On Wed, 2006-11-01 at 13:24 -0300, Bruno Henrique de Oliveira wrote:
> Good afternoon list,
>
> I'm trying to set up my first firewall on FreeBSD. I'm so excited, and
> I'd be even more so if it had worked. I followed the handbook documentation and
> others I found on the internet, and with that I put together my ipfw.rules file and
> pointed rc.conf to read the file with the line
> "firewall_type="/etc/ipfw.rules"", but when I reboot the machine the firewall
> doesn't read my rules. The command "ipfw list" keeps showing the default
> rule:
> "65535 deny ip from any to any".
>
# Firewall
firewall_enable=YES
firewall_type="/etc/mscbsd.rulles"
firewall_logging="YES"

unixmafia# cat /etc/mscbsd.rulles
# Tunnels
#pipe 1 config bw 128Kbit/s queue 10Kbytes
#pipe 2 config bw 128Kbit/s queue 10Kbytes
add 100 pass all from any to any via lo0
add 101 deny all from any to 127.0.0.0/8
add 102 deny ip from 127.0.0.0/8 to any
add 200 deny log all from any to any frag
#add 201 deny log ip from any to any not verrevpath in
#add 202 deny log ip from any to any not antispoof in
# Anti Nmap
add 300 deny log tcp from any to any ipoptions ssrr,lsrr,rr
add 310 deny log tcp from any to any tcpflags syn,fin
add 320 deny log tcp from any to any tcpflags syn,rst
add 400 deny log udp from any to any dst-port 7
add 401 deny log udp from any 7 to any
# Stop RFC1918 nets on the outside interface
add 500 deny all from any to 10.0.0.0/8
add 501 deny all from any to 172.16.0.0/12
#add 502 deny all from any to 192.168.0.0/16
add 505 allow all from me to me
add 506 allow all from me to 192.168.0.0/16 137-139
add 507 allow all from 192.168.0.0/16 to me 137-139
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
add 550 deny all from any to 0.0.0.0/8
add 551 deny all from any to 169.254.0.0/16
add 552 deny all from any to 192.0.2.0/24
add 553 deny all from any to 224.0.0.0/4
add 554 deny all from any to 240.0.0.0/4
# Free browsing
add 1000 check-state
add 1001 allow all from me to any domain keep-state
# Anti brute force
add 1002 allow tcp from any to me 22 limit src-addr 1
# Outgoing packets
add 1005 allow all from me to any 20,21,22,23,53,80,110,153,443,631 keep-state
add 1005 allow all from any 20,21,22,53,80,110,443 to me
add 1006 allow all from me to any cvsup keep-state
add 1009 allow all from 192.168.254.1 to me keep-state
add 5000 allow log all from me to any 1-1024 keep-state
add 5001 allow all from me to any 1863 keep-state
#add 10000 pipe 1 tcp from me to any 1024-65000
#add 10000 pipe 2 tcp from any 1024-65000 to me
add 60000 allow all from me to any keep-state
add 65000 deny log all from any to me 1-1024
#add 65500 deny log tcp from any to any established
#add 65501 deny log all from any to me
add 65530 allow log logamount 50 all from any to any

These are the basic rules I use here on my desktop. I didn't spend much time looking them over, but you can test whether your script is OK by running it by hand, because when there is an error in the rules it stops processing. Try this on the command line:

unixmafia# ipfw -f flush ; ipfw /etc/mscbsd.rulles

Of course, use the path where you put your rules.

[]'s
--
Marcello Costa
BSD System Engineer
unixmafia at yahoo dot com dot br
FUG-BR #156
http://www.fug.com.br
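The point made above, that rc.firewall hands a firewall_type file straight to ipfw(8) and that one unparseable line stops the whole load (leaving only rule 65535), as an added example that is not from either post: a POSIX sh pre-flight checker for such a file, to run before flushing a working ruleset. It assumes the file is the one firewall_type points at, that the -n (syntax-only) option of ipfw(8) exists on your release, and the function names are my own.

```shell
#!/bin/sh
# Pre-flight check for a rules file named by firewall_type in /etc/rc.conf
# (added example, not from the thread). rc.firewall hands such a file to
# ipfw(8) unchanged: each non-comment line must be a bare ipfw command
# ("add 100 allow ..."), not a shell line ("ipfw add ..."), and ipfw stops
# at the first line it cannot parse, leaving only rule 65535 in place.

# check_rules FILE: print one diagnostic per suspicious line, return 1 if
# any line would stop ipfw, 0 otherwise. Duplicate rule numbers are legal
# (later rules with the same number sort after earlier ones) and are only
# noted, so a file like the one above passes.
check_rules() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments and indentation
        /^$/ { next }                               # blank after stripping
        /^(ipfw|\/sbin\/ipfw)[ \t]/ {
            printf("%s:%d: drop the leading \"ipfw\": %s\n", FILENAME, NR, $0)
            bad = 1; next
        }
        $1 !~ /^(add|pipe|queue|table|nat|flush|delete|set)$/ {
            printf("%s:%d: not an ipfw command: %s\n", FILENAME, NR, $0)
            bad = 1; next
        }
        $1 == "add" && $2 ~ /^[0-9]+$/ {
            if ($2 in seen) {
                printf("%s:%d: note: rule number %s reused (first at line %d)\n",
                       FILENAME, NR, $2, seen[$2])
            } else {
                seen[$2] = NR
            }
        }
        END { exit bad }
    ' "$1"
}

# syntax_check FILE: if ipfw(8) is present, let it parse the file without
# touching the kernel (-n; assumed to be in your release's ipfw(8), check
# the man page). Returns ipfw's status, or 0 when ipfw is not installed so
# the awk check above can still run on another host.
syntax_check() {
    command -v ipfw >/dev/null 2>&1 || return 0
    ipfw -n "$1"
}

# Usage: sh check_ipfw.sh /etc/ipfw.rules   (run before "ipfw -f flush")
if [ $# -eq 1 ]; then
    check_rules "$1" && syntax_check "$1"
fi
```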
-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd