大家好,小弟是Linux/OBSD的新手
最近上課在做的project
因為router是OBSD所以有些檔案名稱path會不一樣
要問的問題是OBSD裡面的/etc/pf.conf的一些rules
老師的要求是:
1. Windows subnet to storage subnet: NO access
2. Windows subnet to web server subnet: RESTRICTED access
Only SSL HTTP ports allowed
3. Web server subnet to storage subnet: RESTRICTED access
Only iSCSI ports allowed
小弟自己用小畫家畫了一個圖形
http://tinypic.com/view.php?pic=fwqhxz&s=8#.Uyp0NPldUwA
OBSD router有1 external interface (em0) 2 internal interfaces (em1 & em2)
Windows subnet >> em1
www server >> em2
storage server >> 從主要的router連接到OBSD router
小弟自己弄出來的pf rules是
ext_if = "em0"
int_if = "em1"
int_if2 = "em2"
www_server = "192.168.32.130"
web_ports = "{ https, iscsi }"
tcp_services = "{ ssh, domain }"
udp_services = "{ router, domain }"
set skip on lo
block in
pass in on $int_if from $int_if:network
pass in on $int_if2 from $int_if2:network
pass in inet proto icmp
block from $int_if:network to $int_if2:network
pass in on $ext_if inet proto tcp to $ext_if port $tcp_services
pass in on $ext_if inet proto udp to $ext_if port $udp_services
pass in on $ext_if inet proto tcp to $www_server port $web_ports
pass in on $int_if inet proto tcp from $int_if:network to $www_server port
https
block from $int_if:network to 10.12.0.0/16
pass out
今天老師檢查後說這個configuration很奇怪
因為
pass in on $int_if from $int_if:network
pass in on $int_if2 from $int_if2:network
這兩個其實很多餘
還有pass in on $int_if inet proto tcp from $int_if:network to $www_server
port https
這個也是很怪異
但是老師測試了一下後說 因為有達到要求所以過了(測試方式用ping還有看我們的網頁是
否只能顯示https)
重點: 如果是各位大大 會怎麼寫呢?
不好意思寫很多 感謝您的指點