[FUGSPBR] implement firewall
Ali Faiez Taha
aftaha at cirp.usp.br
Thu Apr 24 15:15:45 BRT 2003
Sirs,
I would like to implement a firewall with FreeBSD 4.8.
The type I intend to use is SIMPLE (in /etc/rc.firewall).
The internal network uses IPs 192.168.0.0.
I compiled the kernel with the following options:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
The machines on the internal network are simply Windows clients.
The machine that is on the Internet will only provide SSH and WEBMIN access.
I have the following problem:
- The machines on the internal network (192.168.0.0) cannot reach the external
network.
They cannot access WWW, SSH, etc.
Configuration:
1 - I am using SIMPLE mode in /etc/rc.firewall
2 - The /etc/rc.conf file (partial) looks like this:
sysctl net.inet.ip.forwarding=1
gateway_enable="YES"
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
natd_interface="xl0"
natd_flags=" "
3 - The /etc/rc.firewall file looks like this:
---------------------------------------------------------------------------
# set these to your outside interface network and netmask and ip
oif="ed0"
onet="A.B.C.0"
omask="255.255.254.0"
oip="A.B.C.100"
# set these to your inside interface network and netmask and ip
iif="xl0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"
setup_loopback
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
        ${fwcmd} add divert natd all from any to any via ${natd_interface}
    fi
    ;;
esac
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
${fwcmd} add pass tcp from any to ${oip} 22 setup
${fwcmd} add pass all from 192.168.0.0/24 to any via ${oif}
# Allow IP fragments to pass through
# ${fwcmd} add pass all from any to any frag
# Allow setup of incoming ftp
# ${fwcmd} add pass tcp from any to ${oip} 20 setup
# ${fwcmd} add pass tcp from any 20 to ${oip} 1023-65535
# ${fwcmd} add pass tcp from any to ${oip} 21 setup
# Allow setup of incoming ssh
${fwcmd} add pass tcp from any to ${oip} 22 setup
# I ADDED THESE RULES #
# Allow setup of outgoing ssh
${fwcmd} add pass tcp from ${inet} to ${oip} 22
${fwcmd} add pass udp from ${inet} to ${oip} 22
${fwcmd} add pass tcp from ${iip} to ${inet}:${imask} 22
${fwcmd} add pass udp from ${iip} to ${inet}:${imask} 22
${fwcmd} add pass tcp from ${inet}:${imask} 22 to ${oip}
${fwcmd} add pass udp from ${inet}:${imask} 22 to ${oip}
${fwcmd} add pass tcp from ${inet}:${imask} 22 to ${onet}
${fwcmd} add pass udp from ${inet}:${imask} 22 to ${onet}
# Allow setup of incoming telnet
# ${fwcmd} add pass tcp from any to ${oip} 23 setup
# Allow setup of incoming email
# ${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
# ${fwcmd} add pass tcp from any to ${oip} 53 setup
# ${fwcmd} add pass udp from any to ${oip} 53
# ${fwcmd} add pass udp from ${oip} 53 to any
# Allow access to our WWW
# ${fwcmd} add pass tcp from any to ${oip} 80 setup
${fwcmd} add pass tcp from any to ${oip} 10000 setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# Allow access to our DNS
# ${fwcmd} add pass tcp from any to ${oip} 53 setup
# ${fwcmd} add pass udp from any to ${oip} 53
# ${fwcmd} add pass udp from ${oip} 53 to any
# Allow NTP queries out in the world
# ${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Allow udp traceroute and talk, in addition to traceroute
${fwcmd} add pass udp from any to ${onet}:${omask} 33434-33689
${fwcmd} add pass udp from any to ${onet}:${omask} 518
${fwcmd} add pass udp from any 518 to ${onet}:${omask}
--------------------------------------------------------------------------
QUESTIONS:
1 - What rule, or what kind of rule, is needed so that the internal network
can reach SSH services on networks with valid IPs?
2 - I am not managing to see the firewall logs. What is missing for the
logs to show what is happening? What has to be changed in the
kernel?
That's all for now.
Thanks for any help...
_______________________________________________________________
Leave the list: http://www2.fugspbr.org/mailman/listinfo/fugspbr
Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
More details about the freebsd mailing list
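A static consistency check over the settings quoted in the post above, added here as an example and not part of the original message or of FreeBSD's own rc scripts. It reads rc.conf, rc.firewall and kernel-config text and flags three things a reviewer would look at first: natd_interface (xl0) not being the outside interface oif (ed0), so natd diverts on the LAN side; a rule written as `{oif}` with no `$`, which the shell leaves as literal text; and a rule naming `${inet}` without `:${imask}`, which ipfw reads as the single host 192.168.0.0 rather than the LAN. It also confirms that any `log` rule has IPFIREWALL_VERBOSE compiled in. The `*_SAMPLE` strings are constructed from the post; the `*_FIXED` strings, the function names and the file layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): static lint over the
# rc.conf / rc.firewall / kernel-config text of an ipfw SIMPLE setup.
# *_SAMPLE strings are constructed from the post; *_FIXED strings are
# this example's corrected counterparts.

RC_CONF_SAMPLE='gateway_enable="YES"
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
natd_interface="xl0"
natd_flags=" "'

RC_FW_SAMPLE='oif="ed0"
oip="A.B.C.100"
iif="xl0"
inet="192.168.0.0"
imask="255.255.255.0"
${fwcmd} add divert natd all from any to any via ${natd_interface}
${fwcmd} add pass all from 192.168.0.0/24 to any via {oif}
${fwcmd} add pass tcp from ${inet} to ${oip} 22
${fwcmd} add deny log tcp from any to any in via ${oif} setup'

KERNEL_SAMPLE='options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT'

RC_CONF_FIXED='natd_enable="YES"
natd_interface="ed0"'

RC_FW_FIXED='oif="ed0"
oip="A.B.C.100"
inet="192.168.0.0"
imask="255.255.255.0"
${fwcmd} add divert natd all from any to any via ${natd_interface}
${fwcmd} add pass all from ${inet}:${imask} to any via ${oif}
${fwcmd} add deny log tcp from any to any in via ${oif} setup'

# get_var NAME TEXT: value of the first NAME="value" line in TEXT
get_var() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# natd has to divert on the outside interface: natd_interface must equal oif.
check_nat_iface() {
    [ -n "$(get_var natd_interface "$1")" ] &&
    [ "$(get_var natd_interface "$1")" = "$(get_var oif "$2")" ]
}

# Rules written as {name} instead of ${name}: the shell does not expand them,
# so ipfw receives the literal braces instead of an interface name.
count_unexpanded() {
    printf '%s\n' "$1" | grep -c 'add .*[^$]{[a-z_]*}' || true
}

# Rules using ${inet} with no :${imask} or /prefix: ipfw treats a bare
# address as a single host (192.168.0.0), not the whole LAN.
count_hostonly_inet() {
    printf '%s\n' "$1" | grep -c 'from \${inet} ' || true
}

# 'log' rules only produce output when the kernel has IPFIREWALL_VERBOSE.
check_log_support() {
    if printf '%s\n' "$1" | grep -q ' log '; then
        printf '%s\n' "$2" | grep -q '^options[[:space:]]*IPFIREWALL_VERBOSE$'
    fi
}

# lint_firewall RCCONF RCFW KERNEL: one line per finding on stderr,
# number of findings on stdout.
lint_firewall() {
    n=0
    if ! check_nat_iface "$1" "$2"; then
        echo "natd_interface=$(get_var natd_interface "$1") but oif=$(get_var oif "$2"): natd diverts on the inside interface" >&2
        n=$((n + 1))
    fi
    u=$(count_unexpanded "$2")
    if [ "$u" -gt 0 ]; then
        echo "$u rule(s) reference {name} without a leading \$" >&2
        n=$((n + u))
    fi
    h=$(count_hostonly_inet "$2")
    if [ "$h" -gt 0 ]; then
        echo "$h rule(s) use \${inet} without a mask (matches only host 192.168.0.0)" >&2
        n=$((n + h))
    fi
    if ! check_log_support "$2" "$3"; then
        echo "log rules present but kernel lacks IPFIREWALL_VERBOSE" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

echo "posted settings:    $(lint_firewall "$RC_CONF_SAMPLE" "$RC_FW_SAMPLE" "$KERNEL_SAMPLE") finding(s)"
echo "corrected settings: $(lint_firewall "$RC_CONF_FIXED" "$RC_FW_FIXED" "$KERNEL_SAMPLE") finding(s)"
```

Run against the posted text it reports three findings and against the corrected text none. The kernel check passes for the posted options, so missing log output is not a compile-time problem here; ipfw `log` lines go to syslog under the `security` facility, which the stock FreeBSD syslog.conf writes to /var/log/security.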