PF - design/configure firewall for network using ADSL connection -- please help me
I have some problems building my firewall on OpenBSD 3.7.
Here is my network diagram:
{Internet}------{ADSL modem}----{openbsd-gateway}-----{localnetwork}---{win2k3}
Detail:
---Internet---
ip: Dynamic IP
type: ADSL connection
---modem ADSL---
ip: 192.168.3.254/24
---openbsd-gateway---
+ interface
- xl0: connects to the ADSL modem, ip: 192.168.3.10/24
- xl1: connects to localnetwork, ip: 192.168.2.10/24
+ service:
- DHCP for localnetwork
- Web server for localnetwork
- DNS for localnetwork with domain abc.ex
- LDAP for localnetwork
- Mail server for localnetwork, and also the mail gateway for domain abc.ex to the outside Internet
- Squid proxy
---win2k3---
+ interface
ip: 192.168.2.2/24
+ service
- Active Directory
- File server
Purpose:
--localnetwork--
- allow all traffic only within localnetwork
- work better with win2k3 when joining domain xyz.ex
- all requests from localnetwork to the Internet, such as web and FTP, must be checked at the Squid proxy server.
--openbsd gateway--
- allow all requests to the web server, mail server (POP3s, IMAPs), LDAP, Squid, .... running on the openbsd-gateway server.
- transparently allow all requests from localnetwork to the win2k3 server running DNS for "xyz.ex"
- allow VIP1 users with IP addresses {192.168.2.9, 192.168.2.10} to use FTP
- allow VIP2 users to connect to all ports from inside to outside without restriction.
- Redirect all requests from localnetwork to the Internet to port 8080, on which the Squid proxy is listening.
- Deny all requests for services from localnetwork to the Internet such as online games, Xmule, BitTorrent, POP (users use the local mail server), FTP .... generally speaking, deny all traffic that users inside do not need.
- Deny all port scanning programs, injection and exploits from inside.
- NAT all allowed traffic from inside to the outside network
- Log all exploit actions from inside
--internet--
- deny all dangerous traffic from the Internet to the inside network
- prevent all exploit actions from the outside Internet.
- Log all exploit actions from outside
These are the firewall/gateway rules I want to configure for my local network. I am really confused about PF. Please help me.
Thank you very much.
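The following pf.conf is an added example, not something from the original post, written against the OpenBSD 3.7 syntax of the time (explicit "keep state" and "flags S/SA", separate nat/rdr sections). Interface names and addresses are the ones the post gives; the VIP2 address, the list of services the gateway exposes, the Squid transparent-mode binding on 127.0.0.1:8080 and the ftp-proxy(8) instance on 127.0.0.1:8021 are assumptions. Two caveats a practitioner would raise: the post lists 192.168.2.10 both as xl1's own address and as a VIP1 host, and traffic between LAN hosts and the win2k3 server (192.168.2.2) never crosses the gateway because they share a subnet, so PF can neither pass nor block it.

```pf
# Added example pf.conf for the layout in the post (OpenBSD 3.7 syntax).
# Addresses come from the post; VIP2, the service lists, the Squid and
# ftp-proxy bindings on 127.0.0.1 are assumptions for illustration.
ext_if = "xl0"            # towards the ADSL modem, 192.168.3.10/24
int_if = "xl1"            # towards the LAN, 192.168.2.10/24
lan    = "192.168.2.0/24"
win2k3 = "192.168.2.2"    # Active Directory / DNS for xyz.ex

# VIP1 exactly as listed in the post (192.168.2.10 is also xl1's address).
table <vip1> { 192.168.2.9, 192.168.2.10 }
# VIP2 address is assumed; replace with the real host.
table <vip2> { 192.168.2.20 }

# Services the gateway itself offers to the LAN (assumed from the post).
gw_tcp = "{ www, https, smtp, pop3s, imaps, ldap, ldaps, domain, 8080 }"
gw_udp = "{ domain }"

set skip on lo0
set block-policy drop
scrub in all

# NAT everything the filter lets out through the ADSL side.
nat on $ext_if from $lan to any -> ($ext_if)

# Transparent proxy: LAN web requests not aimed at the LAN go to Squid.
# Squid must itself be configured for transparent (interception) mode.
rdr on $int_if proto tcp from $lan to ! $lan port www -> 127.0.0.1 port 8080
# VIP1 FTP goes through ftp-proxy(8), assumed to be started from inetd on
# 127.0.0.1:8021, so the data channel is handled for them.
rdr on $int_if proto tcp from <vip1> to ! $lan port ftp -> 127.0.0.1 port 8021

# Default deny in both directions, logged to pflog0: port scans and probes
# from either side show up there.
block in log all
block out log all

# --- Internet side ---
# Only connections the gateway (or NAT on its behalf) initiates may go out.
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state
# The only unsolicited inbound service is SMTP for the abc.ex mail gateway.
pass in on $ext_if proto tcp from any to ($ext_if) port smtp flags S/SA keep state

# --- LAN side ---
# DHCP clients talk to the gateway before they have an address.
pass in  on $int_if inet proto udp from any port bootpc to { $int_if, 255.255.255.255 } port bootps
pass out on $int_if inet proto udp from $int_if port bootps to any port bootpc

# Services running on the gateway.
pass in on $int_if proto tcp  from $lan to $int_if port $gw_tcp flags S/SA keep state
pass in on $int_if proto udp  from $lan to $int_if port $gw_udp keep state
pass in on $int_if inet proto icmp from $lan to $int_if icmp-type echoreq keep state

# Packets already rewritten by the rdr rules arrive with 127.0.0.1 as destination.
pass in on $int_if proto tcp from $lan   to 127.0.0.1 port 8080 flags S/SA keep state
pass in on $int_if proto tcp from <vip1> to 127.0.0.1 port 8021 flags S/SA keep state

# VIP2 is unrestricted towards the outside.
pass in on $int_if from <vip2> to ! $lan keep state

# The gateway's own DNS may forward xyz.ex queries to win2k3 (assumed setup).
pass out on $int_if proto { tcp, udp } from $int_if to $win2k3 port domain keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf` and enabling PF with `pfctl -e`; everything the two `block ... log` rules drop, including scans from either side, can be watched with `tcpdump -n -e -ttt -i pflog0`. Because the last matching rule wins, the `pass` rules for VIP1 and VIP2 override the default `block` only for those tables, so every other LAN host is left with nothing but the gateway services and the Squid redirect, which is what the post asks for.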