pfsense long ping to Google


I have set up a pfsense box. What happened is that I set up a rule so that the 192.168.3.1 box cannot hit the management interface.

With the rule enabled:

--- www.l.google.com ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 5080ms
rtt min/avg/max/mdev = 37.684/37.776/37.869/0.215 ms
root@bad-apple:/etc#

With the rule disabled:

--- www.l.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 42.064/44.104/46.144/2.040 ms

The block rule that causes this:

ID  Proto  Source           Port  Destination   Port  Gateway  Queue  Schedule  Description
    *      APPLESERVER net  *     192.168.3.1   *     *        none

I don't want the server to access the management interface, but I do want it to reach the Internet so I can configure the machine. Has anyone run into this before? If I set the destination to the WAN net, DNS goes away, so below this block rule I allow everything from APPLESERVER net to *.

Well, when I ping with the rule enabled, a line shows up in ssh about every 5-10 seconds. Without the rule it runs very fast, like a normal machine. This problem does not exist on my LAN. The DNS servers are the same and it blocks [pfsense] admin. [One LAN is the admin LAN, so it has no block rule.] I run everything on LAN2 and manually hook up LAN1 for administration.

Update - added /tmp/debug.config


#System aliases

loopback = "{ lo0 }"
WAN = "{ re0 }"
ADMIN = "{ re1 }"
LAN = "{ re2 }"
APPLESERVER = "{ re3 }"

#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>

table <virusprot>

# User Aliases 
table <EasyRuleBlockHostsWAN> {   10.35.0.1/32 } 
EasyRuleBlockHostsWAN = "<EasyRuleBlockHostsWAN>"

# Gateways
GWOPT1GW = " route-to ( re2 192.168.1.1 ) "
GWWAN = " route-to ( re0 wan ip ) "


set loginterface re1
set optimization normal
set limit states 23000
set limit src-nodes 23000

set skip on pfsync0

scrub in on $WAN all    fragment reassemble
scrub in on $ADMIN all    fragment reassemble
scrub in on $LAN all    fragment reassemble
scrub in on $APPLESERVER all    fragment reassemble


no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"


# Outbound NAT rules

# Subnets to NAT 
tonatsubnets    = "{ 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 127.0.0.0/8  }"
nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 24.220.153.106/32 port 500  
nat on $WAN  from $tonatsubnets to any -> 24.220.153.106/32 port 1024:65535  


# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
rdr pass on re2 proto udp from any to any port tftp -> 127.0.0.1 port 6969
table <negate_networks> { 24.220.152.0/23 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 }
# NAT Inbound Redirects
rdr on re0 proto { tcp udp } from any to any port 21 -> 192.168.2.3
rdr on re0 proto { tcp udp } from any to any port 5000:5050 -> 192.168.2.3
rdr on re0 proto { tcp udp } from any to any port 80 -> 192.168.3.2
rdr on re0 proto { tcp udp } from any to any port 443 -> 192.168.3.2
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# Snort package
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webConfiguratorlockout> to any port 443 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for re0
# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for re1
# allow access to DHCP server on ADMIN
pass in quick on $ADMIN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $ADMIN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out quick on $ADMIN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for re2
# allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for re3
# allow access to DHCP server on APPLESERVER
pass in quick on $APPLESERVER proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $APPLESERVER proto udp from any port = 68 to 192.168.3.1 port = 67 label "allow access to DHCP server"
pass out quick on $APPLESERVER proto udp from 192.168.3.1 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( re0 wan ip ) from 24.220.153.106 to !24.220.152.0/23 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on re1 proto tcp from any to (re1) port { 80 443  22 } keep state label "anti-lockout rule"

# User-defined rules follow

anchor "userrules/*"
block  in  quick  on $WAN reply-to ( re0 wan ip )  from   $EasyRuleBlockHostsWAN to any  label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
pass   in  quick  on $WAN reply-to ( re0 wan ip )  proto { tcp udp }  from any to   192.168.2.3 port 21   label "USER_RULE: NAT "
pass   in  quick  on $WAN reply-to ( re0 wan ip )  proto { tcp udp }  from any to   192.168.2.3 port 4999 >< 5051   label "USER_RULE: NAT "
pass   in  quick  on $WAN reply-to ( re0 wan ip )  proto { tcp udp }  from any to   192.168.3.2 port 80   label "USER_RULE: NAT Rule for web 80"
pass   in  quick  on $WAN reply-to ( re0 wan ip )  proto { tcp udp }  from any to   192.168.3.2 port 443   label "USER_RULE: NAT ssl web "
block  in  quick  on $WAN reply-to ( re0 wan ip )  from any to any  label "USER_RULE"
block  in  quick  on $ADMIN  from any to any  label "USER_RULE"
block  in  quick  on $LAN  from any to   192.168.2.1  label "USER_RULE"
block  in  quick  on $LAN  from any to   192.168.1.1  label "USER_RULE"
block  in  quick  on $LAN  from any to   192.168.3.1  label "USER_RULE"
pass  in  quick  on $LAN  from 192.168.2.1/24 to any keep state  label "USER_RULE: Default allow OPT1 to any rule"
pass  in  quick  on $LAN  proto tcp  from any to 192.168.3.1/24 port 22  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $LAN  proto tcp  from any to 192.168.3.1/24 port 80  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $LAN  proto tcp  from any to 192.168.3.1/24 port 81  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $LAN  proto { tcp udp }  from any to   192.168.3.2 port 10000  keep state  label "USER_RULE"
pass  in  quick  on $LAN  proto tcp  from 192.168.2.1/24 to 192.168.3.1/24 port 443  flags S/SA keep state  label "USER_RULE"
block  in  quick  on $LAN  from any to any  label "USER_RULE"
block  in  quick  on $APPLESERVER  from any to 192.168.2.1  label "USER_RULE"
block  in  quick  on $APPLESERVER  proto { tcp udp }  from any to   192.168.3.1 port 80   label "USER_RULE"
block  in  quick  on $APPLESERVER  proto { tcp udp }  from any to   192.168.3.1 port 443   label "USER_RULE"
block  in  quick  on $APPLESERVER  proto { tcp udp }  from any to   192.168.3.1 port 22   label "USER_RULE"
block  in  quick  on $APPLESERVER  from any to 192.168.1.0/24  label "USER_RULE"
pass  in  quick  on $APPLESERVER  from 192.168.3.1/24 to any keep state  label "USER_RULE"

# VPN Rules
anchor "tftp-proxy/*"

Updated with the debug.config file. So the way I fixed it was to block only 22, 80 and 443 from the 192.168.3.0/24 subnet [the appleserver subnet]. This fixed the speed problem, but I am not sure whether it is the right way to fix it properly.

Maybe this is a DNS issue, but from a remote system, typing in the WAN IP takes almost as [long] as routing by domain name when all the block rules are enabled.
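Added example, not taken from the poster's configuration or generated by pfSense itself: a raw pf fragment for the APPLESERVER interface that keeps the management-plane block but passes DNS to the gateway address ahead of it. The interface macro and the addresses follow the posted debug.config; the macro names appleserver_net, appleserver_gw and admin_net and the rule labels are assumptions introduced here. It generalises the poster's fix (blocking only 22, 80 and 443) into the usual shape: allow the one service the segment needs from its gateway, then deny everything else aimed at that address, so a service added to the firewall later is covered without another rule.

```pf
# Interface macro and address literals as in the posted debug.config;
# the three macro names below are introduced for this example only.
APPLESERVER     = "{ re3 }"
appleserver_net = "192.168.3.0/24"
appleserver_gw  = "192.168.3.1"
admin_net       = "192.168.1.0/24"

# 1. Pass what the segment legitimately needs from its own gateway first.
#    pfSense serves DNS on the interface address, so a blanket block to
#    192.168.3.1 silently kills name resolution; ping's per-reply reverse
#    lookups then wait out the resolver timeout, which is the 5080 ms seen
#    for two packets. DHCP to 192.168.3.1 is already passed by the rules
#    pfSense generates above the user rules, so it is not repeated here.
pass  in quick on $APPLESERVER proto { tcp udp } from $appleserver_net to $appleserver_gw port 53 keep state label "APPLESERVER: DNS to gateway"

# 2. Then deny the management plane: everything else aimed at the gateway
#    address (22/80/443 and any service enabled later) is dropped and logged.
#    Rules are 'quick', so order decides: this must come after the DNS pass.
block in log quick on $APPLESERVER from any to $appleserver_gw label "APPLESERVER: block mgmt on gateway"

# 3. Keep the segment away from the other internal gateway and the admin net,
#    mirroring the poster's existing block rules.
block in log quick on $APPLESERVER from any to 192.168.2.1 label "APPLESERVER: block LAN gateway"
block in log quick on $APPLESERVER from any to $admin_net  label "APPLESERVER: block ADMIN net"

# 4. Everything else (Internet) is allowed, as in the posted ruleset.
pass  in quick on $APPLESERVER from $appleserver_net to any keep state label "APPLESERVER: to any"
```

On pfSense these are entered as GUI rules on the APPLESERVER interface in the same top-to-bottom order; the generated ruleset uses `quick` throughout, so the first match wins and the DNS pass has to sit above the block. A file containing the fragment can be syntax-checked without loading it with `pfctl -nf <file>`. The `log` keyword on the block rule is what turns a vague "ping is slow" into direct evidence: with the original blanket block and logging on, the firewall log shows the dropped UDP port 53 packets from the APPLESERVER hosts to 192.168.3.1, confirming the cause is blocked name resolution rather than routing.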
