Boa Tarde Leandro, Segue um exemplo real, mas MUITO cuidado ao colocar em produção, pois vc precisa alterar a regra para as suas necessidades, caso contrário terá problemas na inicialização e com os deny´s e allow´s em demasia.
Ai vai... ############################################################### # FIREWALL DE CONTROLE DE ACESSO # VERSAO: 1.0 ############################################################### # VARIAVEIS DE MEMORIA iif="ed0" eif="xl0" inet="192.142.0.0/24" IP_SSH="192.142.0.1, 192.142.0.2" #!/bin/bash # if [ -z "${source_rc_confs_defined}" ]; then if [ -r /etc/defaults/rc.conf ]; then . /etc/defaults/rc.conf source_rc_confs elif [ -r /etc/rc.conf ]; then . /etc/rc.conf fi fi setup_loopback () { ############ # Only in rare cases do you want to change these rules # ${fwcmd} add 100 pass all from any to any via lo0 ${fwcmd} add 200 deny all from any to 127.0.0.0/8 ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any } if [ -n "${1}" ]; then firewall_type="${1}" fi ############ # Set quiet mode if requested # case ${firewall_quiet} in [Yy][Ee][Ss]) fwcmd="/sbin/ipfw -q" ;; *) fwcmd="/sbin/ipfw" ;; esac ############ # Flush out the list before we begin. # ${fwcmd} -f flush #${fwcmd} add 1 deny all from any to any ############ case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then ${fwcmd} add 50 divert natd all from any to any via ${natd_interface} fi ;; esac # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from 10.0.0.0/8 to any via ${eif} ${fwcmd} add deny all from 172.16.0.0/12 to any via ${eif} # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) # on the outside interface ${fwcmd} add deny all from any to 0.0.0.0/8 via ${eif} ${fwcmd} add deny all from any to 169.254.0.0/16 via ${eif} ${fwcmd} add deny all from any to 192.0.2.0/24 via ${eif} ${fwcmd} add deny all from any to 192.168.10.0/24 in via ${eif} ${fwcmd} add deny all from any to 224.0.0.0/4 via ${eif} ${fwcmd} add deny all from any to 240.0.0.0/4 via ${eif} # Allow setup of any stream from us to the world #${fwcmd} add pass all from ${enet} to any via ${eif} keep-state # Redirect web traffic to the proxy. ${fwcmd} add set 20 allow tcp from me to any 80 keep-state ${fwcmd} add set 20 allow tcp from ${inet} to me 3128 in via ${iif} ${fwcmd} add set 20 fwd 127.0.0.1,3128 tcp from ${inet} to not 200.251.3.2 80 in via ${iif} ${fwcmd} add set 20 deny log tcp from any to me 3128 # Allow ICMP ${fwcmd} add pass icmp from any to any icmptypes 8 keep-state ${fwcmd} add pass icmp from any to any icmptypes 0 keep-state # Allow access to out HTTPS ${fwcmd} add pass tcp from any to any 443 # NEGA E LIBERA SSH ${fwcmd} add deny log tcp from any to any 22 in via ${eif} keep-state ${fwcmd} add pass tcp from me to any 22 via ${eif} keep-state ${fwcmd} add pass tcp from $IP_SSH to me 22 via ${iif} keep-state ${fwcmd} add pass tcp from me to any 22 via ${iif} keep-state ${fwcmd} add reset log tcp from any to any 22 # Let the rest of internal interface alone. ${fwcmd} add pass all from any to any via ${iif} # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established # Allow IP fragments to pass through ${fwcmd} add pass all from any to any frag # Allow access to our DNS ${fwcmd} add pass tcp from any to any 53 setup ${fwcmd} add pass udp from any to any 53 ${fwcmd} add pass udp from any 53 to any # Allow access to our WWW ${fwcmd} add pass tcp from any to any 80 setup keep-state ${fwcmd} add pass tcp from any to any 110 setup keep-state ${fwcmd} add pass tcp from any to any 25 setup keep-state # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel # config file. ${fwcmd} add 65534 deny log all from any to any -----Mensagem original----- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Em nome de Suprema Informática Ltda Enviada em: sexta-feira, 24 de novembro de 2006 15:44 Para: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)" Assunto: [FUG-BR] IPFW-Exemplos Gente boa, quero saber se alguém tem algum exemplo de firewall com tudo fechado em ipfw, e com algumas excessões para algumas portas, algum exemplo corriqueiro, algo do dia a dia leandro ------------------------- Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd ------------------------- Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd