[FUG-BR] Ipfw

Marcello Costa unixmafia at yahoo.com.br
Wednesday November 1 14:35:59 BRST 2006


On Wed, 2006-11-01 at 13:24 -0300, Bruno Henrique de Oliveira wrote:
> Good afternoon list,
> 
> I'm trying to build my first firewall on FreeBSD. I'm so excited, and I
> would be even more so if it had worked. I followed the handbook documentation
> and others I found on the internet, and with that I built my ipfw.rules file
> and pointed rc.conf at it with the line
> "firewall_type="/etc/ipfw.rules"", but when I reboot the machine the firewall
> doesn't read my rules. The command "ipfw list" keeps showing the default rule:
> "65535 deny ip from any to any".
> 

# Firewall
firewall_enable=YES
firewall_type="/etc/mscbsd.rulles"
firewall_logging="YES"

unixmafia# cat /etc/mscbsd.rulles
# Tunnels (dummynet bandwidth pipes, disabled)
#pipe 1 config bw 128Kbit/s queue 10Kbytes
#pipe 2 config bw 128Kbit/s queue 10Kbytes

add 100 pass all from any to any via lo0
add 101 deny all from any to 127.0.0.0/8
add 102 deny ip from 127.0.0.0/8 to any

add 200 deny log all from any to any frag
#add 201 deny log ip from any to any not verrevpath in
#add 202 deny log ip from any to any not antispoof in

# Anti Nmap
add 300 deny log tcp from any to any ipoptions ssrr,lsrr,rr
add 310 deny log tcp from any to any tcpflags syn,fin
add 320 deny log tcp from any to any tcpflags syn,rst

add 400 deny log udp from any to any dst-port 7
add 401 deny log udp from any 7 to any

# Stop RFC1918 nets on the outside interface
add 500 deny all from any to 10.0.0.0/8
add 501 deny all from any to 172.16.0.0/12
#add 502 deny all from any to 192.168.0.0/16
add 505 allow all from me to me
add 506 allow all from me to 192.168.0.0/16 137-139
add 507 allow all from 192.168.0.0/16 to me 137-139

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
add 550 deny all from any to 0.0.0.0/8
add 551 deny all from any to 169.254.0.0/16
add 552 deny all from any to 192.0.2.0/24
add 553 deny all from any to 224.0.0.0/4
add 554 deny all from any to 240.0.0.0/4

# Free browsing
add 1000 check-state
add 1001 allow all from me to any domain keep-state

# Anti brute force: at most one dynamic (tracked) SSH connection per source address
add 1002 allow tcp from any to me 22 limit src-addr 1

# Outbound packets
add 1005 allow all from me to any 20,21,22,23,53,80,110,153,443,631 keep-state
add 1005 allow all from any 20,21,22,53,80,110,443 to me
add 1006 allow all from me to any cvsup keep-state

add 1009 allow all from 192.168.254.1 to me keep-state

add 5000 allow log all from me to any 1-1024 keep-state

add 5001 allow all from me to any 1863 keep-state

#add 10000 pipe 1 tcp from me to any 1024-65000
#add 10000 pipe 2 tcp from any 1024-65000 to me

add 60000 allow all from me to any keep-state

add 65000 deny log all from any to me 1-1024

#add 65500 deny log tcp from any to any established
#add 65501 deny log all from any to me
add 65530 allow log logamount 50 all from any to any

These are the basic rules I use here on my desktop. I didn't even spend much
time looking them over, but you can test whether your script is OK by running
it by hand, because when there is an error in the rules it stops processing.
Try it on the command line:

unixmafia# ipfw -f flush ; ipfw /etc/mscbsd.rulles

Of course, put in the path where you placed your rules.

Cheers,


-- 
Marcello Costa
BSD System Engineer
unixmafia at yahoo dot com dot br
FUG-BR #156 
http://www.fug.com.br


	

	
		
_______________________________________________________ 
Você quer respostas para suas perguntas? Ou você sabe muito e quer compartilhar seu conhecimento? Experimente o Yahoo! Respostas !
http://br.answers.yahoo.com/


Mais detalhes sobre a lista de discussão freebsd
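The reply's advice is to load the file by hand because ipfw(8) stops at the first line it cannot parse, which is exactly what leaves a box sitting on "65535 deny ip from any to any". The script below is an added example, not code from the original post or from FreeBSD: it is a pre-flight check for a rules file of the kind shown above (every non-comment line must start with an ipfw subcommand, explicit rule numbers must be below the reserved 65535, duplicate numbers are reported as warnings) followed by the flush-and-reload step, which it only performs if the check passes and ipfw is actually present. The file names and the sample rules at the bottom are constructed for the demonstration; the wrapped "keep-state" line mirrors the kind of mistake that silently breaks loading.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for an
# ipfw(8) rules file, then the "ipfw -f flush ; ipfw <file>" step from the
# reply, guarded by that check. Sample files below are constructed here.

# Check one rules file for problems that would stop ipfw from loading it.
# Prints each finding to stderr and returns the number of hard problems
# (0 means the file looks loadable; warnings are printed but not counted).
check_ipfw_rules() {
    _file=$1
    _problems=0
    _lineno=0
    _seen=" "
    set -f   # no pathname expansion while splitting a rule into words
    while IFS= read -r _line || [ -n "$_line" ]; do
        _lineno=$((_lineno + 1))
        # Drop comments and surrounding whitespace.
        _rule=$(printf '%s\n' "$_line" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$_rule" ] && continue
        set -- $_rule
        # Every non-comment line must begin with an ipfw subcommand; anything
        # else (typically the tail of a wrapped rule) makes ipfw abort here.
        case $1 in
            add|pipe|queue|table|nat|flush) ;;
            *)
                echo "$_file:$_lineno: '$1' is not an ipfw subcommand (wrapped line?)" >&2
                _problems=$((_problems + 1))
                continue ;;
        esac
        [ "$1" = add ] || continue
        # An explicit rule number must be a decimal below 65535, the number
        # reserved for the kernel's default rule. No number: ipfw assigns one.
        case $2 in
            ""|*[!0-9]*) continue ;;
        esac
        if [ "$2" -ge 65535 ]; then
            echo "$_file:$_lineno: rule number $2 is out of range (65535 is the default rule)" >&2
            _problems=$((_problems + 1))
        fi
        # Duplicate numbers are legal (same-numbered rules run in file order)
        # but easy to get wrong when editing, so they are only warned about.
        case $_seen in
            *" $2 "*) echo "$_file:$_lineno: warning: rule number $2 already used" >&2 ;;
            *) _seen="$_seen$2 " ;;
        esac
    done < "$_file"
    set +f
    return $_problems
}

# Flush the active ruleset and load the file, as the reply suggests, but only
# after the check passes, so a typo cannot leave the machine half-loaded.
load_ipfw_rules() {
    check_ipfw_rules "$1" || return 1
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not available on this host" >&2; return 1; }
    ipfw -f flush && ipfw "$1"
}

# --- constructed sample files for the demonstration ---
_tmp=$(mktemp -d)
trap 'rm -rf "$_tmp"' EXIT
good_rules=$_tmp/good.rules
bad_rules=$_tmp/bad.rules

cat > "$good_rules" <<'EOF'
# loopback and anti-spoof
add 100 pass all from any to any via lo0
add 101 deny all from any to 127.0.0.0/8
add 1000 check-state
add 1005 allow all from me to any 22,53,80,443 keep-state
add 65000 deny log all from any to me 1-1024
EOF

# Same idea, but rule 1005 wrapped onto two lines and one number out of range.
cat > "$bad_rules" <<'EOF'
add 100 pass all from any to any via lo0
add 1005 allow all from me to any 22,53,80,443
keep-state
add 65535 deny log all from any to any
EOF

check_ipfw_rules "$good_rules" && echo "$good_rules: ok, safe to load"
check_ipfw_rules "$bad_rules" || echo "$bad_rules: $? problem(s), not loading"
```

Run it as root with `load_ipfw_rules /etc/your.rules` after adjusting the path; on a remote box, run it from a console or wrap it in a `sleep 60 && ipfw -f flush` safety timer, since a flush followed by a failed load leaves only the default deny rule and locks you out.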