I put in rules denying a lot of things just to see the connection attempts that match these rules.
Did I reason correctly?
- Original Message -
From: "Tiago N. Sampaio" <[EMAIL PROTECTED]>
To: "FreeBSD discussion list"
Sent: Monday, April 24, 2006 12:43 PM
Subject: Re: [FUG-BR] IPFW doesn't work for long
Tip: udp and icmp have no defined states, so your rule allowing established packets only works for tcp; to make icmp and udp work, put a keep-state at the end of the rule. (I saw that you have some rules allowing some icmp and udp packets)
And why do you block a bunch of things at the top, if your fw is default deny? Just allow what is permitted, and let the rest fall through to the last deny rule.
Regards.
Tiago N. Sampaio
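The stateful approach described above, as an added example that is not part of the thread or of the quoted rc.firewall fragment: a dry-run ipfw script (fwcmd is "echo ipfw" so nothing is loaded) that uses check-state/keep-state for tcp, udp and icmp and ends in a single logged default deny. The net/mask/ip values are placeholders copied from the quoted post.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. fwcmd prints the rules instead
# of loading them; set fwcmd="/sbin/ipfw" on a FreeBSD box to apply them.
fwcmd="echo ipfw"
net="xxx.xxx.xxx.0"      # placeholder values, as in the quoted post
mask="255.255.255.0"
ip="xxx.xxx.xxx.3"

stateful_rules() {
    # Match replies to dynamic rules first, before any static rule.
    ${fwcmd} add check-state
    # TCP: only the outbound SYN (setup) is allowed, and keep-state
    # records the flow so the rest of the session is matched by check-state.
    ${fwcmd} add pass tcp from ${net}:${mask} to any setup keep-state
    # UDP has no 'established' flag, so the reply from the DNS/NTP server
    # only gets back in because keep-state created a dynamic rule.
    ${fwcmd} add pass udp from ${net}:${mask} to any 53,123 keep-state
    # Same for ICMP: allow outbound echo request, reply comes back via state.
    ${fwcmd} add pass icmp from ${net}:${mask} to any icmptypes 8 keep-state
    # Inbound SSH to the firewall itself, also tracked by state.
    ${fwcmd} add pass tcp from any to ${ip} 22 setup keep-state
    # One logged default deny: blocked attempts show up in the ipfw log
    # without needing separate deny rules for each service at the top.
    ${fwcmd} add deny log all from any to any
}

stateful_rules
```

With fwcmd set to the real binary, the same function loads the rules; the log lines from the final rule are where the "what is hitting me" view comes from.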
Armindo S. Gomes wrote:
> Sure!
>
> This is how my network looks:
>
>   xxx.xxx.xxx.1    xxx.xxx.xxx.3
> --| Router |--| Firewall(FreeBSD) |---| Switch |
>
> Here it goes:
>
> # set these to your network and netmask and ip
> net="xxx.xxx.xxx.0"
> mask="255.255.255.0"
> ip="xxx.xxx.xxx.3"
>
> dns1="xxx.xxx.xxx.38"
> dns2="xxx.xxx.xxx.34"
> dns3="xxx.xxx.xxx.60"
> dns4="xxx.xxx.xxx.3"
> dns5="200.20.94.50"
>
> setup_loopback
>
> # Blocking non-routable RFC1918 networks
> ${fwcmd} add deny all from any to 10.0.0.0/8
> ${fwcmd} add deny all from any to 172.16.0.0/12
> ${fwcmd} add deny all from any to 192.168.0.0/16
> ${fwcmd} add deny all from 10.0.0.0/8 to any
> ${fwcmd} add deny all from 172.16.0.0/12 to any
> ${fwcmd} add deny all from 192.168.0.0/16 to any
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> ${fwcmd} add deny all from any to 0.0.0.0/8
> ${fwcmd} add deny all from any to 169.254.0.0/16
> ${fwcmd} add deny all from any to 192.0.2.0/24
> ${fwcmd} add deny all from any to 224.0.0.0/4
> ${fwcmd} add deny all from any to 240.0.0.0/4
> ${fwcmd} add deny all from 0.0.0.0/8 to any
> ${fwcmd} add deny all from 169.254.0.0/16 to any
> ${fwcmd} add deny all from 192.0.2.0/24 to any
> ${fwcmd} add deny all from 224.0.0.0/4 to any
> ${fwcmd} add deny all from 240.0.0.0/4 to any
>
> # Prevents DoS attacks from the SQL Slammer, Sapphire, Worm.SQL.Helkern virus.
> ${fwcmd} add deny udp from any to ${net}:${mask} 1434
>
> # Blocks NT packets
> ${fwcmd} add deny udp from any to ${net}:${mask} 137-139
>
> # Blocks BOOTP/DHCP and NETBIOS packets
> ${fwcmd} add deny udp from any to ${net}:${mask} 67
> ${fwcmd} add deny tcp from any to ${net}:${mask} 137-139
>
> # For use with the transparent proxy
> ${fwcmd} add allow tcp from ${ip} to any
> ${fwcmd} add fwd 127.0.0.1,3128 tcp from ${net}:${mask} to any 80
>
> # Allows already established TCP connections
> ${fwcmd} add pass tcp from any to any established
>
> # IP phone
> ${fwcmd} add pass ip from any to xxx.xxx.xxx.36
> ${fwcmd} add pass ip from xxx.xxx.xxx.36 to any
>
> # Allows connection to this firewall via SSH
> ${fwcmd} add pass tcp from xxx.xxx.xxx.8 to ${ip} 22 setup
> ${fwcmd} add pass tcp from xxx.xxx.xxx.38 to ${ip} 22 setup
> ${fwcmd} add pass tcp from xxx.xxx.xxx.60 to ${ip} 22 setup
> ${fwcmd} add deny tcp from any to ${ip} 22
>
> # Allow inbound e-mail
> ${fwcmd} add pass tcp from any to xxx.xxx.xxx.34 25 setup
>
> # Allow DNS access
> ${fwcmd} add pass udp from any to any 53 keep-state
>
> # Allows zone transfer with Guanabara
> ${fwcmd} add pass tcp from ${dns5} to ${dns1} 53 setup
>
> # Allows access to the HTTP servers
> ${fwcmd} add pass tcp from any to xxx.xxx.xxx.34 80 setup
> ${fwcmd} add pass tcp from any to xxx.xxx.xxx.60 80 setup
>
> # Allows access to the HTTPS servers
> ${fwcmd} add pass tcp from any to xxx.xxx.xxx.34 443 setup
> ${fwcmd} add pass tcp from any to xxx.xxx.xxx.60 443 setup
>
> # Allows access to the FTP servers
> ${fwcmd} add pass tcp from any to xxx.xxx.xxx.59 20,21 setup
> ${fwcmd} add pass tcp from any 1024-65535 to xxx.xxx.xxx.59 2048-2148
>
> # Allows NTP updates
> ${fwcmd} add pass udp from any to any 123 keep-state
>
> # Block iMesh version 1
> ${fwcmd} add deny tcp from ${net}:${mask} to any 5000
>
> # Block Napster
> ${fwcmd} add deny tcp from ${net}:${mask} to any
> 6699,,,,,
>
> # Block MSN
> ${fwcmd} add deny tcp from any to any 1863
>
> # Block IRC
> ${fwcmd} add deny tcp from