Hello,
It will be great if somebody could take a look at my /etc/pf.conf (first try):
(the appropriate port numbers, i. e. for znc, has been typed into /etc/services)
I've got only one external IP adress (AA.AAA.AAA.AAA), so I've decided to create a new local interface and forward the appropriate ports with pf as a NAT. ifconfig looks like this:
Yes, it's Kimsufi
But everyone has to start somewhere!
Here's what I've tried to achieve:
- Apache + PHP (1), MySQL-server (2), ZNC (3), postfix + dovecot + Roundcube (4), PowerDNS (5) on separate jails,
- jails no. 1, 3, 4 and 5 must be must be capable of contact with the rest of the world,
- jails no. 1 and 2 must be able to local communication between them; the same applies to 1 and 4; 2 and 5,
- SSH accessible to the host system on custom port,
- any other traffic blocked (excluding system services, like updating ports, ntp, etc.).
So, what do you think? Is it "acceptable" enough?
Greetings!
It will be great if somebody could take a look at my /etc/pf.conf (first try):
Code:
# MACROS
ext_if="em0"
int_if="lo1"
SSH_CUSTOM = xxxx
scrub in on $ext_if all fragment reassemble
set skip on lo0
antispoof for $ext_if
# TCP/UDP/ICMP IN
pass in quick on $ext_if inet proto tcp from any to $ext_if port $SSH_CUSTOM
pass in quick on $ext_if inet proto tcp from any to $ext_if port http
pass in quick on $ext_if inet proto tcp from any to $ext_if port https
pass in quick on $ext_if inet proto tcp from any to $ext_if port znc
pass in quick on $ext_if inet proto tcp from any to $ext_if port smtp
pass in quick on $ext_if inet proto udp from any to $ext_if port smtp
pass in quick on $ext_if inet proto tcp from any to $ext_if port pop3
pass in quick on $ext_if inet proto tcp from any to $ext_if port pop3s
pass in quick on $ext_if inet proto tcp from any to $ext_if port imap
pass in quick on $ext_if inet proto tcp from any to $ext_if port imaps
pass in quick on $ext_if inet proto tcp from any to $ext_if port pdns
pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types
#TCP/UDP/ICMP OUT
pass out quick on $ext_if inet proto tcp from $ext_if to any port $SSH_CUSTOM
pass out quick on $ext_if inet proto tcp from $ext_if to any port whois
pass out quick on $ext_if inet proto tcp from $ext_if to any port http
pass out quick on $ext_if inet proto tcp from $ext_if to any port https
pass out quick on $ext_if inet proto tcp from $ext_if to any port znc
pass out quick on $ext_if inet proto tcp from any to $ext_if port smtp
pass out quick on $ext_if inet proto udp from any to $ext_if port smtp
pass out quick on $ext_if inet proto tcp from any to $ext_if port pop3
pass out quick on $ext_if inet proto tcp from any to $ext_if port pop3s
pass out quick on $ext_if inet proto tcp from any to $ext_if port imap
pass out quick on $ext_if inet proto tcp from any to $ext_if port imaps
pass out quick on $ext_if inet proto tcp from any to $ext_if port pdns
pass out quick on $ext_if inet proto udp from $ext_if to any port ntp
pass out quick on $ext_if inet proto icmp from $ext_if to any
# JAIL PORTS REDIRECT
nat on em0 from lo1:network to any -> ($ext_if)
rdr on em0 proto tcp from any to ext._ip port http -> 10.0.0.1 port http
rdr on em0 proto tcp from any to ext._ip port https -> 10.0.0.1 port https
rdr on em0 proto tcp from any to ext._ip port znc -> 10.0.0.3 port znc
rdr on em0 proto tcp from any to ext._ip port pop3 -> 10.0.0.4 port pop3
rdr on em0 proto tcp from any to ext._ip port pop3s -> 10.0.0.4 port pop3s
rdr on em0 proto tcp from any to ext._ip port imap -> 10.0.0.4 port imap
rdr on em0 proto tcp from any to ext._ip port imaps -> 10.0.0.4 port imaps
rdr on em0 proto tcp from any to ext._ip port pdns -> 10.0.0.5 port pdns
# POLICY
block log all(the appropriate port numbers, i. e. for znc, has been typed into /etc/services)
I've got only one external IP adress (AA.AAA.AAA.AAA), so I've decided to create a new local interface and forward the appropriate ports with pf as a NAT. ifconfig looks like this:
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
ether 00:22:4d:ae:1d:8c
inet AA.AAA.AAA.AAA netmask 0xffffff00 broadcast AA.AAA.AAA.255
inet6 fe80::222:4dff:feae:1d8c%em0 prefixlen 64 scopeid 0x1
inet6 YYYY:YYYY:Y:YYYY::Y prefixlen 128
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet 10.0.0.254 netmask 0xffffff00
inet 10.0.0.1 netmask 0xffffff00
inet 10.0.0.2 netmask 0xffffff00
inet 10.0.0.3 netmask 0xffffff00
inet 10.0.0.4 netmask 0xffffff00
inet 10.0.0.5 netmask 0xffffff00
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>Yes, it's Kimsufi
But everyone has to start somewhere!Here's what I've tried to achieve:
- Apache + PHP (1), MySQL-server (2), ZNC (3), postfix + dovecot + Roundcube (4), PowerDNS (5) on separate jails,
- jails no. 1, 3, 4 and 5 must be must be capable of contact with the rest of the world,
- jails no. 1 and 2 must be able to local communication between them; the same applies to 1 and 4; 2 and 5,
- SSH accessible to the host system on custom port,
- any other traffic blocked (excluding system services, like updating ports, ntp, etc.).
So, what do you think? Is it "acceptable" enough?
Greetings!
