[РЕШЕНО] блокировка 25 порта

[cubespace]

Єто вывод при таком варианте:

Код: [Выделить]

int_if="igb1"
int_net="192.168.1.0/24"
int_ip="192.168.1.1"
table mail { 192.168.1.101, 192.168.1.3 }
pass quick on $int_if proto tcp from <mail> to $int_ip port 25
block quick on $int_if proto tcp from $int_net to $int_ip port 25

Код: [Выделить]

# pfctl -vsr
scrub in all fragment reassemble
  [ Evaluations: 781836    Packets: 410369    Bytes: 108826781   States: 0     ]
  [ Inserted: uid 0 pid 51638 ]
pass out all flags S/SA keep state
  [ Evaluations: 66739     Packets: 212053    Bytes: 139922248   States: 12603 ]
  [ Inserted: uid 0 pid 51638 ]
pass in all flags S/SA keep state
  [ Evaluations: 66739     Packets: 41430     Bytes: 27190522    States: 4497  ]
  [ Inserted: uid 0 pid 51638 ]
pass in on igb1 inet from any to ! 192.168.1.1 flags S/SA keep state (source-track rule, max-src-conn 2000) queue std
  [ Evaluations: 37079     Packets: 95892     Bytes: 63162606    States: 4605  ]
  [ Inserted: uid 0 pid 51638 ]
pass in on igb1 inet from <limited> to ! 192.168.1.1 flags S/SA keep state (source-track rule, max-src-conn 600) queue limited
  [ Evaluations: 22106     Packets: 88095     Bytes: 55410712    States: 4708  ]
  [ Inserted: uid 0 pid 51638 ]
pass in on igb1 inet from 192.168.1.3 to <modems> flags S/SA keep state queue admin
  [ Evaluations: 22768     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 51638 ]
pass quick on igb1 inet proto tcp from <mail> to 192.168.1.1 port = smtp flags S/SA keep state
  [ Evaluations: 52430     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 51638 ]
block drop quick on igb1 inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port = smtp
  [ Evaluations: 15773     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 51638 ]
block drop log on igb0 from <badhosts> to any
  [ Evaluations: 66746     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 51638 ]

[myst]

Говорю же, у вас срабатывают правила выше. Поставьте мои два правила сразу после нормализации и ната.
scrub.

[cubespace]

Не помогает!

Вот так делал:

Код: [Выделить]

nat on $ext_if from $internal_net to any -> ($ext_if:0)
nat on $ext_if2 from $internal_net to any -> {$ext_if2:0}
nat on $ua9_if from $internal_net to any -> {$ua9_if:0}
nat on $ua9_if from <realnet> to any -> {$ua9_if:0}

pass quick on $int_if proto tcp from <mail> to $int_ip port 25
block quick on $int_if proto tcp from $int_net to $int_ip port 25

rdr on $ext_if proto tcp from any to $ext_ip port 27015 -> 192.168.1.101 port 27015
rdr on $ext_if proto udp from any to $ext_ip port 27015 -> 192.168.1.101 port 27015

и вот что получилось:

Код: [Выделить]

Enabling pf/etc/pf.conf:87: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:88: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:89: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:90: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:91: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:92: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:93: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:94: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:95: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:96: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:97: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:98: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:99: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:100: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:101: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:102: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:103: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:104: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:105: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:106: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:107: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:108: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:110: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:111: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:112: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:113: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:114: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:115: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:116: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:117: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:118: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:119: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:120: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:121: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:122: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:124: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:125: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:126: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:127: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:128: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:129: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:130: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:132: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:133: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded

[FessAectan]

pass in on $int_if from any to !192.168.1.1 keep state (max-src-conn 2000) queue std
pass in on $int_if from <limited> to !192.168.1.1 flags S/SA  keep state (max-src-conn 600) queue limited
pass in on $int_if from 192.168.1.3 to <modems> queue admin

Это не нужно, достаточно одной строки

Код: [Выделить]

pass all

ps
лучше, все таки, использовать
block all в начале,а затем разрешать то что нужно

[FessAectan]

Тоже самое!

И я тут извиняюсь, в предедущем неправильно в казал :
192.168.1.103
нет в списке:

Код: [Выделить]

table <mail> { 192.168.1.101, 192.168.1.3, ХХ.ХХ.ХХ.189 )

но выход на 25 порт из 192.168.1.103, открыт (

Так это же очевидно из вашего конфига.
Его нет в списке - ему разрешен доступ.
Если нужно запретить для всей локалки то пишите как-то так

Код: [Выделить]

block on $int_if proto tcp from $int_if:network to $int_ip port 25

pass quick on $int_if proto tcp from <mail> to $int_ip port 25

отсюда квик уберите

[cubespace]

Цель єтого списка была в том чтобы всем доступ закрыт, а только тем кто в списке разрешен

у меня 3 подсети:
192.168.1.0
192.168.2.0
192.168.3.0

и перечислять всех кому нельзя, из 3 под сетей, глупо будет 

[FessAectan]

Псоледний кусок правил я бы так переписал

Код: [Выделить]

pass all
block log  on $int_if inet proto tcp from $int_if:network to any port 25
pass on $int_if inet proto tcp from <mail> to port 25
block log on $ext_if from <badhosts> to any

Только из таблицы mail уберите реальный адрес, а для этого ip отдельное правило на другом интерфейсе!
Ну и соответственно в mail те кому можно из локальной сети

[myst]

отсюда квик уберите

Квик то зачем убирать.
Квик никогда не помешает если надо что-то побырому запретить/разрешить и не хочется долго курить прохождение пакетов.

[myst]

Не помогает!

Вот так делал:

Код: [Выделить]

nat on $ext_if from $internal_net to any -> ($ext_if:0)
nat on $ext_if2 from $internal_net to any -> {$ext_if2:0}
nat on $ua9_if from $internal_net to any -> {$ua9_if:0}
nat on $ua9_if from <realnet> to any -> {$ua9_if:0}

pass quick on $int_if proto tcp from <mail> to $int_ip port 25
block quick on $int_if proto tcp from $int_net to $int_ip port 25

rdr on $ext_if proto tcp from any to $ext_ip port 27015 -> 192.168.1.101 port 27015
rdr on $ext_if proto udp from any to $ext_ip port 27015 -> 192.168.1.101 port 27015

и вот что получилось:

Код: [Выделить]

Enabling pf/etc/pf.conf:87: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:88: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:89: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:90: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:91: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:92: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:93: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:94: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:95: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:96: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:97: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:98: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:99: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:100: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:101: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:102: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:103: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:104: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:105: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:106: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:107: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:108: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:110: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:111: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:112: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:113: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:114: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:115: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:116: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:117: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:118: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:119: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:120: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:121: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:122: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:124: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:125: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:126: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:127: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:128: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:129: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:130: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:132: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:133: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded

Конечно это получилсь. Я же сказал ПОСЛЕ правил ната.
редирект это тоже нат.

[FessAectan]

отсюда квик уберите

Квик то зачем убирать.
Квик никогда не помешает если надо что-то побырому запретить/разрешить и не хочется долго курить прохождение пакетов.

согласен, невнимательно на правила смотрел.

[FessAectan]

Проблема решена, автор или модераторы, исправьте тему.

Спасибо! Решено!

автор у нас отписался...