
Blocking port 25

Hello!

There is a server

FreeBSD 8.2-RC2

which also acts as the internet gateway and serves the users on the LAN, plus a mail server (postfix+courier-imap) + PostfixAdmin.

Its IPs:

192.168.1.1

XX.XX.XX.94 - public IP

Users go out to the internet from XX.XX.XX.94, and the Postfix mail server runs on it as well.

How do I block access to port 25 for the local network in PF, and make a whitelist of who is allowed to use port 25?

Here is what I did:

igb0 - external interface

igb1 - internal interface

Here are the blocking lines:

ext_if="igb0"
int_if="igb1"

table <mail> { 192.168.1.101, 192.168.1.103, 192.168.3.3, XX.XX.XX.189 }
#block port 25
block log on $int_if inet proto tcp from !<mail> to any port 25

# cat /etc/pf.conf | grep -v ^# | grep -v ^$
ext_ip="XX.XX.XX.57"
ext_ip2="XX.XX.XX.188"
ext_ip_dg1="WW.WW.WW.38"
ext_ip_dg2="10.67.2.34"
ext_gw="XX.XX.XX.93"
ext_gw_dg1="WW.WW.WW.37"
ext_gw_dg2="10.67.2.33"
ext_if="igb0"
ext_if2="fxp1"
ua9_if="vlan0"
ua9_ip="CC.CC.CC.50"
ua9_gw="CC.CC.CC.49"
int_if="igb1"
internal_net="192.168.1.2/22"
table <modems> { 192.168.0.50, 192.168.2.50 }
table <badhosts> persist
table <mail> { 192.168.1.101, 192.168.1.3, XX.XX.XX.189 }
table <realnet> persist { XX.XX.XX.76/28, RR.RR.RR.RR/30 }
table <limited> persist file "/etc/limited.conf"
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set limit { states 100000, frags 100000 }
set loginterface none
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
scrub in all
altq on igb1 bandwidth 300Mb cbq qlimit 1000 queue {std, admin, limited}
queue std bandwidth 45% cbq(default borrow red)
queue admin bandwidth 5% cbq(borrow red)
queue limited bandwidth 50% cbq(red)
nat on $ext_if from $internal_net to any -> ($ext_if:0)
nat on $ext_if2 from $internal_net to any -> {$ext_if2:0}
nat on $ua9_if from $internal_net to any -> {$ua9_if:0}
nat on $ua9_if from <realnet> to any -> {$ua9_if:0}
rdr on $ext_if proto tcp from any to $ext_ip port 27015 -> 192.168.1.101 port 27015
rdr on $ext_if proto udp from any to $ext_ip port 27015 -> 192.168.1.101 port 27015
rdr on $ext_if proto tcp from any to $ext_ip port 27025 -> 192.168.1.101 port 27025
rdr on $ext_if proto udp from any to $ext_ip port 27025 -> 192.168.1.101 port 27025
rdr on $ext_if proto tcp from any to $ext_ip port 27035 -> 192.168.1.101 port 27035
rdr on $ext_if proto udp from any to $ext_ip port 27035 -> 192.168.1.101 port 27035
pass out all
pass in all
pass in on $int_if from any to !192.168.1.1 keep state (max-src-conn 2000) queue std
pass in on $int_if from <limited> to !192.168.1.1 flags S/SA  keep state (max-src-conn 600) queue limited
pass in on $int_if from 192.168.1.3 to <modems> queue admin
block log on $int_if inet proto tcp from !<mail> to any port 25
block log on $ext_if from <badhosts> to any

inet# ifconfig
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
           options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
           ether 00:8b:13:4a:5e:b3
           inet XX.XX.XX.57 netmask 0xfffffffc broadcast XX.XX.XX.58
           media: Ethernet autoselect (1000baseT <full-duplex>)
           status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
           options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
           ether 00:8b:13:4a:5e:b4
           inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
           inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
           inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
           inet XX.XX.XX.77 netmask 0xfffffff0 broadcast  XX.XX.XX.191
           inet 192.168.100.100 netmask 0xffffff00 broadcast 192.168.100.255
           media: Ethernet autoselect (1000baseT <full-duplex>)
           status: active
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
           options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
           ether 00:1c:c0:01:3b:66
           media: Ethernet autoselect (10baseT/UTP <half-duplex>)
           status: no carrier
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
           options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
           ether 00:1b:21:50:0b:af
           media: Ethernet autoselect (100baseTX <full-duplex>)
           status: active
fxp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
           options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
           ether 00:d0:b7:29:1e:8b
           media: Ethernet autoselect (none)
           status: no carrier
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
           options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
           ether 00:02:b3:d7:00:c7
           inet WW.WW.WW.38 netmask 0xfffffffc broadcast WW.WW.WW.39
           media: Ethernet autoselect (none)
           status: no carrier
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
           options=3<RXCSUM,TXCSUM>
           inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
           inet6 ::1 prefixlen 128
           inet 127.0.0.1 netmask 0xff000000
           nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pfsync0: flags=0<> metric 0 mtu 1460
           syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> metric 0 mtu 33200
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
           options=3<RXCSUM,TXCSUM>
           ether 00:1b:21:50:0b:af
           inet PP.PP.PP.150 netmask 0xfffffffc broadcast PP.PP.PP.151
           media: Ethernet autoselect (100baseTX <full-duplex>)
           status: active
           vlan: 78 parent interface: em0

Any advice on how to solve this?


Any advice on how to solve this?

Doesn't this work?

pass in all

...

block log on $int_if inet proto tcp from !<mail> to any port 25

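For reference, an added pf.conf fragment (not the original poster's configuration) showing one way to build the port 25 whitelist the thread asks about. Two properties of pf shape it: pf applies the last matching rule unless a rule carries "quick", so where a "block" line sits relative to "pass in all" decides the outcome for a packet that matches both; and a rule of the form "block ... to any port 25" also covers the gateway's own Postfix at 192.168.1.1, which every LAN client still has to reach. Interface names, the gateway address and the LAN members of the <mail> table are taken from the thread; the port 587 entry and the use of "quick" are this example's own assumptions.

```pf
# Added example, not the thread author's pf.conf. Interface names, the
# gateway address and the LAN whitelist members follow the thread; the
# port 587 entry and every "quick" keyword are this example's assumptions.
ext_if = "igb0"
int_if = "igb1"
gw_ip  = "192.168.1.1"    # the gateway's own Postfix listens here

# LAN hosts allowed to open TCP/25 to arbitrary destinations. The thread's
# table also lists a redacted public address (XX.XX.XX.189); it is left out
# here because a redacted value is not a loadable address.
table <mail> persist { 192.168.1.101, 192.168.1.103, 192.168.3.3 }

# Filter section. These three rules go in front of the original pass rules
# (after the nat/rdr section, which "set require-order yes" expects first).

# 1. Any LAN host may still hand mail to the gateway's own Postfix
#    (25 for SMTP, 587 for submission). Without this rule a bare
#    "block ... to any port 25" also cuts clients off from the local server.
pass in quick on $int_if inet proto tcp from any to $gw_ip port { 25, 587 }

# 2. Whitelisted hosts may talk SMTP to any destination.
pass in quick on $int_if inet proto tcp from <mail> to any port 25

# 3. Everyone else on the LAN is dropped and logged to pflog0. "quick" ends
#    evaluation at this rule, so the later "pass in all" (pf otherwise takes
#    the LAST matching rule) can no longer override the decision.
block log quick on $int_if inet proto tcp from any to any port 25

# Original pass rules continue unchanged below.
pass out all
pass in all
```

Check the syntax before loading with "pfctl -nf /etc/pf.conf" (a stray ")" where "}" was meant, as in the snippet first posted in the thread, is rejected at this step), load it with "pfctl -f /etc/pf.conf", and confirm the table contents with "pfctl -t mail -T show". Connections that already have a state entry keep working until the state expires; "pfctl -F states" flushes them if the block has to take effect immediately. Rejected attempts can be watched live with "tcpdump -n -e -ttt -i pflog0 port 25", which is also the place to look when deciding whether a further LAN address belongs in the table.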
