lair:cist.lan:start:routerconfig

lair:cist.lan:start:routerconfig [2014/04/29 17:28] – [Router Configuration] ahughe12
lair:cist.lan:start:routerconfig [2014/04/30 15:28] (current) – [Down to Brass Tacks] eolson1
Line 12: Line 12:
      file "master/cist.lan";      file "master/cist.lan";
      //don't allow transfers, cist.lan will not be allowed to get out.       //don't allow transfers, cist.lan will not be allowed to get out. 
-     }+     };
 </code>  </code> 
  
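Review bot: the added `;` after the closing brace is required, since a named.conf zone statement has to end in `};`, but the comment on the line above promises that transfers are disallowed while nothing in the visible lines actually does that. If the stanza does not already carry it above line 12, add `allow-transfer { none; };` (or an explicit list of permitted secondaries) inside the zone block before the `};`, then run `named-checkconf -z` to confirm both the syntax and that `master/cist.lan` loads.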
Line 620: Line 620:
 The cist.lan router will be connecting directly to projects.lan, so in order to make this happen, we had to add an extra NIC card to projects.lan. All of our machines are the basic setup, just with enough NIC cards to properly connect to the machines necessary. The cist.lan router will be connecting directly to projects.lan, so in order to make this happen, we had to add an extra NIC card to projects.lan. All of our machines are the basic setup, just with enough NIC cards to properly connect to the machines necessary.
  
-====Down to Brass Tax====+====Down to Brass Tacks====
 ---- ----
  
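Review bot: "NIC card" in the context paragraph is redundant (the C already stands for card), so "NIC" alone reads better; and "All of our machines are the basic setup" would help a reader more if it pointed at the section that describes that base build.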
Line 664: Line 664:
  
 * Note: An "issue" appears when someone pings the router from, for example, the pods where you can successfully ping the 10.80.11/24 subnet, but, when you try to ping an address besides the projects.lan addresses, it does not successfully send packets to the destination. This is due to the 10.50.100.3 and 10.50.100.4 connection between projects.lan (10.50.100.3) and cist.lan (10.50.100.4); only projects.lan knows about the address, so when someone tries to ping from cist.lan to caprisun, juicebox, or offbyone, the packets do not reach those machines. It is possible to ping 10.80.11/24 and ping from that subnet, however. * Note: An "issue" appears when someone pings the router from, for example, the pods where you can successfully ping the 10.80.11/24 subnet, but, when you try to ping an address besides the projects.lan addresses, it does not successfully send packets to the destination. This is due to the 10.50.100.3 and 10.50.100.4 connection between projects.lan (10.50.100.3) and cist.lan (10.50.100.4); only projects.lan knows about the address, so when someone tries to ping from cist.lan to caprisun, juicebox, or offbyone, the packets do not reach those machines. It is possible to ping 10.80.11/24 and ping from that subnet, however.
 +
 +
 +===pf.conf configuration===
 +----
 +
 +<code>
 +#       $OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $
 +#
 +# See pf.conf(5) for syntax and examples.
 +# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 +# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
 +
 +# increase default state limit from 10'000 states on busy systems
 +#set limit states 100000
 +
 +ext_if="bge0"
 +int_if="fxp0"
 +lnet="$int_if:network"
 +
 +
 +set skip on { lo }
 +
 +# filter rules and anchor for ftp-proxy(8)
 +#anchor "ftp-proxy/*"
 +#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
 +
 +# anchor for relayd(8)
 +#anchor "relayd/*"
 +
 +block in on $ext_if             # block stateless traffic
 +pass in on $int_if              # establish keep-state
 +
 +pass out on { $int_if } from any to any keep state
 +
 +pass quick inet proto icmp from any to any keep state
 +antispoof quick for { $int_if, $ext_if } inet
 +pass in quick on { $int_if, $ext_if } proto tcp flags S/SA keep state 
 +
 +
 +
 +# rules for spamd(8)
 +#table <spamd-white> persist
 +#table <nospamd> persist file "/etc/mail/nospamd"
 +#pass in on egress proto tcp from any to any port smtp \
 +#    rdr-to 127.0.0.1 port spamd
 +#pass in on egress proto tcp from <nospamd> to any port smtp
 +#pass in log on egress proto tcp from <spamd-white> to any port smtp
 +#pass out log on egress proto tcp to any port smtp
 +
 +
 +#block in quick from urpf-failed to any # use with care
 +
 +# By default, do not permit remote connections to X11
 +block in on ! lo0 proto tcp to port 6000:6010
 +</code>
 +
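Review bot: `pass in quick on { $int_if, $ext_if } proto tcp flags S/SA keep state` opens every TCP port on the external interface, so the earlier `block in on $ext_if` never takes effect for TCP, and the trailing `block in on ! lo0 proto tcp to port 6000:6010` is dead for both interfaces because the `quick` pass has already matched by the time pf reaches it. Unless bge0 is meant to be wide open, drop `$ext_if` from that rule (pass on `$int_if` only and add explicit rules for any service that must be reachable from outside) and move the X11 block ahead of the pass rules or give it `quick`. The same ordering applies to `pass quick inet proto icmp from any to any keep state`, which admits ICMP on every interface regardless of the block above it. Smaller points: there is no `block all` default, so anything the rules do not match, including outbound on `$ext_if`, which has no `pass out` rule, is passed by pf's implicit default; `lnet="$int_if:network"` is defined but never used; and the routing note above (only projects.lan knows 10.50.100.4) describes a missing return path that no pf rule here can fix, so it should be tracked as a route problem on the far side. Verify with `pfctl -nf /etc/pf.conf` for syntax and `pfctl -sr` to see the rules in their final order, then probe bge0 from the projects.lan side to confirm only the intended ports answer.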
lair/cist.lan/start/routerconfig.1398792483.txt.gz · Last modified: 2014/04/29 17:28 by ahughe12