Routing problem

_markus

Hello and good evening.

As part of a project I want to build a firewall.
For this I am using 3 thin clients which, connected in series, are to perform the following roles:

[Packetfilter]---[Application Gateway]---[Packetfilter]

A so-called screened subnet, as described here:

Diagram from: kes.info/lexikon/lexdata/firewall.htm
http://i51.tinypic.com/nz2b7p.png

As a first step I have now set up one of the thin clients with OpenBSD.
I have placed it between the LAN and the modem.

Topology:

[LAN]---[Packetfilter]---[Modem]

IP addresses:
LAN Green (rl0) Red (vr0) (Modem)
[141.18.253.(1-19)]---[141.18.253.254/192.168.0.254]---[192.168.0.1]

Configuration:
LAN: [Gateway:141.18.253.254,DNS:141.18.253.254]
Packetfilter: [Gateway:192.168.0.1,DNS:192.168.0.1]

From the LAN I can now ping the green/red interface of the filter,
but not beyond it.

Before I start on the filtering function, I want to be able to route from the LAN
to the modem at all; for that I have disabled "PF".

My OpenBSD configuration is as follows:
Code:
/etc/hostname.vr0
inet 141.18.253.69 255.255.255.0 NONE

Code:
/etc/hostname.rl0
inet 192.168.0.254 255.255.0.0 NONE


Code:
/etc/inetd.conf
#	$OpenBSD: inetd.conf,v 1.59 2005/11/16 09:20:22 camield Exp $
#
# Internet server configuration database
#
# define *both* IPv4 and IPv6 entries for dual-stack support.
#
#ftp		stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -US
#ftp		stream	tcp6	nowait	root	/usr/libexec/ftpd	ftpd -US
#shell		stream	tcp	nowait	root	/usr/libexec/rshd	rshd -L
#shell		stream	tcp6	nowait	root	/usr/libexec/rshd	rshd -L
#uucpd		stream	tcp	nowait	root	/usr/libexec/uucpd	uucpd
#uucpd		stream	tcp6	nowait	root	/usr/libexec/uucpd	uucpd
#finger		stream	tcp	nowait	_fingerd /usr/libexec/fingerd	fingerd -lsm
#finger		stream	tcp6	nowait	_fingerd /usr/libexec/fingerd	fingerd -lsm
ident		stream	tcp	nowait	_identd	/usr/libexec/identd	identd -el
ident		stream	tcp6	nowait	_identd	/usr/libexec/identd	identd -el
#tftp		dgram	udp	wait	root	/usr/libexec/tftpd	tftpd -s /tftpboot
#tftp		dgram	udp6	wait	root	/usr/libexec/tftpd	tftpd -s /tftpboot
127.0.0.1:comsat dgram	udp	wait	root	/usr/libexec/comsat	comsat
[::1]:comsat	dgram	udp6	wait	root	/usr/libexec/comsat	comsat
#ntalk		dgram	udp	wait	root	/usr/libexec/ntalkd	ntalkd
#pop3		stream	tcp	nowait	root	/usr/sbin/popa3d	popa3d
#pop3		stream	tcp6	nowait	root	/usr/sbin/popa3d	popa3d
# Internal services
#echo		stream	tcp	nowait	root	internal
#echo		stream	tcp6	nowait	root	internal
#discard	stream	tcp	nowait	root	internal
#discard	stream	tcp6	nowait	root	internal
#chargen	stream	tcp	nowait	root	internal
#chargen	stream	tcp6	nowait	root	internal
daytime		stream	tcp	nowait	root	internal
daytime		stream	tcp6	nowait	root	internal
time		stream	tcp	nowait	root	internal
time		stream	tcp6	nowait	root	internal
#echo		dgram	udp	wait	root	internal
#echo		dgram	udp6	wait	root	internal
#discard	dgram	udp	wait	root	internal
#discard	dgram	udp6	wait	root	internal
#chargen	dgram	udp	wait	root	internal
#chargen	dgram	udp6	wait	root	internal
#daytime	dgram	udp	wait	root	internal
#daytime	dgram	udp6	wait	root	internal
#time		dgram	udp	wait	root	internal
#time		dgram	udp6	wait	root	internal
# RPC based services
#rstatd/1-3	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rstatd	rpc.rstatd
#rusersd/1-3	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rusersd rpc.rusersd
#walld/1	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rwalld	rpc.rwalld
#sprayd/1	dgram	rpc/udp	wait	root	/usr/libexec/rpc.sprayd	rpc.sprayd
#rquotad/1	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rquotad rpc.rquotad

Code:
/etc/rc.conf
#!/bin/sh -
#
#	$OpenBSD: rc.conf,v 1.141 2011/02/12 11:21:01 ajacoutot Exp $

# set these to "NO" to turn them off.  otherwise, they're used as flags
ldpd_flags=NO		# for normal use: ""
ripd_flags=NO		# for normal use: ""
mrouted_flags=NO	# for normal use: "", if activated
			# be sure to enable multicast_router below.
dvmrpd_flags=NO		# for normal use: ""
ospfd_flags=NO		# for normal use: ""
ospf6d_flags=NO		# for normal use: ""
bgpd_flags=NO		# for normal use: ""
rarpd_flags=NO		# for normal use: "-a"
bootparamd_flags=NO	# for normal use: ""
rbootd_flags=NO		# for normal use: ""
sshd_flags=""		# for normal use: ""
named_flags=NO		# for normal use: ""
nsd_flags=NO		# for normal use: ""
rdate_flags=NO		# for normal use: [RFC868-host] or [-n RFC2030-host]
timed_flags=NO		# for normal use: ""
ldattach_flags=NO	# for normal use: "[options] linedisc cua-device"
ntpd_flags=NO		# for normal use: ""
isakmpd_flags=NO	# for normal use: ""
iked_flags=NO		# for normal use: ""
sasyncd_flags=NO	# for normal use: ""
mopd_flags=NO		# for normal use: "-a"
apmd_flags=NO		# for normal use: ""
dhcpd_flags=NO		# for normal use: ""
dhcrelay_flags=NO	# for normal use: "-i interface [server]"
rtadvd_flags=NO		# for normal use: list of interfaces
			# be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO	# for normal use: ""
			# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO		# for normal use: interface
			# be sure to set net.inet6.ip6.forwarding=0
			# be sure to set net.inet6.ip6.accept_rtadv=1
lpd_flags=NO		# for normal use: "" (or "-l" for debugging)
sensorsd_flags=NO	# for normal use: ""
hotplugd_flags=NO	# for normal use: ""
watchdogd_flags=NO	# for normal use: ""
ftpproxy_flags=NO	# for normal use: ""
hostapd_flags=NO	# for normal use: ""
ifstated_flags=NO	# for normal use: ""
relayd_flags=NO		# for normal use: ""
snmpd_flags=NO		# for normal use: ""
smtpd_flags=NO		# for normal use: ""
aucat_flags=NO		# for normal use: ""
ldapd_flags=NO		# for normal use: ""

# use -u to disable chroot, see httpd(8)
httpd_flags=NO		# for normal use: "" (or "-DSSL" after reading ssl(8))

# For normal use: "-L sm-mta -bd -q30m", and note there is a cron job
sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
spamd_flags=NO		# for normal use: "" and see spamd(8)
spamd_black=NO		# set to YES to run spamd without greylisting
spamlogd_flags=""	# use eg. "-i interface" and see spamlogd(8)

# Set to NO if ftpd is running out of inetd
ftpd_flags=NO		# for non-inetd use: "-D"

# Set to NO if identd is running out of inetd
identd_flags=NO		# for non-inetd use: "-b -elo"

# On some architectures, you must also disable console getty in /etc/ttys
xdm_flags=NO		# for normal use: ""

# For enabling console mouse support (i386 alpha amd64)
wsmoused_flags=NO	# for ps/2 or usb mice: "", serial: "-p /dev/cua00"

# set the following to "YES" to turn them on
rwhod=NO
nfs_server=NO		# see sysctl.conf for nfs client configuration
lockd=NO
amd=NO
pf=NO			# Packet filter / NAT
pf_rules="/etc/pf.conf"
pflog_enable=NO
pflog_logfile="/var/log/pflog"

ipsec=NO		# IPsec
bt=NO			# Bluetooth
portmap=NO		# Note: inetd(8) rpc services need portmap too
inetd=YES		# almost always needed
check_quotas=YES	# NO may be desirable in some YP environments
accounting=NO		# process accounting (using /var/account/acct)

krb5_master_kdc=NO	# KerberosV master KDC. Run 'info heimdal' for help.
krb5_slave_kdc=NO	# KerberosV slave KDC.
afs=NO			# mount and run afs

# Multicast routing configuration
# Please look at netstart(8) for a detailed description if you change these
multicast_host=NO	# Route all multicast packets to a single interface
multicast_router=NO	# A multicast routing daemon will be run, e.g. mrouted

# miscellaneous other flags
# only used if the appropriate server is marked YES above
savecore_flags=			# "-z" to compress
ypserv_flags=			# E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags=NO		# "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4"		# Crank the 4 for a busy NFS fileserver
amd_master=/etc/amd/master	# AMD 'master' map
syslogd_flags=			# add more flags, e.g. "-u -a /chroot/dev/log"
pf_rules=/etc/pf.conf		# Packet filter rules file
ipsec_rules=/etc/ipsec.conf	# IPsec rules file
bt_rules=/etc/bt.conf		# Bluetooth rules file
pflogd_flags=			# add more flags, e.g. "-s 256"
afsd_flags=			# Flags passed to afsd
shlib_dirs=			# extra directories for ldconfig, separated
				# by space

# rc.d(8) daemons scripts
# started in the specified order and stopped in reverse order
rc_scripts=

local_rcconf="/etc/rc.conf.local"

[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line


Code:
/etc/sysctl.conf
#	$OpenBSD: sysctl.conf,v 1.49 2011/02/16 10:37:45 mikeb Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1	# 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet.ip.multipath=1	# 1=Enable IP multipath routing
net.inet.icmp.rediraccept=1	# 1=Accept ICMP redirects
#net.inet6.icmp6.rediraccept=0	# 0=Don't accept IPv6 ICMP redirects
#net.inet6.ip6.forwarding=1	# 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1	# 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.multipath=1	# 1=Enable IPv6 multipath routing
#net.inet6.ip6.accept_rtadv=1	# 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0		# 0=Disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=0		# 0=Disable RFC3390 for TCP window increasing
#net.inet.esp.enable=0		# 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0		# 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0	# 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1	# 1=Enable the IPCOMP protocol
#net.inet.etherip.allow=1	# 1=Enable the Ethernet-over-IP protocol
#net.inet.tcp.ecn=1		# 1=Enable the TCP ECN extension
#net.inet.carp.preempt=1	# 1=Enable carp(4) preemption
#net.inet.carp.log=3		# log level of carp(4) info, default 2
#ddb.panic=0			# 0=Do not drop into ddb on a kernel panic
#ddb.console=1			# 1=Permit entry of ddb from the console
#fs.posix.setuid=0		# 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=0	# 0=Do not encrypt pages that go to swap
#vfs.nfs.iothreads=4		# Number of nfsio kernel threads
#net.inet.ip.mtudisc=0		# 0=Disable tcp mtu discovery
#kern.usercrypto=1		# 1=Enable userland use of /dev/crypto
#kern.userasymcrypto=1		# 1=Permit userland to do asymmetric crypto
#kern.splassert=2		# 2=Enable with verbose error messages
#kern.nosuidcoredump=2		# 2=Put suid coredumps in /var/crash
#kern.watchdog.period=32	# >0=Enable hardware watchdog(4) timer if available
#kern.watchdog.auto=0		# 0=Disable automatic watchdog(4) retriggering
machdep.allowaperture=2		# See xf86(4)
#machdep.apmhalt=1		# 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1		# permit console CTRL-ALT-DEL to do a nice halt
#machdep.lidsuspend=1		# laptop lid closes cause a suspend
#machdep.userldt=1		# allow userland programs to play with ldt,
				# required by some ports
#kern.emul.aout=1		# enable running dynamic OpenBSD a.out bins
#kern.emul.freebsd=1		# enable running FreeBSD binaries
#kern.emul.linux=1		# enable running Linux binaries
#kern.emul.svr4=1		# enable running SVR4 binaries

Code:
/etc/mygate
192.168.0.1

Code:
/etc/resolv.conf
search PF1.my.domain
nameserver 192.168.0.1

I have left /etc/pf.conf aside for now, since I have disabled it with "PF=NO"
for the time being.

What could be the reason that I cannot get from one network into the other?

Do I need a routing service on the packet filter? Wouldn't that wreck the
whole security concept again?

Many thanks for all answers
 
Last edited by a moderator:
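As an added example (not part of the post above), a small Python audit that parses the quoted hostname.if, /etc/mygate and sysctl.conf contents and compares them with the topology the post declares: the interface roles and addresses in DECLARED are taken from the post's diagram (green rl0 = 141.18.253.254 facing the LAN, red vr0 = 192.168.0.254 facing the modem), and the file contents are constructed copies of what the post shows. It reports forwarding left off, a default gateway that is not on a directly connected subnet, and any interface whose configured address differs from the declared one.

```python
import ipaddress

# Constructed inputs: the contents of the files quoted in the post.
HOSTNAME_FILES = {
    "vr0": "inet 141.18.253.69 255.255.255.0 NONE\n",
    "rl0": "inet 192.168.0.254 255.255.0.0 NONE\n",
}
MYGATE = "192.168.0.1\n"
SYSCTL_CONF = "net.inet.ip.forwarding=1\t# 1=Permit forwarding (routing) of IPv4 packets\n"
# Declared topology from the post's diagram: green rl0 is the LAN gateway
# 141.18.253.254, red vr0 faces the modem as 192.168.0.254.
DECLARED = {"rl0": "141.18.253.254", "vr0": "192.168.0.254"}


def parse_hostname_if(text):
    """Return the IPv4Interface set by the first hostname.if(5) 'inet' line, or None."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "inet":
            # hostname.if gives the netmask in dotted form; ipaddress accepts that.
            return ipaddress.IPv4Interface(f"{fields[1]}/{fields[2]}")
    return None


def forwarding_enabled(sysctl_text):
    """True only if an uncommented net.inet.ip.forwarding=1 is present."""
    for line in sysctl_text.splitlines():
        line = line.split("#", 1)[0].strip()  # a commented-out key does not count
        if line.startswith("net.inet.ip.forwarding="):
            return line.split("=", 1)[1].strip() == "1"
    return False


def audit(hostname_files, mygate, sysctl_text, declared):
    """Compare the quoted config with the declared topology; return a list of findings."""
    ifaces = {name: parse_hostname_if(t) for name, t in hostname_files.items()}
    findings = []
    if not forwarding_enabled(sysctl_text):
        findings.append("net.inet.ip.forwarding is not 1: the host will not route at all")
    gateway = ipaddress.IPv4Address(mygate.strip())
    if not any(i is not None and gateway in i.network for i in ifaces.values()):
        findings.append(f"/etc/mygate {gateway} is not on any directly connected subnet")
    for name, want in declared.items():
        have = ifaces.get(name)
        if have is None or have.ip != ipaddress.IPv4Address(want):
            findings.append(f"{name}: declared {want}, hostname.{name} configures {have}")
    return findings


if __name__ == "__main__":
    for finding in audit(HOSTNAME_FILES, MYGATE, SYSCTL_CONF, DECLARED):
        print("MISMATCH:", finding)
```

Run against the quoted files, the audit passes the forwarding and default-gateway checks and flags both interfaces, because the addresses in hostname.rl0 and hostname.vr0 do not match the roles the diagram assigns to them.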
