GUG | I'm asking for a little help; with pf there is something I don't understand.
I have the following network:

                          high-school network
                                  |
servers (squid, dns, ldap, ...) ---------- openbsd ------------- CLIENT 1
                                                  \--------------- CLIENT 2

My problem is the following:
1/ When I block by default, with NAT "not enabled", and allow certain things, the clients cannot communicate with the servers. On the clients I get the error message no route to host.
2/ When I let everything through, the servers can communicate with the servers (so I assume the routing table is correct).
3/ When I block by default, enable NAT, and allow certain things, the clients can communicate with the servers.
I don't understand why I get no route to host; I must have forgotten something, but I've been looking through the documentation and can't find it.
And here is the firewall:
Code :
#interfaces
loop= "lo0"
net_if= "de0"
lan_if= "vr0"
dmz_if= "vr1"
#networks
lan= "192.168.1.0/24"
dmz= "192.168.0.0/24"
#hosts
proxy= "192.168.0.6"
#default behaviour
set block-policy drop
#packet normalisation
scrub in all
#port definitions
tcp_dmz_net = "{ 80, 443 }"
#udp_dmz_net = "{ 53 }"
tcp_lan_dmz = "{ 3128, 22, 5432, 389, 923, 2049, 111 }"
udp_lan_dmz = "{ 53, 111, 2049, 923 }"
#non-routable addresses
#NO_route= "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
NO_route= "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }"
#-------------NAT aka TRANSLATION --------------------#
#from the proxy to the internet
nat on $net_if from $proxy to any -> $net_if
#from the clients to the servers/dmz
#nat on $dmz_if from $lan to $dmz -> $dmz_if
#from the servers to the lan
#nat on $lan_if from $dmz to $lan -> $lan_if
#-------------FILTERING RULES-----------------#
#pass all
block all
#Antispoof
#antispoof for $loop inet
#antispoof for $net_if inet
#Allow loopback
pass in quick on $loop all
pass out quick on $loop all
#Block nmap scans and TCP/IP stack fingerprinting attempts
block in log quick on $net_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $net_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $net_if inet proto tcp from any to any flags /SFRA
#Block non-routable addresses
block in log quick on $net_if from $NO_route to any
block out log quick on $net_if from any to $NO_route
#--------------LOCAL --------------------------#
#Allow ssh connections on lan_if and dmz_if
pass in log quick on $lan_if inet proto tcp from $lan to $lan_if port 22 modulate state
pass in log quick on $dmz_if inet proto tcp from $dmz to $dmz_if port 22 modulate state
#----------- PROXY to the outside ----------------#
#TCP tcp_dmz_net
pass in quick on $dmz_if inet proto tcp from $proxy to any port $tcp_dmz_net modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port $tcp_dmz_net modulate state
#UDP udp_dmz_net DNS
pass in quick on $dmz_if inet proto udp from $proxy to any port 53 keep state
pass out quick on $net_if inet proto udp from $net_if to any port 53 keep state
#FTP
pass in quick on $dmz_if inet proto tcp from $proxy to any port 21 modulate state
pass in quick on $dmz_if inet proto tcp from $proxy to any port >1024 modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port 21 modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port >1024 modulate state
#ICMP
pass in quick on $dmz_if inet proto icmp from $proxy to any icmp-type 8 code 0 keep state
pass out quick on $net_if inet proto icmp from $net_if to any icmp-type 8 code 0 keep state
pass in quick on $dmz_if inet proto icmp from $proxy to any icmp-type 11 keep state
pass out quick on $net_if inet proto icmp from $net_if to any icmp-type 11 keep state
#------------ LAN TO DMZ ---------------------#
#TCP tcp_lan_dmz
pass in quick on $lan_if inet proto tcp from $lan to $dmz port $tcp_lan_dmz modulate state
pass out quick on $dmz_if inet proto tcp from $dmz_if to $dmz port $tcp_lan_dmz modulate state
#ICMP
pass in quick on $lan_if inet proto icmp from $lan to $dmz icmp-type 8 code 0 keep state
pass out quick on $dmz_if inet proto icmp from $dmz_if to $dmz icmp-type 8 code 0 keep state
pass in quick on $lan_if inet proto icmp from $lan to $dmz icmp-type 11 keep state
pass out quick on $dmz_if inet proto icmp from $dmz_if to $dmz icmp-type 11 keep state
#UDP DNS
pass in quick on $lan_if inet proto udp from $lan to $proxy port $udp_lan_dmz keep state
pass out quick on $dmz_if inet proto udp from $dmz_if to $proxy port $udp_lan_dmz keep state
# ------------ DMZ TO LAN ------------------#
#ICMP
pass in quick on $dmz_if inet proto icmp from $dmz to $lan icmp-type 8 code 0 keep state
pass out quick on $lan_if inet proto icmp from $lan_if to $lan icmp-type 8 code 0 keep state
pass in quick on $dmz_if inet proto icmp from $dmz to $lan icmp-type 11 keep state
pass out quick on $lan_if inet proto icmp from $lan_if to $lan icmp-type 11 keep state
#SSH
pass in quick on $dmz_if inet proto tcp from $dmz to $lan port 22 modulate state
pass out quick on $lan_if inet proto tcp from $lan_if to $lan port 22 modulate state
#----------------- DHCRELAY ------------------#
pass in quick on $lan_if inet proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67 keep state
#pass out quick on $lan_if inet proto udp from $lan_if port 67 to any port 68
#pass in quick on $dmz_if inet proto udp from 192.168.0.6 to $dmz_if port 67
pass out quick on $dmz_if inet proto udp from $dmz_if port 67 to 192.168.0.6 port 67 keep state
Thanks in advance
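A triage helper for this kind of "traffic silently disappears in pf" question, added here as an example and not part of GUG's post or of the pf project: it takes the text that `tcpdump -n -e -ttt -i pflog0` prints for logged packets and tallies it by action, direction, interface, rule number and destination port, so the rule dropping the LAN-to-DMZ traffic can be read off directly and then looked up with `pfctl -vvsr`, which lists the rules with those `@N` numbers and their match counters. One caveat worth knowing before using it against the rule set above: pf only logs packets matched by rules that carry the `log` keyword, so a catch-all `block all` without `log` leaves no trace on pflog0. The sample tcpdump lines below are constructed to resemble that output; the hosts, ports and rule numbers in them are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: tally pf log lines by the rule
# that matched them. Real input on the OpenBSD box comes from:
#   tcpdump -n -e -ttt -i pflog0      (packets hit by rules carrying "log")
#   pfctl -vvsr                       (rules with their @N numbers and counters)
# A plain "block all" without "log" never shows up on pflog0.

# CONSTRUCTED sample of what tcpdump prints for pflog0; the hosts, ports and
# rule numbers are assumptions chosen for this example. Both the older
# "rule 3/0(match):" and the newer "rule 3/(match)" spellings are handled.
SAMPLE_PFLOG='000000 rule 3/(match) block out on vr1: 192.168.1.20.49152 > 192.168.0.6.3128: S 1:1(0) win 5840
000231 rule 3/(match) block out on vr1: 192.168.1.20.49153 > 192.168.0.6.389: S 2:2(0) win 5840
001002 rule 3/(match) block out on vr1: 192.168.1.20.49154 > 192.168.0.6.3128: S 3:3(0) win 5840
000500 rule 3/(match) block out on vr0: 192.168.1.1.67 > 192.168.1.20.68: udp 300
000010 rule 12/(match) pass in on vr0: 192.168.1.20.49152 > 192.168.0.6.3128: S 1:1(0) win 5840'

# summarize_pflog: reads tcpdump pflog text on stdin and prints one line per
# (action, direction, interface, rule, destination port), most frequent first:
#   <count> <action> <dir> <ifname> rule <n> dport <port>
summarize_pflog() {
    awk '
    {
        # locate the "rule" token so a leading timestamp (-ttt) does not matter
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i > NF) next
        rule = $(i + 1); sub(/\/.*/, "", rule)        # "3/(match)" -> "3"
        action = $(i + 2); dir = $(i + 3)             # block|pass, in|out
        ifc = $(i + 5); sub(/:$/, "", ifc)            # "vr1:" -> "vr1"
        dst = $(i + 8); sub(/:$/, "", dst)            # "192.168.0.6.3128:"
        n = split(dst, p, "."); port = p[n]           # last dotted field = port
        key = action " " dir " " ifc " rule " rule " dport " port
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# blocked_dports: destination ports dropped on one interface in one direction,
# e.g. "blocked_dports vr1 out" -> "389 3128". Useful for comparing against
# the port lists ($tcp_lan_dmz, $udp_lan_dmz) the pass rules are meant to cover.
blocked_dports() {
    summarize_pflog | awk -v ifc="$1" -v dir="$2" \
        '$2 == "block" && $3 == dir && $4 == ifc { print $8 }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
printf 'ports dropped out on vr1: %s\n' "$(printf '%s\n' "$SAMPLE_PFLOG" | blocked_dports vr1 out)"
```

On a live box, pipe `tcpdump -n -e -ttt -i pflog0` straight into `summarize_pflog` instead of the sample; the rule numbers it prints are the `@N` labels shown by `pfctl -vvsr`, and `pfctl -ss` shows whether a state entry exists for the flow that fails.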