Pessoal, sempre utilizei o IPFilter no FreeBSD pra montar meus firewalls, mas agora estou comecando a estudar o PF, pois me parece ser muito bom. Sempre que montava um firewall em ipfilter, eu rodava o nessus pra verificar a seguranca, e sempre estava muito bem configurado, e o nessus na maioria das vezes nao encontrava nenhum problema de seguranca, e muitas vezes, o nessus ate pensava que o IP nao existia ou coisa parecida, pois ele dava uma mensagem que nao era possivel encontrar o host. Pois bem, agora com o PF, nao estou acertando nas configuracoes de firewall, pois o nessus sempre encontra furos. Ja li varias vezes o documento oficial do PF no site do OpenBSD, ja olhei todos os arquivos dentro de /usr/share/examples/pf/ no FreeBSD, e tambem varias dicas na internet, mas ate agora nada resolveu meu problema.
No firewall de teste que estou montando aqui, tenho rodando pra rede Externa apenas o SSH, que no meu caso roda na porta 50.000, e pra rede interna o Apache (porta 80) por causa dos relatorios do Sarg e o Squid na porta 3128. E dentro dos arquivos squid.conf e httpd.conf, esta configurado pra rodar no ip da rede local. exemplo: 192.168.0.1:3128(squid) 192.168.0.1:80(apache). quando executo o comando sockstat ele mostra que esta rodando apenas na interface da rede local mesmo. Mas pelo nessus, ele diz que a porta 80 esta livre e com furos. Tenho redes separadas aqui na empresa onde trabalho, e varios links de internet separados tambem, entao quando utilizo o nessus pra fazer esses testes, tenho certesa de que nao estou testando pela rede interna LAN. As configuracoes deste firewall sao exatamente iguais as dos firewall que montava usando IPFilter, a unica coisa que esta diferente agora e que uso o PF. Abaixo colocarei algumas informacoes dos arquivos de configuracao que tenho neste novo firewall, e tambem o relatorio que o nessus me da quando rodo o teste. Se alguem puder me apontar onde estou errando, ou como melhorar a seguranca deste firewall, agradeco desde ja a ajuda!!! ------------------ RELATORIO NESSUS -------------------------- 201.24.73.106 1 Open Ports, 11 Notes, 2 Warnings, 1 Holes. http (80/tcp) The proxy, allows everyone to perform requests against arbitrary ports, like 'GET http://cvs.nessus.org:110'. This problem may allow attackers to go through your firewall, by connecting to sensitive ports like 25 (sendmail) using your proxy. In addition to that, your proxy may be used to perform attacks against other networks. Solution reconfigure your proxy so that it only accepts connections against non-dangerous ports (> 1024). Risk Factor : High Plugin ID : 10193 Synopsis : The remote web proxy server accepts requests. Description : The remote web proxy accepts unauthenticated HTTP requests from the Nessus scanner. By routing requests through the affected proxy, a user may be able to gain some degree of anonymity while browsing web sites, which will see requests as originating from the remote host itself rather than the user's host. Solution Reconfigure the remote proxy so that it only accepts requests coming from inside your network. Risk Factor : Low / CVSS Base Score : 2.3 (AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N) Plugin ID : 10195 The proxy accepts gopher:// requests. Gopher is an old network protocol which predates HTTP and is nearly unused today. As a result, gopher-compatible software is generally less audited and more likely to contain security bugs than others. By making gopher requests, an attacker may evade your firewall settings, by making connections to port 70, or may even exploit arcane flaws in this protocol to gain more privileges on this host (see the attached CVE id for such an example). Solution: reconfigure your proxy so that it refuses gopher requests. Risk Factor : Medium CVE : CVE-2002-0371 BID : 4930 Other references : OSVDB:3004 Plugin ID : 11305 Port is open Plugin ID : 11219 A web server is running on this port Plugin ID : 10330 An HTTP proxy is running on this port Plugin ID : 10330 The GET method revealed those proxies on the way to this web server : HTTP/1.0 hercules-mmc.redesuperauto.com.br:3128 (squid/2.6.STABLE10) Plugin ID : 11040 Synopsis : A web server is running on the remote host. Description : This plugin attempts to determine the type and the version of the remote web server. Risk Factor : None Plugin output : The remote web server type is : squid/2.6.STABLE10 Plugin ID : 10107 Synopsis : Some information about the remote HTTP configuration can be extracted. Description : This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem Solution: None. Risk Factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) Plugin output : Protocol version : HTTP/1.0 SSL : no Pipelining : no Keep-Alive : no Options allowed : (Not implemented) Headers : ------------- PF.CONF ----------------- external = "xl0" internal = "xl1" nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, \ 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, \ 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, \ 255.255.255.255/32 }" set loginterface $external set skip on lo0 scrub in all nat on $external from 192.168.0.0/24 to any -> $external block all antispoof quick for $internal inet #--- Loopback @ 127.0.0.1/8 ----------------------------#### pass out quick on lo0 from any to any pass in quick on lo0 from any to any #--- Rede Local @ 192.168.0.1/24 --------------------#### pass out quick on $internal from any to any keep state pass in quick on $internal from any to any keep state #--- Link BrT/ADSL @ 201.24.73.106/29 ------------------------#### block out log quick on $external from any to $nonroutable pass out quick on $external from any to any keep state pass in log quick on $external inet proto tcp from any to any port 50000 flags S/SA keep state block in quick on $external proto tcp from any to any port = 113 block in log quick on $external inet proto icmp from any to any icmp-type redir block in log quick on $external from $nonroutable to any block return-rst in log quick on $external inet proto tcp from any to any flags S/SA block return-icmp in log quick on $external inet proto udp from any to any block return-icmp(net-unr) in log quick proto udp from any to any block return block in log quick on $external all ------- SYSCTL.CONF ------------------ # SISTEMA security.bsd.see_other_uids=0 kern.coredump=0 kern.fallback_elf_brand=3 kern.ipc.shm_use_phys=1 kern.ipc.maxsockbuf=4000000 kern.ipc.somaxconn=8192 kern.maxfiles=65536 kern.maxfilesperproc=32768 vfs.vmiodirenable=1 # IP net.inet.ip.check_interface=1 net.inet.ip.random_id=1 net.inet.ip.forwarding=1 net.inet.ip.process_options=0 # ICMP net.inet.icmp.maskrepl=0 # TCP net.inet.tcp.rfc3042=1 net.inet.tcp.rfc3390=1 net.inet.tcp.rfc1323=1 net.inet.tcp.delayed_ack=0 net.inet.tcp.keepidle=300000 net.inet.tcp.keepintvl=150 net.inet.tcp.recvspace=65536 net.inet.tcp.sendspace=65536 net.inet.tcp.syncookies=1 net.inet.tcp.blackhole=2 net.inet.tcp.log_in_vain=1 net.inet.tcp.sack.enable=1 net.inet.tcp.inflight.enable=0 net.inet.tcp.path_mtu_discovery=0 # UDP net.inet.udp.blackhole=1 net.inet.udp.log_in_vain=1 net.inet.udp.recvspace=65536 # LOCAL net.local.stream.recvspace=65536 net.local.stream.sendspace=65536 --------- SOCKSTAT -------------- USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS suporte sshd 3637 3 tcp4 201.24.73.106:50000 201.24.210.30:50824 suporte sshd 3637 4 stream -> ?? root sshd 3635 3 tcp4 201.24.73.106:50000 201.24.210.30:50824 root sshd 3635 5 stream -> ?? www httpd 904 3 tcp4 192.168.0.1:80 *:* www httpd 903 3 tcp4 192.168.0.1:80 *:* www httpd 902 3 tcp4 192.168.0.1:80 *:* www httpd 901 3 tcp4 192.168.0.1:80 *:* www httpd 900 3 tcp4 192.168.0.1:80 *:* root bandwidthd 891 4 dgram -> /var/run/logpriv root bandwidthd 890 4 dgram -> /var/run/logpriv root bandwidthd 889 4 dgram -> /var/run/logpriv root bandwidthd 887 4 dgram -> /var/run/logpriv uucp duende 867 4 dgram -> /var/run/log bind maradns 866 5 udp4 127.0.0.1:53 *:* bind maradns 866 6 udp4 192.168.0.1:53 *:* root httpd 787 3 tcp4 192.168.0.1:80 *:* clamav clamd 778 4 stream /var/run/clamav/clamd root sshd 773 3 tcp4 201.24.73.106:50000 *:* root sshd 773 4 tcp4 192.168.0.1:50000 *:* squid ncsa_auth 770 0 stream -> ?? squid squid 758 5 udp4 *:56839 *:* squid ncsa_auth 765 1 stream -> ?? squid ncsa_auth 764 0 stream -> ?? squid ncsa_auth 764 1 stream -> ?? squid ncsa_auth 763 0 stream -> ?? squid ncsa_auth 763 1 stream -> ?? Se precisarem de mais informacoes e so falar! Obrigado! Cleyton Bertolim. ------------------------- Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
