59 2005/11/16 09:20:22 camield Exp $
#
# Internet server configuration database
#
# define *both* IPv4 and IPv6 entries for dual-stack support.
#
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -US
#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -US
#shell stream tcp nowait root /usr/libexec/rshd rshd -L
#shell stream tcp6 nowait root /usr/libexec/rshd rshd -L
#uucpd stream tcp nowait root /usr/libexec/uucpd uucpd
#uucpd stream tcp6 nowait root /usr/libexec/uucpd uucpd
#finger stream tcp nowait _fingerd /usr/libexec/fingerd fingerd -lsm
#finger stream tcp6 nowait _fingerd /usr/libexec/fingerd fingerd -lsm
ident stream tcp nowait _identd /usr/libexec/identd identd -el
ident stream tcp6 nowait _identd /usr/libexec/identd identd -el
#tftp dgram udp wait root /usr/libexec/tftpd tftpd -s /tftpboot
#tftp dgram udp6 wait root /usr/libexec/tftpd tftpd -s /tftpboot
127.0.0.1:comsat dgram udp wait root /usr/libexec/comsat comsat
[::1]:comsat dgram udp6 wait root /usr/libexec/comsat comsat
#ntalk dgram udp wait root /usr/libexec/ntalkd ntalkd
#pop3 stream tcp nowait root /usr/sbin/popa3d popa3d
#pop3 stream tcp6 nowait root /usr/sbin/popa3d popa3d
# Internal services
#echo stream tcp nowait root internal
#echo stream tcp6 nowait root internal
#discard stream tcp nowait root internal
#discard stream tcp6 nowait root internal
#chargen stream tcp nowait root internal
#chargen stream tcp6 nowait root internal
daytime stream tcp nowait root internal
daytime stream tcp6 nowait root internal
time stream tcp nowait root internal
time stream tcp6 nowait root internal
#echo dgram udp wait root internal
#echo dgram udp6 wait root internal
#discard dgram udp wait root internal
#discard dgram udp6 wait root internal
#chargen dgram udp wait root internal
#chargen dgram udp6 wait root internal
#daytime dgram udp wait root internal
#daytime dgram udp6 wait root internal
#time dgram udp wait root internal
#time dgram udp6 wait root internal
# RPC based services
#rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd
#rusersd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rusersd rpc.rusersd
#walld/1 dgram rpc/udp wait root /usr/libexec/rpc.rwalld rpc.rwalld
#sprayd/1 dgram rpc/udp wait root /usr/libexec/rpc.sprayd rpc.sprayd
#rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad
Code:
/etc/rc.conf
#!/bin/sh -
#
# $OpenBSD: rc.conf,v 1.141 2011/02/12 11:21:01 ajacoutot Exp $
# set these to "NO" to turn them off. otherwise, they're used as flags
ldpd_flags=NO # for normal use: ""
ripd_flags=NO # for normal use: ""
mrouted_flags=NO # for normal use: "", if activated
# be sure to enable multicast_router below.
dvmrpd_flags=NO # for normal use: ""
ospfd_flags=NO # for normal use: ""
ospf6d_flags=NO # for normal use: ""
bgpd_flags=NO # for normal use: ""
rarpd_flags=NO # for normal use: "-a"
bootparamd_flags=NO # for normal use: ""
rbootd_flags=NO # for normal use: ""
sshd_flags="" # for normal use: ""
named_flags=NO # for normal use: ""
nsd_flags=NO # for normal use: ""
rdate_flags=NO # for normal use: [RFC868-host] or [-n RFC2030-host]
timed_flags=NO # for normal use: ""
ldattach_flags=NO # for normal use: "[options] linedisc cua-device"
ntpd_flags=NO # for normal use: ""
isakmpd_flags=NO # for normal use: ""
iked_flags=NO # for normal use: ""
sasyncd_flags=NO # for normal use: ""
mopd_flags=NO # for normal use: "-a"
apmd_flags=NO # for normal use: ""
dhcpd_flags=NO # for normal use: ""
dhcrelay_flags=NO # for normal use: "-i interface [server]"
rtadvd_flags=NO # for normal use: list of interfaces
# be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO # for normal use: ""
# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO # for normal use: interface
# be sure to set net.inet6.ip6.forwarding=0
# be sure to set net.inet6.ip6.accept_rtadv=1
lpd_flags=NO # for normal use: "" (or "-l" for debugging)
sensorsd_flags=NO # for normal use: ""
hotplugd_flags=NO # for normal use: ""
watchdogd_flags=NO # for normal use: ""
ftpproxy_flags=NO # for normal use: ""
hostapd_flags=NO # for normal use: ""
ifstated_flags=NO # for normal use: ""
relayd_flags=NO # for normal use: ""
snmpd_flags=NO # for normal use: ""
smtpd_flags=NO # for normal use: ""
aucat_flags=NO # for normal use: ""
ldapd_flags=NO # for normal use: ""
# use -u to disable chroot, see httpd(8)
httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))
# For normal use: "-L sm-mta -bd -q30m", and note there is a cron job
sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
spamd_flags=NO # for normal use: "" and see spamd(8)
spamd_black=NO # set to YES to run spamd without greylisting
spamlogd_flags="" # use eg. "-i interface" and see spamlogd(8)
# Set to NO if ftpd is running out of inetd
ftpd_flags=NO # for non-inetd use: "-D"
# Set to NO if identd is running out of inetd
identd_flags=NO # for non-inetd use: "-b -elo"
# On some architectures, you must also disable console getty in /etc/ttys
xdm_flags=NO # for normal use: ""
# For enabling console mouse support (i386 alpha amd64)
wsmoused_flags=NO # for ps/2 or usb mice: "", serial: "-p /dev/cua00"
# set the following to "YES" to turn them on
rwhod=NO
nfs_server=NO # see sysctl.conf for nfs client configuration
lockd=NO
amd=NO
pf=NO # Packet filter / NAT
pf_rules="/etc/pf.conf"
pflog_enable=NO
pflog_logfile="/var/log/pflog"
ipsec=NO # IPsec
bt=NO # Bluetooth
portmap=NO # Note: inetd(8) rpc services need portmap too
inetd=YES # almost always needed
check_quotas=YES # NO may be desirable in some YP environments
accounting=NO # process accounting (using /var/account/acct)
krb5_master_kdc=NO # KerberosV master KDC. Run 'info heimdal' for help.
krb5_slave_kdc=NO # KerberosV slave KDC.
afs=NO # mount and run afs
# Multicast routing configuration
# Please look at netstart(8) for a detailed description if you change these
multicast_host=NO # Route all multicast packets to a single interface
multicast_router=NO # A multicast routing daemon will be run, e.g. mrouted
# miscellaneous other flags
# only used if the appropriate server is marked YES above
savecore_flags= # "-z" to compress
ypserv_flags= # E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags=NO # "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
amd_master=/etc/amd/master # AMD 'master' map
syslogd_flags= # add more flags, e.g. "-u -a /chroot/dev/log"
pf_rules=/etc/pf.conf # Packet filter rules file
ipsec_rules=/etc/ipsec.conf # IPsec rules file
bt_rules=/etc/bt.conf # Bluetooth rules file
pflogd_flags= # add more flags, e.g. "-s 256"
afsd_flags= # Flags passed to afsd
shlib_dirs= # extra directories for ldconfig, separated
# by space
# rc.d(8) daemons scripts
# started in the specified order and stopped in reverse order
rc_scripts=
local_rcconf="/etc/rc.conf.local"
[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line
Code:
/etc/sysctl.conf
# $OpenBSD: sysctl.conf,v 1.49 2011/02/16 10:37:45 mikeb Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time. See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet.ip.multipath=1 # 1=Enable IP multipath routing
net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects
#net.inet6.icmp6.rediraccept=0 # 0=Don't accept IPv6 ICMP redirects
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.multipath=1 # 1=Enable IPv6 multipath routing
#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0 # 0=Disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=0 # 0=Disable RFC3390 for TCP window increasing
#net.inet.esp.enable=0 # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0 # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0 # 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1 # 1=Enable the IPCOMP protocol
#net.inet.etherip.allow=1 # 1=Enable the Ethernet-over-IP protocol
#net.inet.tcp.ecn=1 # 1=Enable the TCP ECN extension
#net.inet.carp.preempt=1 # 1=Enable carp(4) preemption
#net.inet.carp.log=3 # log level of carp(4) info, default 2
#ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
#ddb.console=1 # 1=Permit entry of ddb from the console
#fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=0 # 0=Do not encrypt pages that go to swap
#vfs.nfs.iothreads=4 # Number of nfsio kernel threads
#net.inet.ip.mtudisc=0 # 0=Disable tcp mtu discovery
#kern.usercrypto=1 # 1=Enable userland use of /dev/crypto
#kern.userasymcrypto=1 # 1=Permit userland to do asymmetric crypto
#kern.splassert=2 # 2=Enable with verbose error messages
#kern.nosuidcoredump=2 # 2=Put suid coredumps in /var/crash
#kern.watchdog.period=32 # >0=Enable hardware watchdog(4) timer if available
#kern.watchdog.auto=0 # 0=Disable automatic watchdog(4) retriggering
machdep.allowaperture=2 # See xf86(4)
#machdep.apmhalt=1 # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt
#machdep.lidsuspend=1 # laptop lid closes cause a suspend
#machdep.userldt=1 # allow userland programs to play with ldt,
# required by some ports
#kern.emul.aout=1 # enable running dynamic OpenBSD a.out bins
#kern.emul.freebsd=1 # enable running FreeBSD binaries
#kern.emul.linux=1 # enable running Linux binaries
#kern.emul.svr4=1 # enable running SVR4 binaries
Code:
/etc/mygate
192.168.0.1
Code:
/etc/resolv.conf
search PF1.my.domain
nameserver 192.168.0.1
/etc/pf.conf I have left aside for now, since I have disabled it for the time being with "PF=NO".
What could be the reason that I cannot get from one network into the other?
Do I need a routing service on the packet filter? Wouldn't that wreck the
whole security concept again?
Thanks for all answers
Last edited by a moderator:
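As an added example (not from the post and not OpenBSD's own tooling), the following Python script does what a reader troubleshooting this setup would do first: it parses the quoted hostname.if(5), sysctl.conf(5) and /etc/mygate contents and compares them with the addressing plan given at the top of the post (green rl0 = 141.18.253.254 on the LAN side, red vr0 = 192.168.0.254 on the modem side). The file contents are constructed copies of what the post shows, and the /24 prefix lengths in PLAN are an assumption, since the post gives none. The parsing helpers and the check_setup function are hypothetical names chosen for this example.

```python
"""Consistency check of an OpenBSD router's network files against an addressing plan.

Added example, not code from the post or from OpenBSD. File contents below are
constructed copies of what the post quotes; the prefix lengths in PLAN are assumed.
"""
import ipaddress
import itertools

# Constructed: the hostname.if(5) files as quoted in the post.
HOSTNAME_FILES = {
    "vr0": "inet 141.18.253.69 255.255.255.0 NONE\n",
    "rl0": "inet 192.168.0.254 255.255.0.0 NONE\n",
}
# Constructed: the sysctl.conf(5) lines relevant to routing.
SYSCTL_CONF = (
    "net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets\n"
    "net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects\n"
    "#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets\n"
)
MYGATE = "192.168.0.1\n"

# The plan from the post's topology: green rl0 on the LAN, red vr0 toward the modem.
# Prefix lengths are an assumption; the post does not state them.
PLAN = {
    "rl0": "141.18.253.254/24",
    "vr0": "192.168.0.254/24",
}


def parse_hostname_if(text):
    """Return the IPv4Interface from the first 'inet addr mask ...' line, else None."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "inet":
            return ipaddress.IPv4Interface(f"{parts[1]}/{parts[2]}")
    return None


def parse_sysctl(text):
    """Return {name: value} for the uncommented key=value lines of sysctl.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments, full-line or trailing
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_setup(hostname_files, sysctl_conf, mygate, plan):
    """Compare the files with the plan; return a list of findings (empty = consistent)."""
    findings = []
    ifaces = {}
    for name, text in hostname_files.items():
        iface = parse_hostname_if(text)
        if iface is None:
            findings.append(f"{name}: no inet line in hostname.{name}")
            continue
        ifaces[name] = iface
        planned = ipaddress.IPv4Interface(plan[name])
        if iface.ip != planned.ip:
            findings.append(f"{name}: configured {iface.ip}, plan says {planned.ip}")
        if iface.network.prefixlen != planned.network.prefixlen:
            findings.append(
                f"{name}: netmask /{iface.network.prefixlen}, "
                f"plan says /{planned.network.prefixlen}"
            )
    # Without forwarding the kernel answers for its own addresses only, which is
    # exactly "I can ping the filter's interfaces but nothing beyond them".
    if parse_sysctl(sysctl_conf).get("net.inet.ip.forwarding") != "1":
        findings.append("net.inet.ip.forwarding is not 1: the box will not route")
    # The default gateway in /etc/mygate must be on-link on one of the interfaces.
    gateway = ipaddress.IPv4Address(mygate.strip())
    if not any(gateway in iface.network for iface in ifaces.values()):
        findings.append(f"mygate {gateway} is not inside any configured interface subnet")
    # Two interfaces on overlapping subnets leave the routing table ambiguous.
    for (na, ia), (nb, ib) in itertools.combinations(ifaces.items(), 2):
        if ia.network.overlaps(ib.network):
            findings.append(f"{na} {ia.network} overlaps {nb} {ib.network}")
    return findings


if __name__ == "__main__":
    for finding in check_setup(HOSTNAME_FILES, SYSCTL_CONF, MYGATE, PLAN) or ["no findings"]:
        print(finding)
```

Run against the constructed copies of the posted files, the check reports three findings: vr0 carries a LAN-range address (141.18.253.69) instead of the planned 192.168.0.254, rl0 carries 192.168.0.254 instead of the planned 141.18.253.254, and rl0's 255.255.0.0 mask does not match the assumed /24. Forwarding itself is enabled, so the addressing, not the sysctl, is the first thing to reconcile with the cabling.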