[FUGSPBR] implementing a firewall

Renato Botelho renato at galle.com.br
Thu Apr 24 18:14:32 BRT 2003


What does your rc.conf look like?
It should look more or less like this:

firewall_enable="YES"
firewall_type="SIMPLE"

natd_enable="YES"
natd_interface="fxp0"

where fxp0 is your external interface, which may be rl0, ed0, xl0......

Try that; if it doesn't work, send us your rc.conf so we can take a look.

Regards,

Renato
----- Original Message ----- 
From: "Ali Faiez Taha" <aftaha at cirp.usp.br>
To: "FreeBSD users list" <fugspbr at fugspbr.org>
Sent: Thursday, April 24, 2003 3:15 PM
Subject: [FUGSPBR] implementar firewall


> Sirs,
>
> I would like to set up a firewall with FreeBSD 4.8.
> The type I intend to use is SIMPLE (in /etc/rc.firewall).
> The internal network uses 192.168.0.0 addresses.
>
> I compiled the kernel with the following options:
>
> options         IPFIREWALL
> options         IPFIREWALL_VERBOSE
> options         IPFIREWALL_VERBOSE_LIMIT=100
> options         IPDIVERT
>
> The machines on the internal network are simply Windows clients.
> The machine that is on the Internet will only provide SSH and WEBMIN access.
>
> I have the following problem:
>
>  - The machines on the internal network (192.168.0.0) cannot reach the
> external network.
> They cannot get WWW, SSH, etc. access.
>
> Configuration:
>
> 1 - I am using SIMPLE mode in /etc/rc.firewall
>
> 2 - The /etc/rc.conf file (partial) looks like this:
>
> sysctl net.inet.ip.forwarding=1
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="SIMPLE"
> natd_enable="YES"
> natd_interface="xl0"
> natd_flags=" "
>
> 3 - The /etc/rc.firewall file looks like this:
> ---------------------------------------------------------------------------
>
>  # set these to your outside interface network and netmask and ip
>         oif="ed0"
>         onet="A.B.C.0"
>         omask="255.255.254.0"
>         oip="A.B.C.100"
>
>         # set these to your inside interface network and netmask and ip
>         iif="xl0"
>         inet="192.168.0.0"
>         imask="255.255.255.0"
>         iip="192.168.0.1"
>
>         setup_loopback
>
>         # Stop spoofing
>         ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
>         ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
>
>         # Stop RFC1918 nets on the outside interface
>         ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
>         ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
>         ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
>         # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
>         # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
>         # on the outside interface
>         ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
>         ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
>         ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
>         ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
>         ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
>
>         # Network Address Translation.  This rule is placed here deliberately
>         # so that it does not interfere with the surrounding address-checking
>         # rules.  If for example one of your internal LAN machines had its IP
>         # address set to 192.0.2.1 then an incoming packet for it after being
>         # translated by natd(8) would match the `deny' rule above.  Similarly
>         # an outgoing packet originated from it before being translated would
>         # match the `deny' rule below.
>         case ${natd_enable} in
>         [Yy][Ee][Ss])
>         if [ -n "${natd_interface}" ]; then
>         ${fwcmd} add divert natd all from any to any via ${natd_interface}
>                 fi
>                 ;;
>         esac
>
>  # Stop RFC1918 nets on the outside interface
>         ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
>         ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
>         ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
>
>         # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
>         # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
>         # on the outside interface
>         ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
>         ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
>         ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
>         ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
>         ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
>
>         # Allow TCP through if setup succeeded
>         ${fwcmd} add pass tcp from any to any established
>         ${fwcmd} add pass tcp from any to ${oip} 22 setup
>         ${fwcmd} add pass all from 192.168.0.0/24 to any via {oif}
>
>         # Allow IP fragments to pass through
> #       ${fwcmd} add pass all from any to any frag
>
>         # Allow setup of incoming ftp
> #        ${fwcmd} add pass tcp from any to ${oip} 20 setup
> #        ${fwcmd} add pass tcp from any 20 to ${oip} 1023-65535
> #        ${fwcmd} add pass tcp from any to ${oip} 21 setup
>
>         # Allow setup of incoming ssh
>         ${fwcmd} add pass tcp from any to ${oip} 22 setup
>
> # I ADDED THESE RULES #
>      # Allow setup of outgoing ssh
>         ${fwcmd} add pass tcp from ${inet} to ${oip} 22
>         ${fwcmd} add pass udp from ${inet} to ${oip} 22
>         ${fwcmd} add pass tcp from ${iip} to ${inet}:${imask} 22
>         ${fwcmd} add pass udp from ${iip} to ${inet}:${imask} 22
>         ${fwcmd} add pass tcp from ${inet}:${imask} 22 to ${oip}
>         ${fwcmd} add pass udp from ${inet}:${imask} 22 to ${oip}
>         ${fwcmd} add pass tcp from ${inet}:${imask} 22 to ${onet}
>         ${fwcmd} add pass udp from ${inet}:${imask} 22 to ${onet}
>
>         # Allow setup of incoming telnet
> #        ${fwcmd} add pass tcp from any to ${oip} 23 setup
>
>         # Allow setup of incoming email
> #        ${fwcmd} add pass tcp from any to ${oip} 25 setup
>
>         # Allow access to our DNS
> #        ${fwcmd} add pass tcp from any to ${oip} 53 setup
> #       ${fwcmd} add pass udp from any to ${oip} 53
> #        ${fwcmd} add pass udp from ${oip} 53 to any
> # Allow access to our WWW
> #        ${fwcmd} add pass tcp from any to ${oip} 80 setup
>         ${fwcmd} add pass tcp from any to ${oip} 10000 setup
>
>         # Reject&Log all setup of incoming connections from the outside
>        ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
>         # Allow setup of any other TCP connection
>         ${fwcmd} add pass tcp from any to any setup
>
>         # Allow access to our DNS
> #        ${fwcmd} add pass tcp from any to ${oip} 53 setup
> #        ${fwcmd} add pass udp from any to ${oip} 53
> #        ${fwcmd} add pass udp from ${oip} 53 to any
>
>         # Allow NTP queries out in the world
> #       ${fwcmd} add pass udp from ${oip} to any 123 keep-state
>
>         # Allow udp traceroute, and talk in addition to traceroute
>         ${fwcmd} add pass udp from any to ${onet}:${omask} 33434-33689
>         ${fwcmd} add pass udp from any to ${onet}:${omask} 518
>         ${fwcmd} add pass udp from any 518 to ${onet}:${omask}
>
> --------------------------------------------------------------------------
>
> QUESTIONS:
>
> 1 - What rule, or what kind of rule, is needed so that the internal network
> can reach SSH services on networks with valid IPs?
>
> 2 - I cannot see the firewall logs. What is missing for the logs to show
> what is happening? What has to be changed in the kernel?
>
>
> That's all for now.
>
> Thanks for any help...
> _______________________________________________________________
> Leave the list: http://www2.fugspbr.org/mailman/listinfo/fugspbr
> Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
>
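The thread turns on three things that can be checked mechanically: whether natd_interface in rc.conf names the same interface as oif in rc.firewall (the quoted files say xl0 and ed0, and the reply stresses that natd must sit on the external interface), whether every rule variable is spelled ${name} rather than {name} (one quoted rule reads `via {oif}`), and whether rc.conf variable names are lowercase (rc.conf is sourced by sh, so firewall_TYPE is not firewall_type). The script below is an added example, not code from the list or from either poster; the file contents, temporary paths and function names are constructed here so it runs stand-alone, and nothing is read from a live system.

```shell
#!/bin/sh
# Consistency checks for an ipfw "SIMPLE" + natd gateway, written against the
# configuration quoted in this thread. Added example, not code from the list.
# Every input file is constructed below so the script runs stand-alone.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed rc.conf with the values the original poster quoted.
RC_CONF="$WORK/rc.conf"
cat > "$RC_CONF" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
natd_interface="xl0"
natd_flags=" "
EOF

# Constructed rc.conf with a mis-cased name: rc.conf is sourced by sh, whose
# variables are case-sensitive, so rc.firewall never sees firewall_TYPE.
RC_CONF_BAD="$WORK/rc.conf.bad"
cat > "$RC_CONF_BAD" <<'EOF'
firewall_enable="YES"
firewall_TYPE="SIMPLE"
EOF

# Constructed excerpt of the quoted rc.firewall SIMPLE section.
RC_FW="$WORK/rc.firewall"
cat > "$RC_FW" <<'EOF'
oif="ed0"
iif="xl0"
${fwcmd} add divert natd all from any to any via ${natd_interface}
${fwcmd} add pass all from 192.168.0.0/24 to any via {oif}
${fwcmd} add deny log tcp from any to any in via ${oif} setup
EOF

# rc_var FILE NAME: print the value of the last NAME="value" line in FILE
# (exact, case-sensitive match, as sh itself would do).
rc_var() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# check_natd_interface RC_CONF RC_FIREWALL
# The divert rule must sit on the outside interface (oif), where natd(8)
# rewrites the inside addresses; the reply in this thread makes the same point.
check_natd_interface() {
    natd_if=$(rc_var "$1" natd_interface)
    oif=$(rc_var "$2" oif)
    if [ -n "$natd_if" ] && [ "$natd_if" = "$oif" ]; then
        return 0
    fi
    echo "natd_interface=\"$natd_if\" does not match oif=\"$oif\" in rc.firewall" >&2
    return 1
}

# count_unexpanded_vars RC_FIREWALL
# Print how many rule lines contain {name} without a leading '$'. sh passes
# such a token to ipfw literally, so the rule does not do what it reads as.
count_unexpanded_vars() {
    grep -c '[^$]{[A-Za-z_][A-Za-z0-9_]*}' "$1" || true
}

# count_miscased_vars RC_CONF
# Print how many assignments have a capital letter in the variable name.
count_miscased_vars() {
    grep -c '^[[:space:]]*[a-z_]*[A-Z][A-Za-z0-9_]*=' "$1" || true
}

# Run the checks over the constructed files.
check_natd_interface "$RC_CONF" "$RC_FW" || echo "natd interface check: FAIL"
echo "rules with unexpanded {var}: $(count_unexpanded_vars "$RC_FW")"
echo "mis-cased rc.conf names:     $(count_miscased_vars "$RC_CONF_BAD")"
```

On a real gateway, point the functions at /etc/rc.conf and /etc/rc.firewall instead of the constructed files. On the second question in the thread: ipfw only produces log entries for rules that carry the `log` keyword, and only when the kernel has IPFIREWALL_VERBOSE (present in the quoted kernel options) and the sysctl `net.inet.ip.fw.verbose` is 1; `sysctl net.inet.ip.fw.verbose` shows the current value, and the entries are delivered through syslogd.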



