Boa Tarde Leandro,

Segue um exemplo real, mas MUITO cuidado ao colocar em produção, pois vc
precisa alterar as regras para as suas necessidades, caso contrário terá
problemas na inicialização e com deny's e allow's em demasia.

Aí vai...

###############################################################

# FIREWALL DE CONTROLE DE ACESSO
# VERSAO: 1.0

###############################################################

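# VARIAVEIS DE MEMORIA
#
# iif    - internal (LAN) interface
# eif    - outside interface; the anti-spoofing rules below hang off it
# inet   - the internal network in CIDR form, used by the proxy rules
# IP_SSH - LAN hosts allowed to ssh into this box. The value is expanded
#          unquoted into ONE ipfw address-list argument, so it must be
#          comma-separated with no whitespace; a space after the comma
#          splits the list into two words and yields a malformed rule.
iif="ed0"
eif="xl0"
inet="192.142.0.0/24"
IP_SSH="192.142.0.1,192.142.0.2"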

#!/bin/bash 
#
# Pull in the rc.conf settings this script reads later (firewall_quiet,
# natd_enable, natd_interface) unless the caller already did; reading
# /etc/defaults/rc.conf presumably sets source_rc_confs_defined, which is
# what is tested here. The "#!/bin/bash" line just above is not on line 1
# of the file, so it is only a comment: the script runs under whichever
# shell sources it (normally /bin/sh via rc).
if test -z "${source_rc_confs_defined}"; then
        if test -r /etc/defaults/rc.conf; then
                # the defaults file provides source_rc_confs, which in
                # turn reads /etc/rc.conf and friends
                . /etc/defaults/rc.conf
                source_rc_confs
        elif test -r /etc/rc.conf; then
                . /etc/rc.conf
        fi
fi

setup_loopback () {
        ############
        # Only in rare cases do you want to change these rules:
        # everything on lo0 passes, and anything addressed to or from
        # 127/8 that was not on lo0 is dropped.
        # NOTE(review): nothing in this listing calls setup_loopback,
        # so these three rules are only installed if the caller invokes it.
        #
        local rule
        for rule in \
            "100 pass all from any to any via lo0" \
            "200 deny all from any to 127.0.0.0/8" \
            "300 deny ip from 127.0.0.0/8 to any"
        do
                # ${rule} is split on whitespace on purpose: each word
                # becomes one ipfw argument, exactly as the literal rules
                ${fwcmd} add ${rule}
        done
}

# A firewall type handed in as the first argument overrides the rc.conf
# value. Nothing later in this listing reads firewall_type; presumably
# it is carried over from the stock rc.firewall, which switches on it.
case "${1}" in
?*)
        firewall_type="${1}"
        ;;
esac

############
# Set quiet mode if requested
#
############
# Set quiet mode if requested
# With firewall_quiet=YES in rc.conf every rule is added with -q, so the
# additions below are not echoed during boot.
#
fwcmd="/sbin/ipfw"
case "${firewall_quiet}" in
[Yy][Ee][Ss])
        fwcmd="${fwcmd} -q"
        ;;
esac

############
# Flush out the list before we begin.
# -f skips ipfw's confirmation prompt, which would otherwise block a
# non-interactive run from rc. From here until rule 65534 is added at the
# bottom, only the kernel's default rule 65535 decides; with the
# IPFIREWALL_DEFAULT_TO_ACCEPT option mentioned at the end of this file
# that is a short window in which everything passes. The commented-out
# "add 1 deny" below would close that window (remove it again after the
# rules are loaded).
#
${fwcmd} -f flush
#${fwcmd} add  1 deny all from any to any

############

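        ############
        # Hook natd in: divert every packet on the NAT interface through
        # natd before any of the filtering below. The rule is numbered 50
        # so it sorts ahead of everything else added by this script.
        # Keep the whole rule on ONE line -- the "via" clause belongs to
        # it; wrapped onto its own line it would run "via" as a command
        # and leave the divert rule without an interface restriction.
        #
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
                fi
                ;;
        esac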

# Stop RFC1918 nets on the outside interface
# (anti-spoofing: private source addresses have no business on ${eif}).
# NOTE(review): the stock rc.firewall also lists 192.168.0.0/16 here; in
# this copy only the inbound destination rule for 192.168.10.0/24 below
# remains -- confirm that is intended.
${fwcmd} add deny all from 10.0.0.0/8 to any via ${eif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${eif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
# These match on the destination address; plain "via" covers both
# directions on ${eif}.
${fwcmd} add deny all from any to 0.0.0.0/8 via ${eif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${eif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${eif}
# Unlike its neighbours this one is inbound-only ("in") and a single /24.
${fwcmd} add deny all from any to 192.168.10.0/24 in via ${eif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${eif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${eif}

# Allow setup of any stream from us to the world
#${fwcmd} add pass all from ${enet} to any via ${eif} keep-state

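# Redirect web traffic to the proxy.
# All four rules live in set 20 so they can be toggled as a group with
# "ipfw set disable 20" / "ipfw set enable 20".
#
# This host itself may open outbound HTTP (presumably the proxy's own
# fetches); return traffic rides on the dynamic state.
${fwcmd} add set 20 allow tcp from me to any 80 keep-state
# LAN clients may talk to the proxy port directly.
${fwcmd} add set 20 allow tcp from ${inet} to me 3128 in via ${iif}
# LAN HTTP to anywhere except 200.251.3.2 is transparently forwarded to
# the local proxy; that one host is reached directly. Keep the rule on
# ONE line -- wrapped, the trailing "80 in via ${iif}" would run as a
# separate command and the fwd rule would lose its port and interface
# qualifiers.
${fwcmd} add set 20 fwd 127.0.0.1,3128 tcp from ${inet} to not 200.251.3.2 80 in via ${iif}
# Anything else aimed at the proxy port (in particular from the outside)
# is dropped and logged.
${fwcmd} add set 20 deny log tcp from any to me 3128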

# Allow ICMP
# Only echo request (8) and echo reply (0) are matched here, in either
# direction and on every interface, with dynamic state for the replies.
# Other ICMP types are not matched by these two rules.
${fwcmd} add pass icmp from any to any icmptypes 8 keep-state 
${fwcmd} add pass icmp from any to any icmptypes 0 keep-state 

# Allow access to out HTTPS
# NOTE(review): this rule is stateless and carries no "setup", "in" or
# "via" qualifier, so it matches every TCP segment to port 443 on every
# interface in both directions -- including new connections from the
# outside to port 443 on this host. If only outbound client HTTPS is
# meant, "pass tcp from me to any 443 setup keep-state" would be
# narrower; confirm the intent.
${fwcmd} add pass tcp from any to any 443

# NEGA E LIBERA SSH (deny, then allow, SSH)
# Inbound SSH on the outside interface is dropped and logged first, so
# none of the pass rules below can admit it.
# NOTE(review): keep-state on a deny rule is unusual -- confirm it is
# intended rather than left over from an earlier pass rule.
${fwcmd} add deny log tcp from any to any 22 in via ${eif} keep-state
# This host may ssh out to the world ...
${fwcmd} add pass tcp from me to any 22 via ${eif} keep-state
# ... and only the hosts in IP_SSH may ssh into it from the LAN. IP_SSH
# is expanded unquoted as a single ipfw address list, so it must be
# comma-separated with no whitespace.
${fwcmd} add pass tcp from $IP_SSH to me 22 via ${iif} keep-state
${fwcmd} add pass tcp from me to any 22 via ${iif} keep-state
# Every other port-22 segment gets a TCP RST and a log entry. This comes
# before the blanket "pass all ... via ${iif}" rule further down, so LAN
# hosts not listed in IP_SSH are refused as well.
${fwcmd} add reset log tcp from any to any 22

# Let the rest of internal interface alone.
# Everything on the LAN interface that the SSH and proxy rules above did
# not already decide passes unfiltered, so the rules below only matter
# for traffic on ${eif}.
${fwcmd} add pass all from any to any via ${iif}

# Allow TCP through if setup succeeded
# NOTE(review): "established" is stateless -- it matches any TCP segment
# with ACK or RST set regardless of the dynamic state table. This is the
# stock rc.firewall idiom, but it can let ACK probes reach closed ports;
# the keep-state rules above already admit the return traffic of the
# connections they created.
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
# Non-first fragments carry no port information, so none of the port
# rules could classify them; they are passed here unconditionally.
${fwcmd} add pass all from any to any frag

# Allow access to our DNS
${fwcmd} add pass tcp from any to any 53 setup
${fwcmd} add pass udp from any to any 53
# NOTE(review): any UDP datagram whose *source* port is 53 is accepted to
# any port on any host, from the outside as well -- a well-known weakness
# of this classic rule. Limiting the destination (e.g. "to me" or
# "to ${inet}") or relying on keep-state on the query rule instead would
# be narrower; confirm what the resolver setup needs.
${fwcmd} add pass udp from any 53 to any

# Allow access to our WWW (and POP3 and SMTP): new inbound connections
# from anywhere, on any interface, to ports 80, 110 and 25 are accepted
# and tracked.
${fwcmd} add pass tcp from any to any 80 setup keep-state
${fwcmd} add pass tcp from any to any 110 setup keep-state
${fwcmd} add pass tcp from any to any 25 setup keep-state

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
# Rule 65534 sits just below the kernel's fixed default rule 65535, so
# this explicit, logged deny is reached first whatever that option says.
${fwcmd} add 65534 deny log all from any to any
 





-----Mensagem original-----
De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Em nome
de Suprema Informática Ltda
Enviada em: sexta-feira, 24 de novembro de 2006 15:44
Para: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)"
Assunto: [FUG-BR] IPFW-Exemplos

Gente boa,


quero saber se alguém tem algum exemplo de firewall com tudo fechado em
ipfw, e com algumas exceções para algumas portas,


algum exemplo corriqueiro, algo do dia a dia

leandro

