PF не открывает 25 порт

robik · Сообщение **robik** » 25 июл 2011, 11:28

в общем не отдается в мир 25 порт с таким конфигом. если дописываю пасс ани то ани на интерфейсах, не дает результата. сломал голову уже над этой бедой

Код: Выделить всё

##Intefaces
wan_if="rl0"
serv_if="rl1"
loc_if="dc0"


##NETWORKS

loc_net="192.168.1.0/24"
serv_net="xx.xx.xx.0/25"
home="{ xx.xx.xx.xx, xx.xx.xx.xx, xx.xx.xx.xx }"


##IP ADDRESSES

squid="xx.xx.xx.xx"
my="xx.xx.xx.xx"
server="xx.xx.xx.xx"
ipod="xx.xx.xx.xx"
mail="xx.xx.xx.xx"
atc="xx.xx.xx.xx"
file_serv="xx.xx.xx.xx"
aster="xx.xx.xx.xx"
toktom="212.42.110.9"
dns_elcat="{ 212.42.96.1, 212.42.96.2}"
soc_found="195.38.189.197"


##PORTS
icmp_types="{ echoreq, unreach}"
aster_ports="{ 22, 5060, 50601}"
chat_ports="{ 443, 5190}"
atc_ports="{ 5103}"
mail_ports="{ 25, 143, 110, 465, 993, 587}"
vnc_ports="{ 5800, 5900}"
toktom_ports="{ 8167, 8168}"




#NAT
nat on $wan_if from $serv_net to any port $chat_ports -> $wan_if
nat on $wan_if from $squid to any -> $wan_if
nat on $wan_if from $mail to any port $mail_ports -> $mail
nat on $wan_if from $mail to any port www -> $mail
nat on $wan_if from $loc_net to any port $chat_ports -> $wan_if
nat on $wan_if from $loc_net to any port $mail_ports -> $wan_if
nat on $wan_if from $my to any -> $my
nat on $wan_if from $loc_net to $soc_found -> $wan_if
nat on $wan_if from $home to any -> $wan_if
nat on $wan_if from $loc_net to any -> $wan_if
nat on $wan_if from $atc to any -> $atc
nat on $serv_if from $serv_net to any -> $serv_if

set skip on lo0
block log all

antispoof log quick for { lo0, $wan_if, $serv_if }
block all


block drop in log quick on { $serv_if, $wan_if, $loc_if } proto tcp from any to any port smtp
block drop log quick from <BRUTEFORCERS>


#Local traffic

pass out on $loc_if from any to $loc_net
pass in  on $loc_if from $loc_net to any

pass out on $serv_if from $loc_net to $serv_net
pass in  on $serv_if from $serv_net to any

pass out on $wan_if from $wan_if to any

pass in on $serv_if from $loc_net to $serv_net


############################SERVERS################################



####################DNS
pass in on $serv_if proto { tcp, udp} to port 53 keep state
pass in on $wan_if proto { tcp, udp} to port 53 keep state
pass out on $serv_if proto { tcp, udp} to port 53 keep state
pass out on $wan_if proto { tcp, udp} to port 53 keep state


#Updates
pass out on $wan_if from any to $soc_found keep state
pass out on $wan_if from any to 65.55.182.108 keep state
pass out on $wan_if from any to 213.199.149.228 keep state
pass out on $wan_if from any to 213.199.149.229 keep state
pass out on $wan_if proto { tcp, udp} from $mail port $toktom_ports keep state
pass in on $wan_if proto { tcp, udp} from $toktom to any port $toktom_ports keep state
pass in on $wan_if from 195.38.189.197 to any keep state


#Asterisk
pass out on $wan_if proto { tcp, udp} from $aster to any port $aster_ports keep state
pass in on $wan_if proto { tcp, udp} from any to $aster port $aster_ports


#Squid
pass out on $wan_if from $squid to any keep state

#MAIL

pass in on $serv_if proto { tcp, udp} from any to $mail port $mail_ports keep state
pass in on $serv_if proto { tcp, udp} from any to $mail port www keep state
pass out on $serv_if proto { tcp, udp} from any to $mail port $mail_ports keep state
pass out on $serv_if proto { tcp, udp} from any to $mail port www keep state

pass in on $wan_if proto { tcp, udp} from any to $mail port $mail_ports keep state
pass in on $wan_if proto { tcp, udp} from any to $mail port www keep state
pass out on $wan_if proto { tcp, udp} from any to $mail port $mail_ports keep state
pass out on $wan_if proto { tcp, udp} from any to $mail port www keep state


#ICMP
pass in on $wan_if proto icmp from any to $wan_if icmp-type $icmp_types keep state
pass in on $wan_if proto icmp from any to $serv_if icmp-type $icmp_types keep state


############################ALL################################


#All in
pass in on $serv_if from any to $my keep state
pass in on $wan_if from any to $my keep state
pass in on $wan_if from any to $atc keep state
pass in on $wan_if from $home to any keep state


#All out
pass out on $serv_if from any to $my keep state
pass out on $wan_if from $my to any keep state
pass out on $wan_if from $atc to any keep state
pass out on $loc_if from any to any keep state


############################Users################################


#USERS IN
pass in on $wan_if proto { tcp, udp} from any to $loc_net port $chat_ports keep state
pass in on $wan_if proto { tcp, udp} from any to $loc_net port $mail_ports keep state
pass in on $wan_if from any to $loc_net keep state


#USERS OUT
pass out on $wan_if proto { tcp, udp} from $loc_net port $chat_ports to any keep state
pass out on $wan_if proto { tcp, udp} from $loc_net port $mail_ports to any keep state
pass out on $wan_if from $loc_net to any keep state

############################Home################################


#Home traffic in
pass in on $wan_if from $home to any keep state
pass in on $serv_if from $home to any keep state


#Home traffic out
pass out on $wan_if from any to $home keep state
pass out on $serv_if from any to $home keep state

Raven · Сообщение **Raven** » 25 июл 2011, 11:47

robik писал(а):#NAT
nat on $wan_if from $serv_net to any port $chat_ports -> $wan_if
nat on $wan_if from $squid to any -> $wan_if
nat on $wan_if from $mail to any port $mail_ports -> $mail
nat on $wan_if from $mail to any port www -> $mail
nat on $wan_if from $loc_net to any port $chat_ports -> $wan_if
nat on $wan_if from $loc_net to any port $mail_ports -> $wan_if
nat on $wan_if from $my to any -> $my
nat on $wan_if from $loc_net to $soc_found -> $wan_if
nat on $wan_if from $home to any -> $wan_if
nat on $wan_if from $loc_net to any -> $wan_if
nat on $wan_if from $atc to any -> $atc
nat on $serv_if from $serv_net to any -> $serv_if

1.эта бойда натит только запросы изнутри наружу

robik писал(а): nat on $wan_if from $mail to any port $mail_ports -> $mail

2. Зачем эта кишка заворачивающая мылсерв на него же?

3. Нигде не вижу проброса портов с внешнего интерфейса на локальный серв.

Попробуй что-то вроде

Код: Выделить всё

rdr on $wan_if proto tcp from any to any port $mail_ports -> $mail

З.Ы. Офорляй пожалуйста посты правильно. У нас есть тег code, есть тег bash, да и оверпостниг не особо приветствуется. Свои сообщения можно редактировать)).

robik · Сообщение **robik** » 25 июл 2011, 11:57

Raven писал(а):1.эта бойда натит только запросы изнутри наружу

не совсем понял. необходимо так же занатить и из вне?

Raven писал(а):2. Зачем эта кишка заворачивающая мылсерв на него же?

хз, только что понял что бред

Raven писал(а):3. Нигде не вижу проброса портов с внешнего интерфейса на локальный серв.

Попробуй что-то вроде
Код: Выделить всё
rdr on $wan_if proto tcp from any to any port $mail_ports -> $mail

запрос то идет на адрес

Код: Выделить всё

$mail

robik · Сообщение **robik** » 25 июл 2011, 12:06

вот конфиг с которым все открывается, описание интерфейсов и потров идентичное первому

Код: Выделить всё

#NAT

nat on $wan_if from $serv_net to any port $chat_ports -> $wan_if
nat on $wan_if from $serv_net to any port $mail_ports -> $wan_if
nat on $wan_if from $squid to any -> $wan_if
nat on $wan_if from $mail to any port $mail_ports -> $mail
nat on $wan_if from $mail to any port www -> $mail
nat on $wan_if from $loc_net to any port $chat_ports -> $wan_if
nat on $wan_if from $loc_net to any port $mail_ports -> $wan_if
nat on $wan_if from $my to any -> $my
nat on $wan_if from $loc_net to $soc_found -> $wan_if
nat on $wan_if from $my to any -> $my
nat on $wan_if from $home to any -> $wan_if
nat on $wan_if from $loc_net to any -> $wan_if
nat on $wan_if from $atc to any -> $atc
nat on $serv_if from $serv_net to any -> $serv_if

#set block-policy return

set skip on lo0
block log all

#scrub in all

antispoof quick for $wan_if

################Rules###################

block all


#Local traffic

pass out on $loc_if from any to $loc_net
pass in  on $loc_if from $loc_net to any

pass out on $serv_if from $loc_net to $serv_net
pass in  on $serv_if from $serv_net to any

pass out on $wan_if from $wan_if to any


#####################SERVERS

####### out
pass out on $wan_if from any to any keep state
pass out on $serv_if  from any to any keep state

pass out on $loc_if from any to any keep state
pass out on $wan_if proto { tcp, udp} from $mail port www to any keep state
pass out on $wan_if from any to $dns_elcat keep state
pass out on $wan_if from $squid to any keep state
pass out on $wan_if from $server to any keep state
pass out on $wan_if from $file_serv to any keep state
pass out on $serv_if from $file_serv to any keep state
pass out on $serv_if from $server to any keep state
pass out on $wan_if proto icmp from $serv_net to any keep state
pass out on $wan_if from any to 195.38.189.197 keep state
pass out on $wan_if from any to 65.55.182.108 keep state
pass out on $wan_if from any to 213.199.149.228 keep statepass out on $wan_if from any to 213.199.149.229 keep state
pass out on $wan_if proto { tcp, udp} from $mail port www to any keep state
pass out on $wan_if proto { tcp, udp} from $mail port $mail_ports to any keep state
pass out on $wan_if proto { tcp, udp} from any port 53 to any keep state
pass out on $wan_if proto { tcp, udp} from $mail port $toktom_ports keep state
pass out on $wan_if from $my to any keep state
pass out on $wan_if from $atc to any keep state
pass out on $wan_if from $ipod to any keep state
pass out on $wan_if proto { tcp, udp} from $aster to any port $aster_ports keep state
pass out on $wan_if proto { tcp, udp} from any to $toktom port $toktom_ports keep state

####### IN
pass in on $wan_if from $dns_elcat to any keep state
pass in on $wan_if proto icmp from any to $server icmp-type $icmp_types keep state
pass in on $wan_if proto icmp from any to $wan_if icmp-type $icmp_types keep state
pass in on $wan_if proto icmp from any to $serv_if icmp-type $icmp_types keep state
pass in on $wan_if proto icmp from any to $my icmp-type $icmp_types keep state
pass in on $wan_if proto { tcp, udp} to $mail port www keep state
pass in on $wan_if proto { tcp, udp} to $mail port $mail_ports keep state
pass in on $serv_if from $dns_elcat to any
pass in on $wan_if proto { tcp, udp} from any to any port 53
pass in on $wan_if proto { tcp, udp} from $toktom to any port $toktom_ports keep state
pass in on $wan_if from 195.38.189.197 to any keep state
pass in on $wan_if proto { tcp, udp} from any to $aster port $aster_ports
pass in on $wan_if from any to $my keep state
pass in on $wan_if from any to $atc keep state
pass in on $wan_if from $home to any


#USERS

pass out on $wan_if proto { tcp, udp} from $loc_net port $chat_ports to any keep state
pass out on $wan_if proto { tcp, udp} from $loc_net port $mail_ports to any keep state
pass out on $wan_if from $loc_net to any keep state
pass in on $wan_if proto { tcp, udp} from any to $loc_net port $chat_ports keep state
pass in on $wan_if proto { tcp, udp} from any to $loc_net port $mail_ports keep state
pass in on $wan_if from any to $loc_net keep state

#home traffic
pass in on $wan_if from $home to any keep state
pass out on $wan_if from any to $home keep state
pass in on $serv_if from $home to any keep state
pass out on $serv_if from any to $home keep state

Raven · Сообщение **Raven** » 25 июл 2011, 12:11

robik писал(а):не совсем понял. необходимо так же занатить и из вне?

ну смотри, обьясню на пальцах:
Предположим едешь ты на машине, выехал из гаража, подьехал к пропускной фигне чтоб выехать со стоянки, тебе открывают шлагбаум и ты едешь по делам спокойно. Сделав дела ты возвращаешься назад, а за шлагбаумом нет дороги к твоему гаражу...

robik писал(а):запрос то идет на адрес
Код:$mail

а что у тебя соответствует переменной $mail?

mail="xx.xx.xx.xx"

Raven · Сообщение **Raven** » 25 июл 2011, 12:13

Стоп! У тебя мылсерв тоже на белом ипе?

robik · Сообщение **robik** » 25 июл 2011, 12:16

Raven писал(а):Стоп! У тебя мылсерв тоже на белом ипе?

ага

mail="212.42.111.***"

Raven · Сообщение **Raven** » 25 июл 2011, 12:30

тогда обрисуй пожалуйста структуру сетки, а то я никак понять не могу зачем с белого ипа натить на белый ип

robik · Сообщение **robik** » 25 июл 2011, 13:00

тогда так

wan_if= 212.42.96.*

Код: Выделить всё

##Intefaces
wan_if="rl0"
serv_if="rl1"
loc_if="dc0"


##NETWORKS

loc_net="192.168.1.0/24"
serv_net="212.42.*.*/25"



##IP ADDRESSES

squid="212.42.xx.x"
my="212.42.xx.y"
server="212.42.xx.z"
mail="212.42.xx.q"
file_serv="212.42.xx.t"
aster="212.42.xx.w"
toktom="212.42.110.9"
dns_elcat="{ 212.42.96.1, 212.42.96.2}"
soc_found="195.38.189.197"


##PORTS
icmp_types="{ echoreq, unreach}"
aster_ports="{ 22, 5060, 50601}"
chat_ports="{ 443, 5190}"
atc_ports="{ 5103}"
mail_ports="{ 25, 143, 110, 465, 993, 587}"
vnc_ports="{ 5800, 5900}"
toktom_ports="{ 8167, 8168}"

конфиг писался экспериментальный, первая моя машинка на никсе, после чего как заработало, я подзабил на это дело, но вот недавно приперло зарезать именно почтарь. оставить только нужное

PF не открывает 25 порт

PF не открывает 25 порт

Re: PF не открывает 25 порт

Re: PF не открывает 25 порт

Re: PF не открывает 25 порт

Re: PF не открывает 25 порт

Re: PF не открывает 25 порт

Re: PF не открывает 25 порт

Re: PF не открывает 25 порт

Re: PF не открывает 25 порт