Small Office Usage


Our small office has a network outside the OpenBSD system and a T1 for Internet access. Unlike our home network, all the IP addresses for non-desktop systems are static. Not only do we want to redirect traffic for some internal servers, we also want to restrict bandwidth usage for each of the services we allow. People will be able to use programs such as streaming audio, so long as that bandwidth is not needed for sanctioned corporate activities.


Much like the first example, our internal network is on the private address range 192.168.1.0/24, routing through the default gateway of 192.168.1.1. Unlike the first example, though, we have a separate router outside our firewall and a network (209.69.178.16/28) between the two. At this time, all of our services will be attached to a single IP address (209.69.178.18) on the OpenBSD system. We also have two servers inside our network, a mail server and a web server. Bandwidth will be regulated via class-based queuing.

#set our macros
ext_if="fxp1"
int_if="fxp0"
ext_ip="209.69.178.18"
int_ip="192.168.1.1"
ext_net="209.69.178.16/28"
int_net="192.168.1.0/24"

#use macros for our web server and mail server
webserver="192.168.1.2"
mailserver="192.168.1.3"

#first, normalize packets we transmit and receive
scrub in all

#now, set up our traffic queues
#
# the parent queue:
altq on $ext_if cbq bandwidth 100Mb queue {local, t1}

#the child queue for communication to our local network outside the
#firewall.  This queue can borrow bandwidth from the T1, if the T1 isn't
#full.
queue local bandwidth 98456Kb cbq(borrow)

#the child queue for T1 traffic.  This queue cannot borrow bandwidth
#from the parent; once the T1 is full, it's full!  Every queue named in
#this list must be defined below, or pfctl will refuse the ruleset.
queue t1 bandwidth 1544Kb {http-in, http-out, mail, dns, ftp, misc}

#now the child queues for our T1 circuit, shaping our usage the way we
#want.  The percentages add up to 100% of the T1.
queue http-in bandwidth 25% cbq(borrow)
queue http-out bandwidth 25% cbq(borrow, red)
queue mail bandwidth 25% cbq(borrow)
queue dns bandwidth 4% cbq(borrow)
queue ftp bandwidth 20% cbq(borrow, red)
queue misc bandwidth 1% cbq(borrow, default)

#give NAT to our internal addresses
nat on $ext_if from $int_net to any -> ($ext_if)

#We want outbound FTP to work properly, so let's enable the
#FTP proxy.  Be sure you have ftp-proxy running out of inetd(8)!
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

#Redirect requests to our external IP address to the proper internal IP
rdr on $ext_if proto tcp from any to $ext_ip port www -> $webserver port www
rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $mailserver port smtp

#Block everything first, and then explicitly allow only desirable
#traffic.
block in log all

#We have incoming connections to our mail and web server.
#Be sure to use the translated IP addresses here!
#Using macros will ensure that you have the correct IP.
pass in on $ext_if proto tcp from any to $webserver port www keep state queue http-in
pass in on $ext_if proto tcp from any to $mailserver port smtp keep state queue mail

#Allow our ftp-proxy program to connect back to the firewall!
pass in on $ext_if inet proto tcp from any to $ext_ip user proxy keep state

#The next rules cover traffic from inside the network, going out.  As
#our client operating systems may be running some godforsaken
#operating system with poor ISN selection, we'll use state modulation.
#Remember, the last matching rule is attached to the packet.
#Translation happens before filtering, so by the time these packets are
#filtered on $ext_if their source address is already $ext_ip rather than
#an internal address; a rule written "from $int_net" would never match.
#first, we set up the misc queue, where traffic will go if nothing
#else fits better.  People can use P2P programs if nothing more
#important is running.
pass out on $ext_if from $ext_ip to any modulate state queue misc
pass out on $ext_if proto tcp from $ext_ip to any port { www, https } modulate state queue http-out
pass out on $ext_if proto { tcp, udp } from $ext_ip to any port domain modulate state queue dns
pass out on $ext_if proto tcp from $ext_ip to any port { ftp, ftp-data } modulate state queue ftp
#outbound mail: after NAT every internal host, the mail server included,
#appears as $ext_ip, so this rule cannot single out $mailserver
pass out on $ext_if proto tcp from $ext_ip to any port smtp modulate state queue mail

#lastly, catch all traffic bound for the local exterior network and
#drop it in the big queue; basically unlimited bandwidth on the local
#ethernet, after all!
pass out on $ext_if from $ext_ip to $ext_net modulate state queue local

#protect against spoofing
antispoof for $int_if
antispoof for $ext_if
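Before loading a ruleset like this, run `pfctl -nf /etc/pf.conf`: it parses the file without loading it and is the authoritative check. The Python script below is an added example, not code from the book or from OpenBSD. It performs the two arithmetic checks a reader otherwise does by hand on the altq/queue lines (every queue named in a parent's child list is actually defined, and the children of a queue do not claim more bandwidth than the queue has) and works out the absolute kbit/s each leaf queue is guaranteed, so that "25%" and "4%" become concrete numbers against the 1544Kb T1. The embedded configuration is a constructed copy of the queue section; its t1 line deliberately keeps an `ssh` entry for which no `queue ssh` line exists, to show what the check catches.

```python
"""Offline sanity check of a pf(4) CBQ queue hierarchy (added example).

Parses the altq/queue lines of a pf.conf and reports queues that are
listed as children but never defined, children that over-commit their
parent, the number of default queues, and the absolute bandwidth of each
leaf queue in kbit/s.  It is a reading aid; `pfctl -nf` is the authority.
"""
import re

# Constructed copy of the page's queue section.  'ssh' is listed under t1
# but no 'queue ssh' line exists, which pfctl would reject.
PAGE_CONF = """\
# the parent queue:
altq on $ext_if cbq bandwidth 100Mb queue {local, t1}
queue local bandwidth 98456Kb cbq(borrow)
queue t1 bandwidth 1544Kb {ssh, http-in, http-out, mail, dns, ftp, misc}
queue http-in bandwidth 25% cbq(borrow)
queue http-out bandwidth 25% cbq(borrow, red)
queue mail bandwidth 25% cbq(borrow)
queue dns bandwidth 4% cbq(borrow)
queue ftp bandwidth 20% cbq(borrow, red)
queue misc bandwidth 1% cbq(borrow, default)
"""
FIXED_CONF = PAGE_CONF.replace("{ssh, ", "{")  # the corrected t1 child list

UNITS = {"b": 1 / 1000, "kb": 1, "mb": 1000, "gb": 1_000_000}  # -> kbit/s
ALTQ_RE = re.compile(r"^altq on (\S+) (\w+) bandwidth (\S+) queue \{([^}]*)\}")
QUEUE_RE = re.compile(
    r"^queue (\S+) bandwidth (\S+)(?:\s+\w+\(([^)]*)\))?(?:\s*\{([^}]*)\})?")


def _split(s):
    """'a, b' -> ['a', 'b']; None or '' -> []."""
    return [x.strip() for x in s.split(",") if x.strip()] if s else []


def parse_bandwidth(spec, parent_kbit):
    """Turn '1544Kb', '100Mb' or '25%' into kbit/s; percent is of the parent."""
    if spec.endswith("%"):
        if parent_kbit is None:
            raise ValueError("root queue bandwidth must be absolute")
        return parent_kbit * float(spec[:-1]) / 100.0
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGkmg]?b)", spec)
    if not m:
        raise ValueError(f"bad bandwidth spec {spec!r}")
    return float(m.group(1)) * UNITS[m.group(2).lower()]


def parse_queues(conf):
    """Return (root_name, {name: {'bw': spec, 'opts': [...], 'children': [...]}})."""
    queues, root = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if m := ALTQ_RE.match(line):
            root = m.group(1)                         # the interface is the root
            queues[root] = {"bw": m.group(3), "opts": [], "children": _split(m.group(4))}
        elif m := QUEUE_RE.match(line):
            name, bw, opts, kids = m.groups()
            queues[name] = {"bw": bw, "opts": _split(opts), "children": _split(kids)}
    if root is None:
        raise ValueError("no altq line found")
    return root, queues


def check_queues(conf):
    """Return {'errors': [str, ...], 'leaf_kbit': {leaf name: kbit/s}}."""
    root, queues = parse_queues(conf)
    errors, leaf_kbit = [], {}
    defaults = [n for n, q in queues.items() if "default" in q["opts"]]
    if len(defaults) != 1:
        errors.append(f"expected exactly one default queue, found {defaults}")

    def walk(name, parent_kbit):
        q = queues[name]
        kbit = parse_bandwidth(q["bw"], parent_kbit)
        if not q["children"]:
            leaf_kbit[name] = round(kbit, 3)
            return kbit
        total = 0.0
        for child in q["children"]:
            if child not in queues:
                errors.append(f"queue {child!r} is listed under {name!r} but never defined")
                continue
            total += walk(child, kbit)
        if total > kbit + 1e-6:                       # children over-commit the parent
            errors.append(f"children of {name!r} want {total:g} kbit/s but it has {kbit:g}")
        return kbit

    walk(root, None)
    return {"errors": errors, "leaf_kbit": leaf_kbit}


if __name__ == "__main__":
    for label, conf in (("as printed", PAGE_CONF), ("ssh removed", FIXED_CONF)):
        result = check_queues(conf)
        print(f"== {label}: {len(result['errors'])} error(s)")
        for err in result["errors"]:
            print("  ERROR:", err)
        for name, kbit in result["leaf_kbit"].items():
            print(f"  {name:10s} {kbit:10.2f} kbit/s")
```

The output makes the CBQ arithmetic visible: the six T1 children come to exactly 1544 kbit/s, with `misc` guaranteed only 15.44 kbit/s until the `borrow` option lets it soak up whatever its siblings leave idle, which is the behaviour the text wants for P2P and streaming traffic.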




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298
