[FUGSPBR] pf help!

William Armstrong biosystems em gmail.com
Wed Dec 8 15:43:02 BRST 2004


Try removing the 192.168.0.0/16 network from priv_nets and test again.


On Wed, 08 Dec 2004 17:39:19 +0000, P Neves <patneves em megamail.pt> wrote:
> Hello!
> I need a little help!
> What pf.conf ruleset should I have to protect myself
> at least minimally? I installed FreeBSD 5.3 on a machine to act
> as NAT and firewall. I used the ruleset from www.open-pt.org,
> but I don't know whether it is right or not. FTP doesn't work :( and
> DC++ (uses port 1412) doesn't either.
> 
> I have cable internet (DHCP)!
> 
> I've already seen countless configs, all of them different, and I'm
> getting desperate!
> 
> # define variables
> ext_if = "rl0"
> int_if = "rl1"
> tcp_services = "{ 22, 80 }"
> icmp_types = "{ 8, 11 }"
> internal_net = "192.168.0.0/24"
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> 
> # options
> set loginterface $ext_if
> scrub in all
> 
> # nat
> nat on $ext_if from $internal_net to any -> ($ext_if)
> 
> # Filtering: The good stuff.
> # block everything that comes in
> block in on $ext_if all
> 
> # stuff to block but not log because it's irritating
> block in quick on $ext_if proto { tcp, udp } from any to any port { 67, 68 }
> block in quick on $ext_if proto { tcp, udp } from any port { 67, 68 } to any
> 
> # loopback stuff is good!
> pass in quick on lo0 all
> 
> # because these should never appear on a public internet interface
> block in  quick on $ext_if from $priv_nets to any
> block out quick on $ext_if from any to $priv_nets
> 
> # allow our services
> pass in on $ext_if inet proto tcp from any to any port $tcp_services flags S/SAFR keep state
> 
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in on $int_if from $internal_net to any keep state
> pass out on $int_if from any to $internal_net keep state
> 
> #pass out on $ext_if proto tcp all modulate state flags S/SAFR
> pass out on $ext_if proto { udp, icmp } all keep state
> 
> # Immediate blocks
> # fuzz any "nmap" attempt
> block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
> block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
> 
> # don't allow anyone to spoof non-routable addresses
> block in log quick on $ext_if from $priv_nets to any
> block out log quick on $ext_if from any to $priv_nets
> 
> # silently drop broadcasts (cable modem noise)
> block in quick on $ext_if from any to 255.255.255.255
> 
> Thanks.
> 
> Paulo
> 
> -------------------------------------------------
> Email sent using the MegaMail service
> _______________________________________________________________
> To send a new email to the list: fugspbr em fugspbr.org
> Leave the list: http://lists.fugspbr.org/listinfo.cgi
> Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
> 


-- 
-=-=-=-=-=-=-=-=-=-
William David Armstrong
Bio Systems Security.
ICQ 10253747 MSN bio__wolf em hotmail.com
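For comparison, here is a stateful variant of the external-interface rules, added as an example and not taken from the original post or from the www.open-pt.org ruleset. It keeps the interface names and networks from the quoted pf.conf, drops 192.168.0.0/16 from priv_nets as the reply suggests, and assumes a hypothetical DC++ client at 192.168.0.100 (constructed value) and the ftp-proxy from FreeBSD 5.3's inetd for active-mode FTP.

```pf
# Added example, not the poster's config. Names from the quoted pf.conf;
# dcpp_host is an assumed LAN address, ftp-proxy is assumed to run from inetd.
ext_if = "rl0"
int_if = "rl1"
tcp_services = "{ 22, 80 }"
icmp_types = "{ 8, 11 }"
internal_net = "192.168.0.0/24"
dcpp_host = "192.168.0.100"
dcpp_port = "1412"
# 192.168.0.0/16 left out, as the reply above suggests
priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

set loginterface $ext_if
scrub in all

# NAT for the LAN; translation happens on $ext_if, before the out filter
nat on $ext_if from $internal_net to any -> ($ext_if)
# forward DC++'s listening port to the LAN client (assumed host)
rdr on $ext_if proto tcp from any to ($ext_if) port $dcpp_port -> $dcpp_host
# active-mode FTP from the LAN goes through ftp-proxy on 127.0.0.1:8021
rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021

# default deny inbound on the public side, and log it
block in log on $ext_if all
# anti-spoofing for reserved ranges that should never appear on $ext_if
block in quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets

pass in quick on lo0 all
pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state

# The key difference from the quoted ruleset: the outbound TCP rule on
# $ext_if is active and keeps state, so replies to NATed LAN connections
# (passive FTP data channels, DC++ outbound, etc.) are matched by state
# instead of hitting "block in" when they come back in.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# only the published services are reachable from outside
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $dcpp_host port $dcpp_port flags S/SA keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
# data connections opened by remote servers back to ftp-proxy (runs as user proxy)
pass in on $ext_if inet proto tcp from any to ($ext_if) port > 49151 user proxy flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to parse without applying, then `pfctl -f /etc/pf.conf`, and watch `pfctl -ss` to confirm that outbound LAN connections now create state entries.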