OK, here is the picture:
[10.0.10.15]---(10.0.10.0/24)-[vr0: 10.0.10.1]-+-------------+
                                               | OpenBSD 4.4 |
                10.0.11.0/24 -[vr2: 10.0.11.1]-+             +-[vr1: 77.x.y.z]-- ADSL-- (internet)
                                               |             |
[10.0.88.220]--(10.0.88.0/24)-[vr3: 10.0.88.1]-+------+------+
                                                      |
                                  10.0.7.1/32-[tun0]--+
This is the pf.conf I used for the test:
Code:
#global
#interfaces
intif="vr0"
extif="vr1"
dmzif="vr2"
phoneif="vr3"
lo0if="lo0"
intip="10.0.10.1/32"
extip="77.x.y.z/32"
dmzip="10.0.11.1/32"
phoneip="10.0.88.1/32"
lo0ip="127.0.0.1/32"
filesrvip="10.0.10.15/32"
tunif="tun0"
table <extip> { $extip }
icmp_types="{ echorep, echoreq, unreach, squench, timex, paramprob }"
# external interface
table <dns_isp> { 62.2.17.60/32, 62.2.24.152/32 }
#table <mail_isp> { }
table <ntpserver> { 192.53.103.0/24, 131.188.3.0/24 }
table <extfax> { 204.11.168.0/21 }
# internal interface
table <localnet> { 10.0.10.0/24 }
table <phonenet> { 10.0.88.0/24 }
table <mobilenet> { 10.0.7.0/24 }
# dmz interface
table <dmznet> { 10.0.11.0/24}
# scrub
scrub all
# nat
nat on $extif from <localnet> -> $extip
#nat on $extif from <phonenet> -> $extip
nat on $extif from <dmznet> -> $extip
# for bufferoverflow
block in inet6
block out inet6
# default policy
pass in quick log on $extif
pass out quick log on $extif
pass in quick log on $intif
pass out quick log on $intif
pass in quick log on $dmzif
pass out quick log on $dmzif
pass in quick log on $phoneif
pass out quick log on $phoneif
pass in quick on $tunif
pass out quick on $tunif
pass in quick on $lo0if
pass out quick on $lo0if
Finally, the routing table (netstat -rn):
Code:
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 77.x.y.z UGS 2 1611740 - 48 vr1
10.0.7/24 10.0.7.2 UGS 0 46209 - 48 tun0
10.0.7.2 10.0.7.1 UH 1 0 - 48 tun0
10.0.10/24 link#1 UC 10 0 - 48 vr0
10.0.10.1 00:00:24:cb:1d:4c UHLc 0 188 - 48 lo0
10.0.10.12 00:23:54:2f:8b:b7 UHLc 0 362483 - 48 vr0
10.0.10.15 00:22:19:cb:e2:60 UHLc 0 161399 - 48 vr0
10.0.10.21 00:80:87:5b:06:fd UHLc 0 1 - 48 vr0
10.0.10.52 00:23:54:40:3f:8c UHLc 0 6926 - 48 vr0
10.0.10.101 00:21:9b:32:98:7b UHLc 1 37152 - 48 vr0
10.0.10.111 00:21:9b:45:74:ec UHLc 0 59694 - 48 vr0
10.0.10.112 00:21:9b:32:98:3c UHLc 0 174699 - 48 vr0
10.0.10.113 00:24:81:f7:48:45 UHLc 0 625291 - 48 vr0
10.0.10.131 00:01:02:e3:ba:78 UHLc 3 18211 - 48 vr0
10.0.11/24 link#3 UC 2 0 - 48 vr2
10.0.11.13 00:22:19:51:40:e7 UHLc 1 483021 - 48 vr2
10.0.11.14 00:1e:c9:bb:57:74 UHLc 0 95170 - 48 vr2
10.0.88/24 link#4 UC 1 0 - 48 vr3
10.0.88.220 00:0e:0c:4c:34:27 UHLc 1 68 - 48 vr3
77.x.y.u/29 link#2 UC 1 0 - 48 vr1
77.x.y.z 00:14:7f:e7:cb:28 UHLc 1 0 - 48 vr1
127/8 127.0.0.1 UGRS 0 0 33204 48 lo0
127.0.0.1 127.0.0.1 UH 1 2 33204 48 lo0
224/4 127.0.0.1 URS 0 0 33204 48 lo0
So, now... What I see is that when I ping from 10.0.10.15, a ping reply from 10.0.88.220 shows up on vr3, but that reply never reaches 10.0.10.15, because it does not appear on the vr0 interface.
When I ping 10.0.88.1 from 10.0.10.15, I get a reply. When I ping the host 10.0.10.15 from 10.0.88.220, I get nothing. When I ping 10.0.10.1 from 10.0.88.220, there is also no reply at all.
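An added lookup over the routing table posted above (example code, not from the original post): it expands the OpenBSD netstat shorthand and does a longest-prefix match, showing that the table sends packets for 10.0.10.15 out vr0 and for 10.0.88.220 out vr3, i.e. the route entries themselves point the reply back toward vr0. The masked 77.x.y.* rows are kept as posted and skipped by the parser.

```python
import ipaddress

# Constructed excerpt of the netstat -rn output from the post; masked 77.x.y.* rows kept as posted.
NETSTAT_RN = """\
default 77.x.y.z UGS 2 1611740 - 48 vr1
10.0.7/24 10.0.7.2 UGS 0 46209 - 48 tun0
10.0.10/24 link#1 UC 10 0 - 48 vr0
10.0.10.15 00:22:19:cb:e2:60 UHLc 0 161399 - 48 vr0
10.0.11/24 link#3 UC 2 0 - 48 vr2
10.0.88/24 link#4 UC 1 0 - 48 vr3
10.0.88.220 00:0e:0c:4c:34:27 UHLc 1 68 - 48 vr3
77.x.y.u/29 link#2 UC 1 0 - 48 vr1
127/8 127.0.0.1 UGRS 0 0 33204 48 lo0
"""

def parse_destination(dest):
    """Expand netstat shorthand: 'default' -> 0.0.0.0/0, '10.0.7/24' -> 10.0.7.0/24,
    '127/8' -> 127.0.0.0/8, bare host -> /32. Returns None for masked rows (77.x.y.u/29)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        return None
    octets += ["0"] * (4 - len(octets))  # pad omitted trailing octets with zeros
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}")

def parse_routes(text):
    """Return (network, gateway, interface) triples for every parseable row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # header or blank line
        net = parse_destination(fields[0])
        if net is not None:
            routes.append((net, fields[1], fields[-1]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: (interface, gateway) the kernel would pick for dst."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    net, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gateway

ROUTES = parse_routes(NETSTAT_RN)
```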