Combining 3 different ADSL lines with OpenBSD PF

A set of firewall rules in which 3 different ADSL lines are used as one shared line with OpenBSD PF…
Because the lines go up and down, ifstated is used so that a line can be taken out of service or brought back into service according to its state.

Problems may occur on some shopping sites that track by source IP. Even though I use sticky-address, I have not yet been able to solve the problem of it changing. The rules were written for the functionality of the network rather than for security, so I did not use block etc.

System used: OpenBSD 4.1

#
# 07-03-31 04:03
#
#

ext_if0 = "fxp0" # ADSL-I
ext_if1 = "fxp1" # ADSL-II
ext_if2 = "fxp1" # ADSL-III
int_if = "bge0"
ic_ag1 = "192.168.1.0/24"
ic_ag2 = "192.168.10.0/24"
ext_gw0 = "5.5.5.1"
ext_gw1 = "6.6.6.1"
ext_gw2 = "7.7.7.1"
gws="{192.168.1.1 192.168.10.254}"
gw1="192.168.1.1"
gw2="192.168.10.254"

######### Transparent proxy ####################################

#rdr on $int_if proto tcp from {$ic_ag1 $ic_ag2} to any port 80 -> 127.0.0.1 port 3128

######### For trouble-free FTP use #######################

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass log (all) on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

############# Access to the 5.5.5.x modem... ######################
nat pass on $ext_if0 from {$ic_ag1 $ic_ag2} to 5.5.5.1 -> 5.5.5.2

######## Access to the 6.6.6.x modem ###########################
nat on $ext_if1 from {$ic_ag1 $ic_ag2} to 6.6.6.1 -> 6.6.6.2

####### Access to the 7.7.7.1 modem ##############################
nat pass on $ext_if1 from {$ic_ag1 $ic_ag2} to 7.7.7.1 -> 7.7.7.2

############# For the route-to problem with the news site ###############
nat pass on $ext_if0 from {$ic_ag1 $ic_ag2} to 1.11.6.14 -> 5.5.5.2

################### Standard NAT, outgoing load balance #######

nat on $ext_if0 from {$ic_ag1 $ic_ag2} to any -> 5.5.5.2
nat on $ext_if1 from {$ic_ag1 $ic_ag2} to any -> 6.6.6.2
nat on $ext_if1 from {$ic_ag1 $ic_ag2} to any -> 7.7.7.2

### So the two networks can talk to each other properly #####################
pass in quick log (all) on $int_if from $ic_ag1 to $ic_ag2
pass in quick log (all) on $int_if from $ic_ag2 to $ic_ag1

###### Accept SSH connections coming from outside ###################
pass in quick log (all) on $ext_if0 reply-to($ext_if0 $ext_gw0) proto tcp from any to $ext_if0:0 port 22

## Accepting SSH on the 7.7.7.x line
pass in quick log (all) on $ext_if1 reply-to($ext_if2 $ext_gw2) proto tcp from any to 7.7.7.2 port 22

#### For active FTP to work #############
##

############## SSH/HTTP connections made from inside ###################

pass in quick on $int_if proto tcp from $ic_ag1 to $gw1 port {80 22} keep state
pass in quick on $int_if proto tcp from $ic_ag2 to $gw2 port {80 22} keep state

############ DNS requests made from inside ########################
pass in quick on $int_if proto {tcp udp} from {$ic_ag1 $ic_ag2} to any port 53 keep state
#pass in quick on $int_if proto {tcp udp} from $ic_ag2 to $gw2 port 53 keep state

###### Combining the lines #######################################

pass in quick log (all) on $int_if route-to {($ext_if0 $ext_gw0)} \
    proto {udp tcp} from any to 1.11.3.14

# Access to the modems
pass in quick on $int_if route-to ($ext_if0 $ext_gw0) from {$ic_ag1 $ic_ag2} to 5.5.5.1
pass in quick on $int_if route-to ($ext_if1 $ext_gw1) from {$ic_ag1 $ic_ag2} to 6.6.6.1
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) from {$ic_ag1 $ic_ag2} to 7.7.7.1

## Test for SSL bank connections - for the source IP variability
#pass in quick log (all) on $int_if route-to($ext_if0 $ext_gw0) proto tcp from {$ic_ag1 $ic_ag2} to any port 443

pass in quick log (all) on $int_if route-to {($ext_if0 $ext_gw0), ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2)} \
    round-robin sticky-address proto {udp tcp} from {$ic_ag1 $ic_ag2} to any

pass out log (all) on $ext_if0 route-to ($ext_if1 $ext_gw1) proto {icmp tcp udp} from 6.6.6.2 to any

pass out log (all) on $ext_if0 route-to ($ext_if2 $ext_gw2) proto {icmp tcp udp} from 7.7.7.2 to any

pass out log (all) on $ext_if1 route-to ($ext_if0 $ext_gw0) proto {icmp tcp udp} from $ext_if0 to any
pass out log (all) on $ext_if1 route-to ($ext_if2 $ext_gw2) proto {icmp tcp udp} from 7.7.7.2 to any

pass out log (all) on $ext_if2 route-to ($ext_if0 $ext_gw0) proto {icmp tcp udp} from $ext_if0 to any
pass out log (all) on $ext_if2 route-to ($ext_if1 $ext_gw1) proto {icmp tcp udp} from 6.6.6.2 to any
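The ruleset keeps all three gateways in one static route-to pool, so a line that has gone down still receives its share of new connections until the rule is edited; the post relies on ifstated to take a line out. The script below is an added example, not part of the original post or the author's setup: it rebuilds the load-balancing rule inside a PF anchor from whichever gateways currently answer a ping, and refuses to touch the anchor when none of them does. It assumes an anchor named wanlb attached from pf.conf (for example `anchor "wanlb" on $int_if`, which the original ruleset does not contain), the interface and gateway pairs from the post, and pfctl's ability to read a ruleset from standard input with `-f -`.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate the multi-WAN
# route-to rule in the "wanlb" anchor from the gateways that are reachable.

# Constructed list of "interface gateway" pairs, mirroring the post's macros
# (ext_if2 is fxp1 there as well).
UPLINKS='fxp0 5.5.5.1
fxp1 6.6.6.1
fxp1 7.7.7.1'

INT_IF=bge0
LANS='{ 192.168.1.0/24 192.168.10.0/24 }'

# Reachability probe: one ICMP echo, one second of patience.
# Returns 0 when the gateway answers.
probe_gateway() {
    ping -c 1 -w 1 "$1" >/dev/null 2>&1
}

# Print "(if gw)" for every uplink whose gateway passes the probe.
# $1 names the probe function, so a test can substitute a stub.
live_uplinks() {
    probe=${1:-probe_gateway}
    echo "$UPLINKS" | while read -r ifc gw; do
        [ -n "$ifc" ] || continue
        if "$probe" "$gw"; then
            printf '(%s %s)\n' "$ifc" "$gw"
        fi
    done
}

# Emit the anchor ruleset for the live uplinks.
#   0 live -> print nothing, return 1 (caller keeps the old anchor contents)
#   1 live -> plain route-to, no pool options needed
#   2+     -> round-robin with sticky-address, as in the post
build_ruleset() {
    list=''
    n=0
    while read -r pair; do
        [ -n "$pair" ] || continue
        n=$((n + 1))
        if [ -z "$list" ]; then list=$pair; else list="$list, $pair"; fi
    done <<EOF
$(live_uplinks "${1:-probe_gateway}")
EOF
    case "$n" in
    0) return 1 ;;
    1) printf 'pass in quick on %s route-to %s proto { tcp udp } from %s to any\n' \
           "$INT_IF" "$list" "$LANS" ;;
    *) printf 'pass in quick on %s route-to { %s } round-robin sticky-address proto { tcp udp } from %s to any\n' \
           "$INT_IF" "$list" "$LANS" ;;
    esac
}

# Replace the anchor contents; leave them alone if no uplink answers.
main() {
    if rules=$(build_ruleset); then
        printf '%s\n' "$rules" | pfctl -a wanlb -f -
    else
        echo "wanlb: no uplink answered the probe; anchor left unchanged" >&2
        return 1
    fi
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `sh wanlb.sh apply` from cron or from an ifstated state transition (the `run` keyword in ifstated.conf). One caveat that bears on the source-IP complaint in the post: sticky-address only pins a client while a source-tracking entry for it exists, and by default that entry is dropped as soon as the client's last state expires, so the global `set timeout src.track` in pf.conf (it is not an anchor option) decides how long a client stays on one line between connections.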


4 Responses to Combining 3 different ADSL lines with OpenBSD PF

  1. Ali says:

    Hello,
    I did not understand some of the things above and would like to ask about them, but since I do not know whether this is the right place, I did not want to turn this into a forum. If we want to make a technical comment about what you have written, or consult you on a point, where should we do that?

  2. Huzeyfe ONAL says:

    hello,

    if it concerns this article, this is the place; but if it is a general firewall/pf question you can ask it on the Enderunix bsd list. You will have the chance to reach more experts who know the subject.

  3. Salih BiLGiN says:

    A very nice article. I am asking because I do not have the means to try it, but it has been on my mind: can this setup be scaled up to 10 lines?

    Can we set upload and download limits per connection?

  4. Huzeyfe ONAL says:

    It can be scaled up, of course, but managing 10 lines would be much more troublesome than 3.
