[FUGSPBR] pf help!

P Neves patneves at megamail.pt
Wed Dec 8 15:39:19 BRST 2004


Hello!
I need a little help!
What pf.conf ruleset should I have to protect myself at least
minimally? I installed FreeBSD 5.3 on a machine to act as
NAT and firewall. I used the ruleset from www.open-pt.org,
but I don't know whether it is right or not. FTP doesn't work :( and
neither does DC++ (it uses port 1412).

I have cable internet (DHCP)!

I've already seen countless configs, all of them different, and I'm
getting desperate!

# define variables
ext_if = "rl0"
int_if = "rl1"
tcp_services = "{ 22, 80 }"
icmp_types = "{ 8, 11 }"
internal_net = "192.168.0.0/24"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set loginterface $ext_if
scrub in all

# nat
nat on $ext_if from $internal_net to any -> ($ext_if)

# Filtering: The good stuff.
# block everything that comes in
block in on $ext_if all

# stuff to block but not log because it's irritating
block in quick on $ext_if proto { tcp, udp } from any to any port { 67, 68 }
block in quick on $ext_if proto { tcp, udp } from any port { 67, 68 } to any

# loopback stuff is good!
pass in quick on lo0 all

# because these should never appear on a public internet interface
block in  quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets

# allow our services
pass in on $ext_if inet proto tcp from any to any port $tcp_services flags S/SAFR keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state

#pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

# Immediate blocks
# fuzz any "nmap" attempt
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA

# don't allow anyone to spoof non-routable addresses
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255


Thanks.

Paulo
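The two things the posted ruleset lacks for the symptoms described (inbound DC++ on 1412 and FTP behind NAT) are translation rules, which pf requires before the filter rules. The minimal ruleset below is an added example, not the poster's configuration or the open-pt.org one; it keeps the poster's interfaces and macros and assumes a constructed LAN address 192.168.0.10 for the DC++ client, ftp-proxy from the FreeBSD 5.3 base system started by inetd on 127.0.0.1:8021, and the pseudo-user "proxy" that ftp-proxy drops privileges to by default.

```pf
# Added example, not the poster's ruleset. Interfaces and network are the
# posted ones; the DC++ host address is constructed for illustration.
ext_if = "rl0"
int_if = "rl1"
internal_net = "192.168.0.0/24"
dcpp_host = "192.168.0.10"   # constructed: LAN machine running DC++
dcpp_port = "1412"

scrub in all

# Translation rules (nat/rdr) must come before any filter rule.
nat on $ext_if from $internal_net to any -> ($ext_if)

# DC++ active mode: remote peers connect to the gateway on 1412. Without an
# rdr there is no state for the inbound SYN and "block in on $ext_if all"
# drops it; the rdr forwards it to the LAN host.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $dcpp_port \
    -> $dcpp_host port $dcpp_port

# FTP behind NAT: send the LAN clients' control connections to ftp-proxy,
# which opens the data connections itself. Assumed inetd.conf entry:
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
rdr on $int_if inet proto tcp from $internal_net to any port 21 \
    -> 127.0.0.1 port 8021

block in on $ext_if all

# Filter rules see the packet after translation, so they name the
# translated destination, not the external address.
pass in on $ext_if inet proto tcp from any to $dcpp_host port $dcpp_port \
    flags S/SA keep state
pass in on $int_if inet proto tcp from $internal_net to 127.0.0.1 port 8021 \
    flags S/SA keep state

# Active-mode FTP data: the server connects from port 20 back to the proxy.
# "user proxy" limits this to sockets owned by ftp-proxy, so arbitrary
# connections that merely use source port 20 are still blocked.
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) \
    user proxy flags S/SA keep state

pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state

# Keep state on everything the gateway itself sends out, so replies match
# a state entry instead of the default block.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

`pfctl -nf /etc/pf.conf` checks the syntax without loading it, and `pfctl -ss` shows whether the rdr and filter state entries actually appear when a connection is attempted.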
