[FUGSPBR] IPFW: some details and an analysis of the rules

Leonardo leonardo at webqi.com.br
Wed Oct 31 17:21:31 BRST 2001


Hello,

I have been using FreeBSD 4.4 for a month. I configured ipfw and
everything is working, except that FTP downloads to the internal network
from the machine running natd are slow; everything else works.
The only thing is that a message shows up on the console from time to
time:

Oct 31 17:06:42 chat natd[196]: failed to write packet back (Permission denied)
Oct 31 17:06:42 chat natd[196]: failed to write packet back (Permission denied)

I imagine it comes from some rule I did not define very well for ipfw, so
I am sending my script below so that colleagues with experience can give
their opinion and tips on what I can improve and/or fix.

There is a rule in the script that I even commented with "FODE O NATD"
(breaks natd), because if I enable it natd stops working; from the IP range
it handles I can even imagine why.

So, to anyone with firewall/natd experience who can help me improve or even
fix the setup below: thanks in advance.


---------------------------------------------------------------------
# rc.ipfw - Firewall Rules

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"

# Outside interface network and netmask and ip
oif="rl0"
onet="200.2x9.228.0"
omask="255.255.252.0"
oip="200.2x9.228.64"

# Inside interface network and netmask and ip
iif="rl1"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

# My ISP's DNS servers
dns1="200.2x9.228.x6"
dns2="200.2x9.228.x5"

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
# BREAKS NATD ("FODE O NATD") !!! ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.

# I PUT THESE TWO BELOW TO SEE IF FTP TO THE INTERNAL NETWORK
# WOULD GET FAST, BUT IT DID NOT HELP
${fwcmd} add 140 pass all from any to ${inet}:${imask} via ${iif}
${fwcmd} add 141 pass all from 200.2x9.228.38 to ${inet}:${imask} via ${iif}

${fwcmd} add 150 divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
# BREAKS NATD ("FODE O NATD") !!! ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

### TCP RULES

# MY APPLICATION SERVER-----------------------------------
${fwcmd} add pass tcp from any to any 20000-23000 in via ${oif} setup

# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup

# SMTP - Allow access to sendmail for incoming e-mail
#${fwcmd} add pass tcp from any to any 25 setup

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
#${fwcmd} add pass tcp from 200.2x9.228.32:255.255.255.248 to any 21 in via ${oif} setup
${fwcmd} add pass tcp from 200.2x9.228.38 to any 21 in via ${oif} setup
${fwcmd} add pass tcp from 192.168.0.2 to any 21 in via ${oif} setup
${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

# SSH Login - Allow & Log all incoming
${fwcmd} add pass tcp from any to any 22 in via ${iif} setup
${fwcmd} add deny log tcp from any to any 22 in via ${oif} setup

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

# Reject & Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup


### UDP RULES

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass log udp from any to any 514 via ${iif}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}

# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any


### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}
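
As an added illustration (my own model, not ipfw and not the poster's script), the Python below simulates the two ipfw behaviours that decide where a packet written back by natd ends up: rules added without a number get the highest number so far plus 100, so the explicitly numbered rules 140/141/150 sort before rule 200 and before every unnumbered address-checking rule, and a packet natd writes back after the divert at 150 resumes at the next rule carrying its translated address, which is exactly the case the script's own NAT comment warns about. The addresses are constructed placeholders for the post's obfuscated ones, and only a subset of the rules is modelled.

```python
import ipaddress
# Added model, not ipfw itself; addresses are constructed placeholders.
OIF, OIP, INSIDE_HOST = "rl0", "203.0.113.64", "192.168.0.2"

class Firewall:
    def __init__(self):
        self.rules = []   # (num, action, proto, src, dst, via, direction)
    def add(self, num, action, proto, src, dst, via=None, direction=None):
        # 'add' with no number gets highest-so-far + 100 (ipfw's default
        # net.inet.ip.fw.autoinc_step), whatever its position in the script.
        if num is None:
            num = max([r[0] for r in self.rules], default=0) + 100
        self.rules.append((num, action, proto, src, dst, via, direction))
        self.rules.sort(key=lambda r: r[0])   # evaluated in numeric order
    @staticmethod
    def matches(rule, pkt):
        _, _, proto, src, dst, via, direction = rule
        return (proto in ("all", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
                and via in (None, pkt["iface"]) and direction in (None, pkt["dir"]))
    def walk(self, pkt):
        """Return (number, action) of the rule that terminates processing."""
        pkt = dict(pkt)
        for rule in self.rules:
            if not self.matches(rule, pkt):
                continue
            if rule[1] != "divert":
                return rule[0], rule[1]
            # natd translates and writes the packet back; ipfw resumes at the next
            # rule, and a deny there is the EACCES natd logs as "Permission denied".
            if pkt["dir"] == "in" and pkt["dst"] == OIP:
                pkt["dst"] = INSIDE_HOST
        return 65535, "deny"   # implicit default rule

def build(with_rfc1918_deny):
    # Subset of the posted script, added in the post's order.
    fw = Firewall()
    fw.add(100, "pass", "all", "0.0.0.0/0", "0.0.0.0/0", "lo0")
    fw.add(200, "deny", "all", "0.0.0.0/0", "127.0.0.0/8")
    fw.add(None, "deny", "all", "192.168.0.0/24", "0.0.0.0/0", OIF, "in")  # anti-spoof
    if with_rfc1918_deny:   # the rule the post says breaks natd
        fw.add(None, "deny", "all", "0.0.0.0/0", "192.168.0.0/16", OIF)
    fw.add(140, "pass", "all", "0.0.0.0/0", "192.168.0.0/24", "rl1")
    fw.add(150, "divert", "all", "0.0.0.0/0", "0.0.0.0/0", OIF)
    fw.add(65000, "deny", "all", "0.0.0.0/0", "0.0.0.0/0", OIF)
    return fw

def inbound_udp_reply(with_rfc1918_deny):
    # Fate of a UDP reply from outside, addressed to the NAT box's outside IP.
    pkt = {"proto": "udp", "src": "203.0.113.9", "dst": OIP, "iface": OIF, "dir": "in"}
    return build(with_rfc1918_deny).walk(pkt)
```

In the model the translated inbound reply is dropped by the 192.168.0.0/16 rule when that rule is enabled and by rule 65000 when it is not; either way natd's write fails with EACCES, which is the "Permission denied" in the console message.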

