[FUG-BR] IPFW Questions and Best Practices

Bruno Torres Viana btviana at gmail.com
Mon Dec 21 12:05:25 BRST 2009


Gentlemen,

I have never worked with IPFW and I am looking for some material on the net, but
I would like those who are "intimate" with this firewall to share the best
practices and how they work in full for 1 LAN and two WANs.  Below is how my
ruleset is shaping up here, in case anyone wants to share:

Just a reminder: it is not in production yet

#####################################################################################################
# FIREWALL                                                                                          #
#####################################################################################################
ipfw -q -f flush       # Delete all rules

#####################################################################################################
# ENVIRONMENT VARIABLES                                                                             #
#####################################################################################################
wan_gvt="re2"                   # out interface (WAN 1)
wan_ebt="re0"                   # out interface (WAN 2)
lan_vva="re1"                   # in interface (LAN)
cmd="ipfw -q add "              # build rule prefix
ks="keep-state"                 # just too lazy to key this each time

####################################################################################################
# ALLOW AND LOG EVERYTHING ON THE THREE INTERFACES                                                 #
####################################################################################################
# NOTE: "via" matches a packet going in OR out of the named interface, so these three rules
# accept every packet that crosses re0, re1 or re2; the rules below only ever see traffic on
# other interfaces (e.g. lo0).
$cmd 00100 allow log ip from any to any via $lan_vva
$cmd 00101 allow log ip from any to any via $wan_gvt
$cmd 00102 allow log ip from any to any via $wan_ebt

#####################################################################################################
# CHECK FOR PACKETS ARRIVING ON THE EXTERNAL INTERFACE FROM RESERVED (NON-ROUTABLE) RANGES         #
#####################################################################################################
$cmd 00301 deny all from 172.16.0.0/12   to any in via $wan_ebt  # RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8      to any in via $wan_ebt  # RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8     to any in via $wan_ebt  # loopback
$cmd 00304 deny all from 0.0.0.0/8       to any in via $wan_ebt  # loopback
$cmd 00305 deny all from 169.254.0.0/16  to any in via $wan_ebt  # DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24    to any in via $wan_ebt  # reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $wan_ebt  # Sun cluster
$cmd 00308 deny all from 224.0.0.0/3     to any in via $wan_ebt  # Class D & E multicast

#####################################################################################################
# BLOCK PING ON THE EXTERNAL INTERFACE                                                              #
#####################################################################################################
# "me" = any address configured on this host; an interface name (re0) is not valid in the
# address position of an ipfw rule, only after "via"/"recv"/"xmit".
$cmd 01000 deny icmp from any to me in via $wan_ebt icmptypes 8
$cmd 01010 check-state
$cmd 01020 allow icmp from me to any out via $wan_ebt icmptypes 8 $ks
$cmd 01030 deny icmp from any to any

-- 
-------------------------------
Bruno Torres Viana



We are all ignorant, just on different subjects. Don't be ignorant
by choice!


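The posted ruleset opens with three `allow ip from any to any via <interface>` rules, which is exactly the kind of ordering mistake a quick static check catches before the script goes into production. The checker below is an added example, not code from the original post; its SAMPLE is a constructed excerpt of the poster's rules (same variable names, with the `me` keyword in the address position) and it only reports rules shadowed by a single earlier catch-all.

```python
# Added example, not from the original post: flags ipfw rules that an earlier
# catch-all rule makes unreachable. SAMPLE is a constructed excerpt of the poster's ruleset.
import re

ASSIGN = re.compile(r'^(\w+)="([^"]*)"')
RULE = re.compile(r'^\$cmd\s+(\d+)\s+(allow|deny)\b(.*)$')  # check-state lines are skipped

SAMPLE = '''
wan_ebt="re0"
lan_vva="re1"
$cmd 00100 allow log ip from any to any via $lan_vva
$cmd 00102 allow log ip from any to any via $wan_ebt
$cmd 00301 deny all from 172.16.0.0/12 to any in via $wan_ebt  #RFC 1918
$cmd 01000 deny icmp from any to me in via $wan_ebt icmptypes 8
$cmd 01020 allow icmp from me to any out via $wan_ebt icmptypes 8 keep-state
$cmd 01030 deny icmp from any to any
'''

def parse(script):
    """Expand $vars and return the rules as dicts in ipfw evaluation order."""
    env, rules = {}, []
    for line in script.splitlines():
        line = line.split('#', 1)[0].strip()            # drop trailing comments
        if m := ASSIGN.match(line):
            env[m.group(1)] = m.group(2)
        elif m := RULE.match(line):
            body = re.sub(r'\$(\w+)', lambda v: env.get(v.group(1), v.group(0)), m.group(3))
            toks = [t for t in body.split() if t != 'log']  # 'log' never narrows a match
            iface = toks[toks.index('via') + 1] if 'via' in toks else None
            dst_i = toks.index('to') + 1
            rules.append({'num': int(m.group(1)), 'proto': toks[0],
                          'src': toks[toks.index('from') + 1], 'dst': toks[dst_i],
                          'dir': next((t for t in toks if t in ('in', 'out')), None),
                          'iface': iface,  # leftover options (icmptypes, ...) narrow the match
                          'extra': [t for t in toks[dst_i + 1:]
                                    if t not in ('in', 'out', 'via', 'keep-state', iface)]})
    return sorted(rules, key=lambda r: r['num'])

def catches_all(e, r):
    """True if earlier rule e matches every packet that rule r could match."""
    return (e['proto'] in ('ip', 'all') and e['src'] == 'any' and e['dst'] == 'any'
            and not e['extra'] and (e['iface'] is None or e['iface'] == r['iface'])
            and (e['dir'] is None or e['dir'] == r['dir']))

def shadowed(rules):
    """[(unreachable rule, first rule that shadows it)]. A rule covered only by the
    union of several catch-alls (one per interface) is not reported."""
    return [(r['num'], min(e['num'] for e in rules[:i] if catches_all(e, r)))
            for i, r in enumerate(rules) if any(catches_all(e, r) for e in rules[:i])]
```

Rule 01030 is not reported even though rules 00100 and 00102 together cover every interface in the sample, which is the union case the check deliberately leaves out.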