5. Ejemplo del uso de PF en una DMZ

De las secciones anteriores resultaría un archivo /etc/pf.conf (adaptado de la Guía de PF) como el siguiente:

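	# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
	# in /etc/sysctl.conf, otherwise nothing is forwarded between interfaces.

	# --- Macros ---------------------------------------------------------------
	ext_if="dc1"  # Change to the external interface
	int_if="dc0"  # Change to the internal interface

	int_ip="192.168.1.1"  # Change to the address on the LAN
	ext_ip="200.93.171.42"  # Change to the public IP

	# LAN network segment
	lan="192.168.1/24"

	# Services offered by the firewall host itself
	servicios_tcp="{ssh,domain}"
	servicios_udp="{domain}"
	servicios_icmp="echoreq"

	# Internal server (DMZ host) and the services it exposes to the outside
	serv_ip="192.168.2.2"
	servicios_serv="{ldap,smtp,www,https,imaps}"

	# --- Options --------------------------------------------------------------
	# Blocked packets get a TCP RST / ICMP unreachable instead of a silent drop
	set block-policy return
	set loginterface $ext_if

	# No filtering at all on loopback and on the IPsec (enc0) interface
	set skip on {lo enc0}
	scrub in all

	# NAT: traffic leaving $ext_if carries the primary address of $ext_if
	match out on $ext_if from !($ext_if) nat-to ($ext_if:0)

	# Default policy: block (and log) everything inbound, allow everything outbound
	block in log all
	pass out keep state
	# Loopback is already exempted by "set skip"; kept for clarity
	pass quick on { lo }
	# Drop packets whose source address could not legitimately arrive on these interfaces
	# NOTE(review): $ext_if is not covered here; consider adding it as well
	antispoof quick for { lo $int_if }

	# Outgoing FTP from the LAN is handed to ftp-proxy listening on 127.0.0.1:8021;
	# the second rule lets the proxy open its own control connections
	pass in on $int_if proto tcp from $lan to any port ftp
	pass out proto tcp from $ext_ip to any port 21

	match in on $int_if proto tcp from $lan to any port ftp rdr-to \
		127.0.0.1 port 8021

	# Everything arriving on the internal interface is allowed (permissive:
	# narrow this if the LAN is not fully trusted)
	pass in quick on $int_if

	# Public services redirected to the internal server. These are match rules,
	# so the pass rule for $servicios_serv at the end of the file is what
	# actually admits the traffic, and it matches on the translated
	# destination ($serv_ip).
	match in on $ext_if proto tcp from any to any port 80 rdr-to \
		$serv_ip port 80
	match in on $ext_if proto tcp from any to any port 443 rdr-to \
		$serv_ip port 443
	match in on $ext_if proto tcp from any to any port 993 rdr-to \
		$serv_ip port 993
	match in on $ext_if proto tcp from any to any port smtp rdr-to \
		$serv_ip port smtp
	match in on $ext_if proto tcp from any to any port 389 rdr-to \
		$serv_ip port 389

	# SSH and SMTPS on the internal server, reachable on non-standard public ports.
	# Redirect and pass are combined in one rule: it is matched on the original
	# port (10022 / 10465) before translation, so no separate pass rule is needed.
	# The earlier split form ("match ... rdr-to" followed by "pass ... port 10022")
	# relied on a pass rule that, like the $servicios_serv rule below, would have
	# had to match the translated packet (to $serv_ip port 22 / 465); neither
	# port is in $servicios_serv, so those connections ended up in "block in log all".
	pass in on $ext_if proto tcp from any to any port 10022 rdr-to \
		$serv_ip port 22
	pass in on $ext_if proto tcp from any to any port 10465 rdr-to \
		$serv_ip port 465

	# Services offered by the firewall host itself, only on its external address
	pass in on $ext_if inet proto tcp from any to ($ext_if) \
		port $servicios_tcp keep state
	pass in on $ext_if inet proto udp from any to ($ext_if) \
		port $servicios_udp keep state
	# ICMP echo requests are accepted on every interface
	pass in inet proto icmp all icmp-type $servicios_icmp keep state

	# Admit the redirected public services; the destination is the translated
	# address. "synproxy state" makes pf complete the TCP handshake itself
	# before opening the connection to the server.
	pass in on $ext_if proto tcp from any to $serv_ip port $servicios_serv \
		flags S/SA synproxy state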

5.1. Referencias y lecturas recomendadas

Guía del usuario de PF [PF].