Topic: Regel greifen nicht am OPT Interface  (Read 2378 times)
« on: January 02, 2011, 18:00:43 »
redy *
Posts: 7

hello,

my config:

m0n0wall
LAN: 192.168.1.1/30 (transport network to the WLAN router)
DMZ: 192.168.3.1/24

Rules:
LAN Ruleset:
Block Proto: * ; Source: * ; Port: * ; Dest: DMZ ; Prot: *        >> Block DMZ Traffic to LAN
Permit Proto: * ; Source: LAN ; Port: * ; Dest: !DMZ ; Prot: * >> permit DMZ to any but not LAN 
deny all

DMZ Ruleset:
Block Proto: * ; Source: * ; Port: * ; Dest: LAN ; Prot: *         >> Block LAN Traffic to DMZ
Permit Proto: * ; Source: DMZ ; Port: * ; Dest: !LAN ; Prot: * >> permit LAN to any but not DMZ
deny all

The problem is that from the LAN I can control everything with rules. That works as desired.
But when I set rules on the DMZ interface, nothing takes effect.
Even with the basic configuration above I can reach the LAN via SSH from the DMZ, which really should not be possible.

Does anyone have an idea what might be causing this?

regards
redy
« Reply #1 on: January 02, 2011, 18:05:35 »
Manuel Kasper
Administrator
*****
Posts: 364

That should indeed not be the case. Could you post the output of http://m0n0wall/status.php, especially the sections "ipfstat -nio" and "unparsed ipfilter rules"?
« Reply #2 on: January 02, 2011, 18:11:21 »
redy *
Posts: 7

wow, that was quick

ipfstat -nio

Code:
@1 pass out quick on lo0 all
@2 pass out quick on vr0 proto udp from 192.168.1.1/32 port = bootps to any port = bootpc
@3 pass out quick on vr1 proto udp from any port = bootpc to any port = bootps
@4 pass out quick on vr0 all keep state
@5 pass out quick on vr1 all keep state
@6 pass out quick on vr2 all keep state
@7 block out log quick all
@1 pass in quick on lo0 all
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopts
@4 pass in quick on vr0 proto udp from any port = bootpc to 255.255.255.255/32 port = bootps
@5 pass in quick on vr0 proto udp from any port = bootpc to 192.168.1.1/32 port = bootps
@6 block in log quick on vr1 from 192.168.1.0/30 to any
@7 block in log quick on vr1 from 192.168.3.0/24 to any
@8 block in log quick on vr1 proto udp from any port = bootps to 192.168.1.0/30 port = bootpc
@9 pass in quick on vr1 proto udp from any port = bootps to any port = bootpc
@10 block in log quick on vr0 from !192.168.1.0/30 to any
@11 block in log quick on vr2 from !192.168.3.0/24 to any
@12 block in log quick on vr1 from 10.0.0.0/8 to any
@13 block in log quick on vr1 from 127.0.0.0/8 to any
@14 block in log quick on vr1 from 172.16.0.0/12 to any
@15 block in log quick on vr1 from 192.168.0.0/16 to any
@16 skip 1 in proto tcp from any to any flags S/FSRA
@17 block in log quick proto tcp from any to any
@18 block in log quick on vr0 all head 100
@19 block in log quick on vr1 all head 200
@20 block in log quick on vr2 all head 300
@21 block in log quick all
# Group 100
@1 pass in quick from 192.168.1.0/30 to 192.168.1.1/32 keep state group 100
@2 block in log first quick from any to 192.168.3.0/24 group 100
@3 pass in log first quick from 192.168.1.0/30 to !192.168.3.0/24 keep state group 100
@4 block in quick from any to any group 100
# Group 200
@1 pass in log first quick proto icmp from any to 84.113.148.94/32 keep state group 200
@2 block in log first quick proto tcp/udp from 162.25.235.92/32 to any group 200
@3 block in log first quick from any to any group 200
# Group 300
@1 block in log first quick from any to 192.168.1.2/32 group 300
@2 pass in log first quick from 192.168.3.0/24 to !192.168.1.2/32 keep state group 300
@3 block in log first quick proto icmp from any to any group 300
@4 block in quick from any to any group 300


unparsed ipfilter rules:

Code:
# loopback
pass in quick on lo0 all
pass out quick on lo0 all
# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on vr0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on vr0 proto udp from any port = 68 to 192.168.1.1 port = 67
pass out quick on vr0 proto udp from 192.168.1.1 port = 67 to any port = 68

# WAN spoof check
block in log quick on vr1 from 192.168.1.0/30 to any
block in log quick on vr1 from 192.168.3.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on vr1 proto udp from any port = 68 to any port = 67
block in log quick on vr1 proto udp from any port = 67 to 192.168.1.0/30 port = 68
pass in quick on vr1 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on vr0 from ! 192.168.1.0/30 to any
block in log quick on vr2 from ! 192.168.3.0/24 to any

# block anything from private networks on WAN interface
block in log quick on vr1 from 10.0.0.0/8 to any
block in log quick on vr1 from 127.0.0.0/8 to any
block in log quick on vr1 from 172.16.0.0/12 to any
block in log quick on vr1 from 192.168.0.0/16 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on vr0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr0 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on vr1 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr1 all keep state

#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on vr2 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr2 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.1.0/30 to 192.168.1.1 keep state group 100

# User-defined rules follow
pass in log first quick proto icmp from any to 84.113.148.94 keep state group 200
block in log first quick proto tcp/udp from 162.25.235.92 to any group 200
block in log first quick from any to any group 200
block in log first quick from any to 192.168.1.2 group 300
pass in log first quick from 192.168.3.0/24 to !192.168.1.2 keep state group 300
block in log first quick proto icmp from any to any group 300
block in quick from any to any group 300
block in log first quick from any to 192.168.3.0/24 group 100
pass in log first quick from 192.168.1.0/30 to !192.168.3.0/24 keep state group 100
block in quick from any to any group 100

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

regards
redy
« Reply #3 on: January 02, 2011, 23:25:45 »
Manuel Kasper
Administrator
*****
Posts: 364

Ah, I think I know what is causing it. You set "LAN subnet" as the destination in your DMZ block rule. But since you apparently have no clients directly on the LAN interface or in the m0n0wall LAN subnet, only in a statically routed subnet, the block rule does nothing as it stands.

Remedy: change the destination in the block rule to the actual (W)LAN client subnet, or add a second block rule for the routed subnet. Then you can set the destination in the following permit rule to any.
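To make the diagnosis in the reply above concrete, here is an added example (not m0n0wall code and not from the thread) that models the first-match "quick" semantics of the group 300 rules shown in the ipfstat output, and then the amended ruleset. The routed WLAN client subnet 192.168.2.0/24 and the host addresses are assumed values; the thread never states the real client subnet.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str               # "pass" or "block"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    negate_dst: bool = False  # the "!dst" form in ipfilter syntax


def _match_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def evaluate(rules, src: str, dst: str) -> str:
    """Return the action of the first matching rule ('quick' semantics).
    The group's trailing 'block in quick from any to any' is the default."""
    for r in rules:
        dst_hit = _match_net(r.dst, dst)
        if r.negate_dst:
            dst_hit = not dst_hit
        if _match_net(r.src, src) and dst_hit:
            return r.action
    return "block"


# Group 300 (OPT1/DMZ) as it appears in the posted "ipfstat -nio" output.
ORIGINAL = [
    Rule("block", "any", "192.168.1.2/32"),                             # only the transport-net address
    Rule("pass", "192.168.3.0/24", "192.168.1.2/32", negate_dst=True),  # everything else passes
    Rule("block", "any", "any"),
]

# The suggested fix: block the transport net AND the routed client subnet, then permit to any.
WLAN_CLIENTS = "192.168.2.0/24"  # assumed/constructed; not stated in the thread
FIXED = [
    Rule("block", "any", "192.168.1.0/30"),
    Rule("block", "any", WLAN_CLIENTS),
    Rule("pass", "192.168.3.0/24", "any"),
    Rule("block", "any", "any"),
]


def demo() -> dict:
    dmz_host, wlan_client, internet = "192.168.3.10", "192.168.2.5", "203.0.113.7"  # constructed
    return {
        "orig_to_wlan": evaluate(ORIGINAL, dmz_host, wlan_client),      # "pass": the SSH leak
        "orig_to_router": evaluate(ORIGINAL, dmz_host, "192.168.1.2"),  # "block"
        "fixed_to_wlan": evaluate(FIXED, dmz_host, wlan_client),        # "block"
        "fixed_to_internet": evaluate(FIXED, dmz_host, internet),       # "pass"
    }
```

Running `demo()` shows why a destination of "LAN subnet" alone cannot stop DMZ hosts from reaching clients that sit behind the WLAN router in a routed subnet.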
« Reply #4 on: January 03, 2011, 11:33:12 »
redy *
Posts: 7

I went through all the possibilities during the day yesterday. Unfortunately none of them worked.

Something is going wrong there, but I cannot figure out what.
My current ruleset now looks like this:

DMZ Ruleset:
Block Proto: * ; Source: * ; Port: * ; Dest: * ; Prot: *    >> Block any any

With that I cannot reach the Internet (traffic from the DMZ towards the WAN is blocked), but between LAN and DMZ the "deny any any" rule has no effect at all.

A "deny any any" rule should close everything, regardless of whether there are routed networks or not; nothing should get through.

I don't understand it...

regards
redy