[FUGSPBR] Firewall VPN

irado em hotpop.com
Fri Sep 17 00:55:09 BRT 2004


On Thu, 16 Sep 2004 08:55:44 -0300 (ART)
Roberto <bsd_linux2000 em yahoo.com.br>, well-known drug user
(McLixo and Coke), typed this nonsense:

> Allow internet access for all the machines behind the
> firewall;
> 
> I just need my firewall to let the ssh port
> through;
> 
> everything else can be blocked.
> 
> Anyway, that is the firewall I want to set up and I'm not
> managing to.
> 
> Thanks

hmmmm...

well, it's not really hard, since even I managed it. Ideally you
would have said what you are using, but on the assumption that it is
IPSEC, these rules here should help (found in one of the countless
tutorials out there in the world).

I don't even use it myself anymore - I switched to ipf with block rules
and entirely dynamic rules, which I find much easier, but anyway, this
is already a start. Analyze it and modify what is necessary:

(note: look for isakmp and esp in /etc/services and /etc/protocols, to
find out WHICH ports/services you must allow on your firewall)

############################
#
# Define your variables
#
fwcmd="/sbin/ipfw"	#path to ipfw (undefined in the posted fragment; added so the rules below run)
oif="rl0"		#set to outside interface name
onwr="200.168.136.0/26"	#set to outside network range
oip="200.168.136.26"	#set to outside ip address
iif1="rl1"		#set to internal interface name
iif2="rl2"
inwr1="192.168.1.0/24"	#set to internal network range
inwr2="192.168.10.0/24"	#set to internal network range
iip1="192.168.1.1"	#set to internal ip address
iip2="192.168.10.1"	#set to internal ip address
ns1="200.244.60.68"	#set to primary name server best if = oif
#ntp="i.j.k.l"		#set to ip of NTP server or leave as is

#
# End of required user input if you only intend to allow ssh
# connections to this box from the outside. If other services are
# required, edit line 96 as necessary.
#
# Rules with descriptions
#
#
#	Force a flush of the current firewall rules before we reload
	$fwcmd -f flush

# 	zeroing counters
	$fwcmd -f zero 

#
#	Allow your loop back to work
	$fwcmd add allow all from any to any via lo0
#
#	Prevent spoofing of your loopback
	$fwcmd add deny log all from any to 127.0.0.0/8
#
#	Stop spoofing of your internal network range
	$fwcmd add deny log ip from $inwr1 to any in via $oif
	$fwcmd add deny log ip from $inwr2 to any in via $oif
#
#	Stop spoofing from inside your private ip range
	$fwcmd add deny log ip from not $inwr1 to any in via $iif1
	$fwcmd add deny log ip from not $inwr2 to any in via $iif2
#
#	Stop private networks (RFC1918) from entering the outside interface.
	$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
	$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
	$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
	$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
	$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
	$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# 	Stop draft-manning-dsua-01.txt nets on the outside interface
	$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
	$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
	$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
	$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
	$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
	$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
	$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
	$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
	$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
	$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
#
#	Divert all packets through natd
echo "#	Divert all packets through natd"

	$fwcmd add divert natd all from any to any via $oif
#
#	Allow all established connections to persist (setup required
#	for new connections).
#	$fwcmd add allow log tcp from any to any established
#
#	Allow incoming requests to reach the following services:
#	To allow multiple services you may list them separated
#	by a coma, for example ...to $oip 22,25,110,80 setup
#	$fwcmd add allow tcp from any to $oip 22 setup
#
#	NOTE: you may have to change your client to passive or active mode
#		to get ftp to work once enabled, only ssh enabled by default.
#	21:ftp
#	22:ssh		enabled by default
#	23:telnet
#	25:smtp
#	110:pop
#	143:imap
#	80:http
#	443:ssl
#
#	Allow icmp packets for diagnostic purposes (ping traceroute)
#	you may wish to leave commented out.
#	IMPORTANT NOTE: traceroute does NOT WORK from my (internal)
#	FreeBSD machine, but it works on rwindows and Linux.
	$fwcmd add allow icmp from me to any icmptypes 8
#
#	Allow required ICMP
	$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
#
#	Allow dns queries
	$fwcmd add allow udp from any 53 to any 53 out
#
#	Allow time update traffic (uncomment after setting $ntp above;
#	with $ntp unset this line is a syntax error and ipfw rejects it)
#	$fwcmd add allow udp from $ntp 123 to $oip 123
#
#	Checks packets against dynamic rule set below.
	$fwcmd add check-state
#
	$fwcmd add allow log tcp from any to me 22 in via $iif1 keep-state setup
#
#	Allow any traffic from firewall ip to any going out the
#	external interface
	$fwcmd add allow log ip from $oip to any keep-state out via $oif
#
#	Allow all from lan 1 to lan 2 and back
	$fwcmd add allow all from $inwr2 to $inwr1 keep-state
	$fwcmd add allow all from $inwr1 to $inwr2 keep-state
#
#	Allow any traffic from local network to any passing through the
#	internal interface
	$fwcmd add allow log ip from $inwr1 to any keep-state via $iif1
	$fwcmd add allow log ip from $inwr2 to any keep-state via $iif2
#
#	Deny everything else
	$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.



---

regards,
irado furioso com tudo
100% Microsoft-free
Linux User 179402/FreeBSD BSD50853

Everything that Exists comes forth from Being and returns to Being. Being is
the Unfathomable Tao. From the depths of Being are born all the beings that
exist. Being, however, is the abyss of Non-Existing.
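The rule set the reply sketches, as an added, self-contained sh script (it is not the list post's own script): a NAT gateway that lets the LAN out, accepts ssh on the outside interface, and, following the note about isakmp and esp, passes IPsec to the firewall itself. The interface names and addresses are the ones from the post; DRY_RUN defaults to 1 so the script prints the ipfw commands instead of loading them.

```shell
#!/bin/sh
# Added example: generate (and optionally load) an ipfw rule set for a NAT
# gateway with ssh in, LAN out and IPsec terminated on the gateway.
oif="rl0"; oip="200.168.136.26"        # outside interface / address (from the post)
iif1="rl1"; inwr1="192.168.1.0/24"     # inside interface / network (from the post)
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = run /sbin/ipfw

fwcmd() {
    # In dry-run mode print the ipfw invocation instead of executing it.
    if [ "$DRY_RUN" = 1 ]; then printf 'ipfw %s\n' "$*"; else /sbin/ipfw "$@"; fi
}

build_rules() {
    fwcmd -f flush
    fwcmd add allow all from any to any via lo0
    fwcmd add deny log all from any to 127.0.0.0/8
    # Anti-spoofing: our LAN range must not arrive from outside, and only
    # our LAN range may arrive on the inside interface.
    fwcmd add deny log ip from "$inwr1" to any in via "$oif"
    fwcmd add deny log ip from not "$inwr1" to any in via "$iif1"
    # RFC1918 space never belongs on the outside interface, either way.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        fwcmd add deny log ip from "$net" to any in via "$oif"
        fwcmd add deny log ip from any to "$net" in via "$oif"
    done
    fwcmd add divert natd all from any to any via "$oif"
    # IPsec to the gateway: isakmp is udp/500 in /etc/services, esp is
    # protocol 50 in /etc/protocols (ipfw accepts both names).
    fwcmd add allow udp from any 500 to "$oip" 500
    fwcmd add allow esp from any to "$oip"
    fwcmd add allow esp from "$oip" to any
    fwcmd add check-state
    # ssh from the outside world, stateful; everything the gateway and the
    # LAN start themselves is stateful too.
    fwcmd add allow tcp from any to "$oip" 22 in via "$oif" setup keep-state
    fwcmd add allow ip from "$oip" to any out via "$oif" keep-state
    fwcmd add allow ip from "$inwr1" to any via "$iif1" keep-state
    fwcmd add 65435 deny log ip from any to any
}

# Number of 'ipfw add' lines the rule set contains (meaningful in dry-run).
count_rules() { build_rules | grep -c '^ipfw add'; }
```

Run with DRY_RUN=1 first and read the output; only then load it with DRY_RUN=0 from a console session, since the flush drops every rule before the new ones are in place.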

