[FUGSPBR] Firewall close !
Gilliatt
gilliatt at unsigned.eti.br
Thu Jun 26 14:25:20 BRT 2003
Hi folks,
I already have some firewall rules running. But when I implemented the firewall I created open-close rules.
Today, however, there is a need for a real close-open firewall, since we have users on the network using Kazaa and other P2P. So I started rewriting the firewall; I'm monitoring the connections with tcpdump and writing the rules.
But when I bring the rules up, the clients' connections get blocked. I'd like to know what I'm doing wrong when creating the rules... if anyone can help me...
I'd be very grateful :)
[]'s
Gilliatt
#!/bin/sh
# -q keeps ipfw quiet while rules are added (it also hides most add errors)
fwcmd="/sbin/ipfw -q"
fwclean="/sbin/ipfw -f"
email="49.12"
# Placeholder: ${web} is used below but was never defined in the original script.
# Set it to the address of the mail server the clients talk to.
web="MAIL_SERVER_IP_PLACEHOLDER"
# -f is already part of ${fwclean}; flush without asking for confirmation
${fwclean} flush
# Parameters for the outside (output) interface
oif="xl0"
onet="200.207.10.6/26"
omask="27"
oip="200.206.102.66"
# Parameters for the inside (input) interface
iif="fxp0"
inet="192.168.48.0/24"
inetalias="192.168.49.0/24"
imask="32"
iip="192.168.0.1"
iipalias="192.168.1.1"
# Rule numbers go after "add" (ipfw add [number] action ...)
# Allow loopback traffic; drop 127/8 seen anywhere else
${fwcmd} add 10 pass ip from any to any via lo0
${fwcmd} add 20 deny ip from any to 127.0.0.0/8
${fwcmd} add 30 deny ip from 127.0.0.0/8 to any
# Anti-spoofing: inside addresses must not arrive on the outside interface, and vice versa
${fwcmd} add 40 deny ip from ${inet} to any in via ${oif}
${fwcmd} add 50 deny ip from ${onet} to any in via ${iif}
${fwcmd} add 60 deny ip from ${inetalias} to any in via ${oif}
# Block traffic to the RFC 1918 reserved networks on the outside interface
${fwcmd} add 70 deny ip from any to 10.0.0.0/8 via ${oif}
${fwcmd} add 80 deny ip from any to 172.16.0.0/12 via ${oif}
${fwcmd} add 90 deny ip from any to 192.168.0.0/16 via ${oif}
# Allow outbound traffic from the high ports 1024:65535 (firewall's own addresses)
${fwcmd} add 100 pass tcp from ${oip} 1024:65535 to any out via ${oif}
${fwcmd} add 110 pass tcp from ${iip} 1024:65535 to any out via ${iif}
${fwcmd} add 120 pass tcp from ${iipalias} 1024:65535 to any out via ${iif}
${fwcmd} add 130 pass udp from ${oip} 1024:65535 to any out via ${oif}
${fwcmd} add 140 pass udp from ${iip} 1024:65535 to any out via ${iif}
${fwcmd} add 150 pass udp from ${iipalias} 1024:65535 to any out via ${iif}
# Rules allowing Jkexpress mail checking: POP3 and SMTP replies from the mail server
${fwcmd} add pass tcp from ${web} 110 to ${oip} in via ${oif}
${fwcmd} add pass tcp from ${web} 25 to ${oip} in via ${oif}
# Allow Jkexpress mail checking for the listed hosts (192.168.<client>)
for client in ${email}
do
${fwcmd} add pass tcp from 192.168.${client} to ${web} 110 in via ${iif}
${fwcmd} add pass tcp from ${web} 110 to 192.168.${client} out via ${iif}
${fwcmd} add pass tcp from 192.168.${client} to ${web} 25 in via ${iif}
${fwcmd} add pass tcp from ${web} 25 to 192.168.${client} out via ${iif}
done
########## Enabling full NAT ###########################################################
echo "Abilitando o NAT nas regras de Firewall..."
${fwcmd} add divert natd all from any to any via ${oif}
######### Accepting already established connections ################################################
${fwcmd} add pass tcp from any to any established
######### Accepting fragments ##############################################################
${fwcmd} add pass all from any to any frag
######## Accepting DNS traffic, internal network and Internet ######################################
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
${fwcmd} add pass tcp from any to ${web} 53 setup
${fwcmd} add pass udp from any to ${web} 53
${fwcmd} add pass udp from ${web} 53 to any
${fwcmd} add pass tcp from any to ${iip} 53 setup
${fwcmd} add pass udp from any to ${iip} 53
${fwcmd} add pass udp from ${iip} 53 to any
${fwcmd} add pass tcp from any to ${iipalias} 53 setup
${fwcmd} add pass udp from any to ${iipalias} 53
${fwcmd} add pass udp from ${iipalias} 53 to any
# Final catch-all: anything not explicitly allowed above is dropped
${fwcmd} add 65000 deny all from any to any
_______________________________________________________________
Leave the list: http://www2.fugspbr.org/mailman/listinfo/fugspbr
Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
More details about the freebsd discussion list
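The following is an added example, not part of Gilliatt's post and not FreeBSD's own ipfw code: a small Python model of ipfw's first-match evaluation loaded with the main rules from the script above. It walks two packets through the rule list in number order, the first SYN of an ordinary LAN workstation arriving in via fxp0 and the POP3 connection of the one host covered by the for-loop, and reports which rule decides each. The names Packet, Rule, matches and first_match are the example's own; the LAN client address, the remote web server and WEB (a stand-in for the script's undefined ${web}) are constructed values. It assumes ipfw's documented meaning of `setup` (SYN without ACK) and `established` (ACK or RST set).

```python
"""Constructed model of ipfw first-match evaluation over the rules in the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str            # interface the packet crosses
    direction: str        # "in" or "out"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    num: int
    action: str                               # "pass", "deny" or "divert"
    proto: str = "ip"                         # "ip"/"all" match every protocol
    src: str = "any"                          # address or CIDR, "any" = wildcard
    dst: str = "any"
    sports: Optional[Tuple[int, int]] = None  # inclusive source port range
    dports: Optional[Tuple[int, int]] = None
    direction: Optional[str] = None           # "in", "out" or None for both
    iface: Optional[str] = None               # "via" interface, None for any
    opt: Optional[str] = None                 # "setup", "established" or None


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(rng: Optional[Tuple[int, int]], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(r: Rule, p: Packet) -> bool:
    """Every clause of the rule must hold; ipfw ANDs its options together."""
    if r.proto not in ("ip", "all") and r.proto != p.proto:
        return False
    if not (_addr_ok(r.src, p.src) and _addr_ok(r.dst, p.dst)):
        return False
    if not (_port_ok(r.sports, p.sport) and _port_ok(r.dports, p.dport)):
        return False
    if r.direction and r.direction != p.direction:
        return False
    if r.iface and r.iface != p.iface:
        return False
    if r.opt == "setup" and not (p.proto == "tcp" and p.syn and not p.ack):
        return False          # setup = SYN without ACK, a new connection
    if r.opt == "established" and not (p.proto == "tcp" and p.ack):
        return False          # established = ACK (or RST) set, never a bare SYN
    return True


def first_match(rules: List[Rule], p: Packet) -> Rule:
    """ipfw walks rules in number order and the first match decides."""
    for r in sorted(rules, key=lambda x: x.num):
        if matches(r, p):
            return r
    raise RuntimeError("fell through; ipfw's implicit rule 65535 would apply")


# Values from the post; WEB stands in for the undefined ${web} (constructed).
OIF, IIF = "xl0", "fxp0"
OIP, ONET = "200.206.102.66", "200.207.10.6/26"
IIP, INET, INETALIAS = "192.168.0.1", "192.168.48.0/24", "192.168.49.0/24"
WEB = "198.51.100.10"

RULES = [
    Rule(10, "pass", iface="lo0"),
    Rule(20, "deny", dst="127.0.0.0/8"),
    Rule(30, "deny", src="127.0.0.0/8"),
    Rule(40, "deny", src=INET, direction="in", iface=OIF),
    Rule(50, "deny", src=ONET, direction="in", iface=IIF),
    Rule(60, "deny", src=INETALIAS, direction="in", iface=OIF),
    Rule(70, "deny", dst="10.0.0.0/8", iface=OIF),
    Rule(80, "deny", dst="172.16.0.0/12", iface=OIF),
    Rule(90, "deny", dst="192.168.0.0/16", iface=OIF),
    Rule(100, "pass", "tcp", src=OIP, sports=(1024, 65535), direction="out", iface=OIF),
    Rule(110, "pass", "tcp", src=IIP, sports=(1024, 65535), direction="out", iface=IIF),
    Rule(200, "pass", "tcp", src="192.168.49.12", dst=WEB, dports=(110, 110),
         direction="in", iface=IIF),
    Rule(210, "pass", "tcp", src=WEB, sports=(110, 110), dst="192.168.49.12",
         direction="out", iface=IIF),
    Rule(300, "divert", iface=OIF),             # divert natd ... via xl0
    Rule(400, "pass", "tcp", opt="established"),
    Rule(500, "pass", "udp", dst=OIP, dports=(53, 53)),
    Rule(65000, "deny"),
]


def lan_client_syn(src: str = "192.168.48.20") -> Rule:
    """A LAN workstation's first SYN to a web server, arriving in via fxp0."""
    return first_match(RULES, Packet("tcp", src, "203.0.113.5", IIF, "in",
                                     sport=3456, dport=80, syn=True))


def email_host_pop3() -> Rule:
    """The one host covered by the for-loop, opening a POP3 connection."""
    return first_match(RULES, Packet("tcp", "192.168.49.12", WEB, IIF, "in",
                                     sport=3457, dport=110, syn=True))


if __name__ == "__main__":
    for name, r in (("LAN client SYN", lan_client_syn()), ("49.12 POP3", email_host_pop3())):
        print(f"{name}: rule {r.num} {r.action}")
```

In this model the workstation's SYN reaches rule 65000: every pass rule on fxp0 before it is either `out via`, tied to the firewall's own addresses, or tied to 192.168.49.12, and `established` cannot match a bare SYN, so a new LAN connection has nothing to match before the final deny. The 49.12 host's POP3 SYN is accepted by its explicit rule, which is the contrast a close-open rule set needs to make visible for every client flow that is supposed to pass.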