[fli4l] fli4l 3.6.2 - blocking IPs
Ulrich Hupe
Ulrich.Hupe at t-online.de
Thu Feb 14 13:38:59 CET 2013
On 14.02.2013 11:48, Carsten Spieß wrote:
> Hello Ulrich,
>
>> PF_FORWARD_1='69.171.0.0/16 192.168.154.4 REJECT BIDIRECTIONAL'
> why 69.171.0.0/16 now? Until now it was 150.70.0.0/16 ?
>
>> but it doesn't work.
>> there must still be some fundamental problem ??
>
> post the _complete_ firewall rules, then we could more easily
> see where it bites.
>
> Regards
>
> Carsten
>
ok, here is the complete rule set
I don't use extra prerouting.
Regards,
Ulrich
##########################################################################################
PF_NEW_CONFIG='yes'                        # new style packet filter config
PF_INPUT_POLICY='REJECT'                   # be nice and use reject as policy
PF_INPUT_ACCEPT_DEF='yes'                  # use default rule set
PF_INPUT_LOG='yes'                         # log rejected/dropped packets
PF_INPUT_LOG_LIMIT='3/minute:5'            # log 3 events per minute; allow a burst of 5 events
PF_INPUT_REJ_LIMIT='1/second:5'            # reject 1 connection per second; allow a burst of 5 events; otherwise drop packet
PF_INPUT_UDP_REJ_LIMIT='1/second:5'        # reject 1 udp packet per second; allow a burst of 5 events; otherwise drop packet
PF_INPUT_N='12'
PF_INPUT_1='150.70.0.0/16 DROP'            # Trendmicro Japan
PF_INPUT_2='216.104.15.0/24 DROP'          # Trendmicro California
PF_INPUT_3='69.171.0.0/16 DROP'            # facebook
PF_INPUT_4='173.252.0.0/16 DROP'           # facebook
PF_INPUT_5='83.236.140.90 DROP'            # Bundestrojaner
PF_INPUT_6='207.158.22.134 DROP'           # Bundestrojaner
PF_INPUT_7='210.41.224.0/20 DROP'          #
PF_INPUT_8='60.30.32.0/24 DROP'            #
PF_INPUT_9='125.64.16.0/24 DROP'           #
PF_INPUT_10='IP_NET_1 ACCEPT'              # allow all hosts in the local network access to the router
PF_INPUT_11='tmpl:dns IP_NET_2 ACCEPT'     # no access from net 2 to the router, therefore only the dns template
PF_INPUT_12='tmpl:smtp IP_NET_2 ACCEPT'    # mail port 25
#PF_INPUT_2='tmpl:samba DROP NOLOG'        # drop (or reject) samba access without logging,
#PF_INPUT_2_COMMENT='no samba traffic allowed'  # otherwise the log file will be filled with useless entries
# Access to the ''Internet''
PF_FORWARD_POLICY='REJECT'                 # be nice and use reject as policy
PF_FORWARD_ACCEPT_DEF='yes'                # use default rule set
PF_FORWARD_LOG='yes'                       # log rejected/dropped packets
PF_FORWARD_LOG_LIMIT='3/minute:5'          # log 3 events per minute; allow a burst of 5 events
PF_FORWARD_REJ_LIMIT='1/second:5'          # reject 1 connection per second; allow a burst of 5 events; otherwise drop packet
PF_FORWARD_UDP_REJ_LIMIT='1/second:5'      # reject 1 udp packet per second; allow a burst of 5 events; otherwise drop packet
PF_FORWARD_N='21'
PF_FORWARD_1='150.70.0.0/16 192.168.154.4 DROP BIDIRECTIONAL'     # Trendmicro Japan
PF_FORWARD_2='216.104.15.0/24 192.168.154.4 DROP BIDIRECTIONAL'   # Trendmicro California
PF_FORWARD_3='210.41.224.0/20 192.168.154.4 DROP BIDIRECTIONAL'   #
PF_FORWARD_4='60.30.32.0/24 192.168.154.4 DROP BIDIRECTIONAL'     #
PF_FORWARD_5='125.64.16.0/24 192.168.154.4 DROP BIDIRECTIONAL'    #
PF_FORWARD_6='173.252.0.0/16 192.168.154.4 REJECT BIDIRECTIONAL'  # facebook
PF_FORWARD_7='69.171.0.0/16 192.168.154.4 REJECT BIDIRECTIONAL'   # facebook
PF_FORWARD_8='66.220.0.0/16 192.168.154.4 REJECT BIDIRECTIONAL'   # facebook
PF_FORWARD_9='83.236.140.90 DROP'                                 # Bundestrojaner
PF_FORWARD_10='207.158.22.134 DROP'                               # Bundestrojaner
PF_FORWARD_11='192.168.54.3 192.168.154.2 ACCEPT BIDIRECTIONAL'   # access to 2 only from 3
PF_FORWARD_12='192.168.54.3 192.168.154.4 ACCEPT BIDIRECTIONAL'   # access to eis2 only from 3
PF_FORWARD_13='192.168.54.3 192.168.154.5 ACCEPT BIDIRECTIONAL'   # access to eis (old) only from 3
PF_FORWARD_14='192.168.54.3 192.168.154.6 ACCEPT BIDIRECTIONAL'   # access to 6 only from 3
PF_FORWARD_15='192.168.54.3 192.168.154.7 ACCEPT BIDIRECTIONAL'   # access to 7 only from 3
PF_FORWARD_16='192.168.54.3 192.168.154.8 ACCEPT BIDIRECTIONAL'   # access to 8 only from 3
PF_FORWARD_17='192.168.54.3 192.168.154.41 ACCEPT BIDIRECTIONAL'  # access to EIS2 private only from Media
PF_FORWARD_18='IP_NET_1 IP_NET_2 REJECT BIDIRECTIONAL'            # no traffic between the two networks
PF_FORWARD_19='tmpl:samba DROP'            # drop samba traffic if it tries to leave the subnet
PF_FORWARD_20='IP_NET_1 ACCEPT'            # accept everything else
PF_FORWARD_21='IP_NET_2 ACCEPT'            # accept everything else
#PF_FORWARD_1='tmpl:samba DROP'            # drop samba traffic if it tries to leave the subnet
#PF_FORWARD_2='IP_NET_1 ACCEPT'            # accept everything else
# Masquerading the local networks
PF_POSTROUTING_N='2'
PF_POSTROUTING_1='IP_NET_1 MASQUERADE'     # masquerade traffic leaving the subnet
PF_POSTROUTING_2='IP_NET_2 MASQUERADE'     # masquerade traffic leaving the subnet
PF_PREROUTING_N='0'
PF_PREROUTING_1='1.2.3.4 dynamic:22 DNAT:@client2'  # forward ssh connections coming from 1.2.3.4 to client2
PF_USR_CHAIN_N='0'
#------------------------------------------------------------------------------
and the port forwarding as well:
PORTFW_6_TARGET='16490'                    # : forward ext. port 16490 for EIS
PORTFW_6_NEW_TARGET='192.168.154.4'        # ...to int. host 192.168.154.xx
PORTFW_6_PROTOCOL='tcp'                    # ...using tcp
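As an added example (not code from this post or from fli4l itself), a small first-match simulator for the PF_FORWARD_* rule syntax shown above, to check which rule a given connection actually hits. It assumes iptables-style first-match evaluation, that a two-word rule 'ADDR ACTION' matches on the source address, and that IP_NET_1 and IP_NET_2 are 192.168.54.0/24 and 192.168.154.0/24 (inferred from the hosts in the config, not stated in the post); tmpl: rules are skipped because only addresses are compared.

```python
# Added example, not from the post or from fli4l: first-match simulator for
# PF_FORWARD_* values 'SRC [DST] ACTION [BIDIRECTIONAL]'. Assumptions (not
# stated in the post): rules fire in order and the first match wins (iptables
# semantics); a two-word rule 'ADDR ACTION' matches on the source address;
# IP_NET_1/IP_NET_2 are 192.168.54.0/24 and 192.168.154.0/24 (inferred from
# the hosts in the config); tmpl:* rules are port based and are skipped.
import ipaddress

NETS = {"IP_NET_1": "192.168.54.0/24", "IP_NET_2": "192.168.154.0/24"}  # assumed

def parse_rule(value):
    """Split a rule value into (src, dst, action, bidirectional) or None."""
    words = value.split()
    if words[0].startswith("tmpl:"):
        return None  # port template, not an address-only rule
    bidir = "BIDIRECTIONAL" in words
    words = [w for w in words if w != "BIDIRECTIONAL"]
    if len(words) == 2:  # 'ADDR ACTION': source only, any destination
        return words[0], "any", words[1], bidir
    return words[0], words[1], words[2], bidir

def matches(spec, ip):
    """True if ip lies in spec (symbolic net name, CIDR or single host)."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(NETS.get(spec, spec), strict=False)
    return ipaddress.ip_address(ip) in net

def first_match(rules, src, dst):
    """Return (rule number, action) of the first rule hit, or None (policy)."""
    for number, value in rules:
        parsed = parse_rule(value)
        if parsed is None:
            continue
        r_src, r_dst, action, bidir = parsed
        if matches(r_src, src) and matches(r_dst, dst):
            return number, action
        if bidir and matches(r_src, dst) and matches(r_dst, src):
            return number, action  # reverse direction of a BIDIRECTIONAL rule
    return None

# Constructed subset of the posted PF_FORWARD rules, keeping their numbers.
RULES = [(1, "150.70.0.0/16 192.168.154.4 DROP BIDIRECTIONAL"),
         (7, "69.171.0.0/16 192.168.154.4 REJECT BIDIRECTIONAL"),
         (11, "192.168.54.3 192.168.154.2 ACCEPT BIDIRECTIONAL"),
         (18, "IP_NET_1 IP_NET_2 REJECT BIDIRECTIONAL"),
         (21, "IP_NET_2 ACCEPT")]

if __name__ == "__main__":
    print(first_match(RULES, "192.168.154.4", "69.171.1.1"))  # (7, 'REJECT')
    print(first_match(RULES, "192.168.154.5", "69.171.1.1"))  # (21, 'ACCEPT')
```

Only 192.168.154.4 is matched by the facebook rules; any other host in IP_NET_2 falls through to rule 21 and is accepted, which is the kind of ordering question the rule dump is meant to settle.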
More information about the Fli4L mailing list