[FUG-BR] IPFW VS SMTP e POP

Bruno Torres Viana btviana em gmail.com
Terça Janeiro 5 12:41:50 BRST 2010


ifconfig (re1 = LAN, re2 = WAN). Observação: não existe interface re0 neste host, mas várias regras do ipfw abaixo ainda usam "via re0" (00113, 00240, 00250, 00281, 00300–00308, 00310, 00315, 00324–00327, 00331, 00411); essas regras nunca casam e, em particular, os filtros anti-spoofing/bogon 00301–00308 não estão protegendo a interface WAN real (re2).

re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:1d:7d:0d:25:80
        inet 192.168.25.4 netmask 0xffffff00 broadcast 192.168.25.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
re2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:1d:0f:be:93:e5
        inet 192.168.1.64 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active


netstat -nr
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS        11    17360    re2
127.0.0.1          link#4             UH          0       12    lo0
192.168.1.0/24     link#3             U           0      241    re2
192.168.1.64       link#3             UHS         0      114    lo0
192.168.25.0/24    link#2             U           4    30202    re1
192.168.25.4       link#2             UHS         0        0    lo0


ipfw show. Observação: diferentemente de 00200/00220, as regras 00230 (porta 25) e 00231 (porta 110) não trazem a direção "out"; com "via re2 setup keep-state" elas também aceitam SYN entrante pela WAN para 25/110 antes do deny 00499. Ambas estão com contador zero, enquanto 00299 (deny out via re2) já descartou 1754 pacotes — vale conferir no log do ipfw (/var/log/security) que tráfego está caindo ali (por exemplo, se o cliente de e-mail usa 587/465/993/995, portas que não estão liberadas). A regra 00420 ainda expõe telnet (porta 23, em texto claro) na re2 a partir de qualquer origem.
00005 63367 23159498 allow log ip from any to any via re1
00010    32     1920 allow log ip from any to any via lo0
00015     0        0 check-state
00110     0        0 allow log tcp from any to 192.168.1.1 dst-port 53 out
via re2 setup keep-state
00111   412    42103 allow log udp from any to 192.168.1.1 dst-port 53 out
via re2 keep-state
00112   409    20724 allow log tcp from 192.168.25.23 to any out via re2
setup keep-state
00113     0        0 allow log tcp from 192.168.25.23 to any out via re0
setup keep-state
00200 29123 13793875 allow log tcp from any to any dst-port 80 out via re2
setup keep-state
00220  1048   431997 allow log tcp from any to any dst-port 443 out via re2
setup keep-state
00230     0        0 allow log tcp from any to any dst-port 25 via re2 setup
keep-state
00231     0        0 allow log tcp from any to any dst-port 110 via re2
setup keep-state
00240     0        0 allow log tcp from me to any out via re0 setup uid root
keep-state
00250     0        0 allow log icmp from any to any out via re0 keep-state
00251     8      672 allow log icmp from any to any out via re2 keep-state
00260     0        0 allow log tcp from any to any dst-port 37 out via re2
setup keep-state
00280     0        0 allow log tcp from any to any dst-port 22 out via re2
setup keep-state
00281     0        0 allow log tcp from any to any dst-port 22 out via re0
setup keep-state
00290     0        0 allow log tcp from any to any dst-port 43 out via re2
setup keep-state
00299  1754   124034 deny log ip from any to any out via re2
00300     0        0 deny log ip from any to any out via re0
00301     0        0 deny log ip from 172.16.0.0/12 to any in via re0
00302     0        0 deny log ip from 10.0.0.0/8 to any in via re0
00303     0        0 deny log ip from 127.0.0.0/8 to any in via re0
00304     0        0 deny log ip from 0.0.0.0/8 to any in via re0
00305     0        0 deny log ip from 169.254.0.0/16 to any in via re0
00306     0        0 deny log ip from 192.0.2.0/24 to any in via re0
00307     0        0 deny log ip from 204.152.64.0/23 to any in via re0
00308     0        0 deny log ip from 224.0.0.0/3 to any in via re0
00310    29     1044 deny log icmp from any to any in via re2
00310    20     1280 deny log icmp from any to any in via re0
00315     0        0 deny log tcp from any to any dst-port 113 in via re2
00315     0        0 deny log tcp from any to any dst-port 113 in via re0
00320     0        0 deny log tcp from any to any dst-port 137 in via re2
00321     0        0 deny log tcp from any to any dst-port 138 in via re2
00322     0        0 deny log tcp from any to any dst-port 139 in via re2
00323     0        0 deny log tcp from any to any dst-port 81 in via re2
00324     0        0 deny log tcp from any to any dst-port 137 in via re0
00325     0        0 deny log tcp from any to any dst-port 138 in via re0
00326     6      296 deny log tcp from any to any dst-port 139 in via re0
00327     0        0 deny log tcp from any to any dst-port 81 in via re0
00330     0        0 deny log ip from any to any frag in via re2
00331     0        0 deny log ip from any to any frag in via re0
00332   286    14488 deny log tcp from any to any established in via re2
00333     0        0 deny log tcp from any to any established in via re2
00410     0        0 allow log tcp from any to me dst-port 22 in via re2
setup limit src-addr 2
00411     0        0 allow log tcp from any to me dst-port 22 in via re0
setup limit src-addr 2
00420     0        0 allow log tcp from any to me dst-port 23 in via re2
setup limit src-addr 2
00499   631    30860 deny log ip from any to any in via re2
00999    20     1317 deny log ip from any to any
65535     0        0 deny ip from any to any



2010/1/5 Nilson <nilson em forge.com.br>

> 2010/1/5 Bruno Torres Viana <btviana em gmail.com>:
> > Nilson,
> >
> > re1 é minha LAN, acredito que este pacote tem que passar mesmo...
> > Enfim, não tenho muita intimidade com ipfw; se puder ajudar...
>
> Claro. Por acaso não tem chance de ser esse bloqueio na porta 25
> que os provedores estão implantando devido à determinação do CGI.br?
>
> Mande mais dados:
>
> # ifconfig
> # netstat -nr
> # ipfw show
>
> --
> Nilson
>



-- 
-------------------------------
Bruno Torres Viana
Analista de Segurança da Informação
Contato: (27) 8823-0751


Todos nós somos ignorantes, porém em assuntos diferentes. Não seja ignorante
por opção!

