[CDBUG-talk] Self hosting, DNS

Jonathan Franks jonathan.franks at gmail.com
Wed Nov 23 15:50:21 EST 2005


Hi all,

Well, I've decided to run a little web server at home. I registered a domain
name, and I'm working on setting up a dmz. So my first question pertains to
pf....

I am assuming that all I really need to do is:

1. pass port 80 traffic on my external interface
2. rdr this traffic to a host in my DMZ
3. block traffic from the DMZ to my internal network
4. allow stateful connections to the hosts in the dmz from my internal
network

I'm including my pf.conf file at the end of this post, any critique is
welcome, as I'm learning as I go here. Patrick - you should recognize some
of this :). The two commented lines (rdr and nat) are the beginnings of my
attempt to implement this. I assume that I need to add a block rule to
address item 3 above, and a pass rule for item 4. If anyone is in the mood,
I'd love some critiques / suggestions on the best way to accomplish what I'm
trying to do.

Once it's up, I will probably add queueing on the external interface as
well, since my upload rate is only 256k. It is unlikely to be a high traffic
site, though, so one thing at a time.

My second question is whether anyone has any experience, thoughts or
opinions on this service:

http://soa.granitecanyon.com/

I am running DNS internally, but I'm not really ready to put up public
servers yet, and this seems like a decent alternative. Besides, they're
running FreeBSD, so that's one thing in their favor in my book :-).


Thanks!

-Jonathan

My pf.conf file:

ext_if="xl0"
int_if="xl1"
dmz_if="xl2"

tcp_services="{ 22 }"
icmp_types="echoreq"

priv_nets="{ xxx.xxx.xxx.xxx/24, xxx.xxx.xxx.xxx/24 }"

table <adservers> persist file "/etc/pftables/adservers"
table <crackers> persist file "/etc/pftables/crackers"


set block-policy drop
set state-policy if-bound
set loginterface $ext_if


scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
#nat on $ext_if from $dmz_if:network to any -> ($ext_if)
#rdr on $ext_if proto tcp from any to any port www -> xxx.xxx.xxx.xxx
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021


block all
pass quick on lo0 all
block drop in log quick on $ext_if from $priv_nets to any
block drop in log quick on $ext_if from any to $priv_nets

block return log quick from any to <adservers>
block drop log quick from <adservers> to any
block drop in log quick on $ext_if from <crackers> to any

pass in log on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA modulate state \
    (max-src-conn 5, max-src-conn-rate 4 / 60, overload <crackers> \
    flush global)


# active-mode FTP data connections back to ftp-proxy (runs as user "proxy");
# the continuation backslash is required, otherwise pfctl rejects the rule
pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy \
    flags S/SA keep state

pass in log inet proto icmp all icmp-type $icmp_types keep state

pass in log on $int_if from $int_if:network to any keep state

pass out log on $int_if from any to $int_if:network keep state

pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
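One way to fill in items 1 to 4 from the list above, added here as an example and not part of the original post: the DMZ web host address 192.0.2.10 is a placeholder, the interface and table macros are the ones the posted pf.conf already defines, and the rules assume the posted `set state-policy if-bound`, which is why each direction needs its own state on the interface it crosses.

```pf
# Added example (not from the original post). Placeholder: the DMZ web host.
dmz_web="192.0.2.10"
web_services="{ 80 }"

# Let DMZ hosts reach the outside (updates, DNS); masquerade as the external IP.
nat on $ext_if from $dmz_if:network to any -> ($ext_if)

# Items 1 and 2: redirect inbound HTTP arriving on the external interface to
# the DMZ host. rdr rewrites the destination before the filter rules run, so
# the pass rule must match the translated address ($dmz_web), not ($ext_if).
rdr on $ext_if proto tcp from any to ($ext_if) port $web_services -> $dmz_web
pass in log on $ext_if inet proto tcp from any to $dmz_web port $web_services \
    flags S/SA modulate state \
    (max-src-conn 50, max-src-conn-rate 20 / 10, overload <crackers> flush global)

# With if-bound states the packet needs a second state on $dmz_if on the way out.
pass out on $dmz_if inet proto tcp from any to $dmz_web port $web_services \
    flags S/SA keep state

# Item 3: nothing originating in the DMZ may reach the internal network.
# "quick" makes this win over every later pass rule; logging it means a
# compromised DMZ box probing inward shows up in pflog.
block drop in log quick on $dmz_if from $dmz_if:network to $int_if:network

# DMZ hosts may originate other outbound traffic (evaluated after the block above).
pass in on $dmz_if from $dmz_if:network to any keep state

# Item 4: internal hosts may open connections to DMZ hosts. Replies ride the
# state entries, so no DMZ -> internal pass rule is needed for them.
pass in on $int_if from $int_if:network to $dmz_if:network keep state
pass out on $dmz_if from $int_if:network to $dmz_if:network keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and after loading use `pfctl -ss` to confirm that one inbound connection creates states on both xl0 and xl2.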