De las secciones anteriores resultaría un
archivo /etc/pf.conf
(adaptado de la Guía de PF) como el siguiente:
# Reminder: set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf, otherwise the host does not route between $int_if and $ext_if.
# ---- Macros ----
ext_if="dc1" # Replace with the external interface
int_if="dc0" # Replace with the internal interface
int_ip="192.168.1.1" # Replace with the LAN-side address (not referenced by any rule below)
ext_ip="200.93.171.42" # Replace with the public IP (used only by the outbound FTP rule)
# LAN. Network segment
lan="192.168.1/24"
# Services offered by the firewall itself
servicios_tcp="{ssh,domain}"
servicios_udp="{domain}"
servicios_icmp="echoreq"
# Internal server
# NOTE(review): 192.168.2.2 lies outside $lan (192.168.1/24), so it must be reachable
# through some interface or route other than the one $lan covers -- confirm.
serv_ip="192.168.2.2"
# NOTE(review): includes ldap (389), which is redirected from the public interface below;
# plain LDAP carries binds in cleartext, so exposing it to the Internet is a risk to weigh.
servicios_serv="{ldap,smtp,www,https,imaps}"
# ---- Options ----
# Blocked packets are answered (TCP RST / ICMP unreachable) instead of being dropped
# silently; "drop" reveals less to a scanner, "return" makes legitimate failures faster to see.
set block-policy return
set loginterface $ext_if
# No filtering at all on loopback and on the IPsec enc0 interface.
set skip on {lo enc0}
# Normalise/reassemble all inbound packets before the filter rules see them.
scrub in all
# ---- NAT ----
# Source-NAT everything leaving $ext_if that does not already carry its address, using
# the first address of $ext_if (resolved dynamically -- hence the parentheses).
match out on $ext_if from !($ext_if) nat-to ($ext_if:0)
# ---- Default policy: deny and log inbound, allow outbound (stateful) ----
block in log all
pass out keep state
# Redundant with "set skip on lo" above; kept as in the source guide.
pass quick on { lo }
# Drop packets arriving on another interface that claim a loopback or LAN source address.
antispoof quick for { lo $int_if }
# ---- FTP from the LAN through ftp-proxy(8) ----
# NOTE(review): ftp-proxy(8) installs its per-session rules into an anchor that the
# ruleset has to declare (anchor "ftp-proxy/*"); no such line appears in this excerpt -- confirm
# it exists in the full file if the proxy is used.
pass in on $int_if proto tcp from $lan to any port ftp
# Control connection from the proxy to the remote FTP server (already covered by "pass out" above).
pass out proto tcp from $ext_ip to any port 21
# Redirect LAN FTP control connections to the local proxy on 127.0.0.1:8021.
match in on $int_if proto tcp from $lan to any port ftp rdr-to \
127.0.0.1 port 8021
# Everything arriving on the internal interface is allowed -- any protocol, any destination,
# including the firewall's own services. The LAN is fully trusted here; tighten this if the
# hosts on it are not.
pass in quick on $int_if
# ---- Public services forwarded to the internal server ----
# Translation happens at the match rule, so the rules that follow see $serv_ip as the
# destination; the final "pass in ... to $serv_ip port $servicios_serv" rule is what admits them.
match in on $ext_if proto tcp from any to any port 80 rdr-to \
$serv_ip port 80
match in on $ext_if proto tcp from any to any port 443 rdr-to \
$serv_ip port 443
match in on $ext_if proto tcp from any to any port 993 rdr-to \
$serv_ip port 993
match in on $ext_if proto tcp from any to any port smtp rdr-to \
$serv_ip port smtp
# NOTE(review): LDAP (389) forwarded from the public interface; see the macro comment above.
match in on $ext_if proto tcp from any to any port 389 rdr-to \
$serv_ip port 389
# SSH to the server on a non-standard public port (10022 -> 22).
match in on $ext_if proto tcp from any to any port 10022 rdr-to \
$serv_ip port 22
# NOTE(review): because later rules see the translated destination port (22, not 10022),
# this pass rule may never match, and 22 is not in $servicios_serv either -- verify with a
# test connection and "pfctl -vsr" that the redirect is actually passed. The same applies
# to the 10465 -> 465 pair below.
pass on $ext_if proto tcp from any to any port 10022
match in on $ext_if proto tcp from any to any port 10465 rdr-to \
$serv_ip port 465
pass on $ext_if proto tcp from any to any port 10465
# ---- Services offered by the firewall itself (SSH, DNS, ping) ----
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $servicios_tcp keep state
pass in on $ext_if inet proto udp from any to ($ext_if) \
port $servicios_udp keep state
# No "on" clause: echo requests are accepted on every interface, not only $ext_if.
pass in inet proto icmp all icmp-type $servicios_icmp keep state
# Only SYN-only packets (flags S/SA) create state; pf completes the TCP handshake itself
# before the server sees the connection (synproxy), which shields it from SYN floods.
pass in on $ext_if proto tcp from any to $serv_ip port $servicios_serv \
flags S/SA synproxy state
Guía del usuario de PF [PF].