[FUGSPBR] RE: SSH Travando

William David Armstrong bio em bsd-unix.com.br
Qua Nov 26 11:36:14 BRST 2003 

## Check State
 ${fwcmd} add check-state
${fwcmd} add allow tcp from ${linkip} to any out via ${linkint} setup
keep-state
 ${fwcmd} add allow all from any to any out via ${linkip} keep-state

#########  tenta  tirar esta  e testar
####${fwcmd} add deny tcp from any to ${linkip} established
############

## SSH
${fwcmd} add allow tcp from ${fastlane} to ${linkip} 22  in via fxp0

## Permite qq pacote de conexao TCP ja estabelecida ####
${fwcmd} add allow tcp from any to any established


você tem 2 regars que  se contradizem    uma que nega as conexoes já  
pre- estabelecidas  e  outra  que  libera   não  vejo  o pq  disto

um exemplo que eu uso em um cliente ..

$IPFW add check-state

#ICMP
$IPFW add allow icmp from any to any icmptypes 3,4,8,11 keep-state
$IPFW add deny icmp from any to any keep-state

# NTP
$IPFW add allow udp from 200.144.121.33 123 to any 123 keep-state

# DNS
$IPFW add allow udp from 192.168.1.97 53 to any keep-state
$IPFW add allow udp from 200.203.191.8 53 to any keep-state
$IPFW add allow udp from 200.193.136.60 53 to any keep-state

################################################################
#
#protecoes  rede externa

$IPFW add allow tcp from any to 192.168.200.1 22,80 in via ed1 setup 
keep-state
$IPFW add deny log tcp from any to 192.168.200.1 0-1023 in via ed1 
keep-state

$IPFW add allow udp from any to 192.168.200.1 53,123 in via ed1 keep-state
$IPFW add deny log udp from any to 192.168.200.1 0-1023 in via ed1 
keep-state

$IPFW add allow tcp from any to 192.168.200.1 48000-55000 in via ed1 
keep-state
$IPFW add allow udp from any to 192.168.200.1 48000-55000 in via ed1 
keep-state

$IPFW add allow ip from any to any out via ed1 keep-state

#
#############################################################

############################################################
#
# rede interna

# nega acesso  da rede externa  direto  a rede interna
$IPFW add deny log ip from not 192.168.1.96/27 to any in via ed0 keep-state

############################################
# Libera  micro  Full-Duplex
$IPFW add count  all from any to 192.168.1.100/32
$IPFW add pipe 7 all from any to 192.168.1.100/32

$IPFW add count  all from 192.168.1.100/32 to any
$IPFW add pipe 8 all from 192.168.1.100/32 to any
$IPFW pipe 7 config bw 100Mbit/s
$IPFW pipe 8 config bw 100Mbit/s

##########################################
# Traffic Shaper   Rede 192.168.1.96/27
$IPFW add count  all from 192.168.1.96/27 to any
$IPFW add pipe 13 all from 192.168.1.96/27 to any

$IPFW add count all from any to 192.168.1.96/27
$IPFW add pipe 14 all from any to 192.168.1.96/27
$IPFW pipe 13 config mask dst-ip 0x000000ff bw 10Mbit/s queue 8Kbytes
$IPFW pipe 14 config mask src-ip 0x000000ff bw 10Mbit/s queue 8Kbytes


$IPFW add allow tcp from 192.168.1.96/27 to any in via ed0 setup keep-state
$IPFW add allow udp from 192.168.1.96/27 to any in via ed0 keep-state

$IPFW add allow all from 192.168.1.96/27 to any out via ed0 keep-state


#$IPFW add allow all from any to 192.168.1.96/27 out via ed0 keep-state
#$IPFW add allow all from 192.168.1.96/27 to any in via ed0 keep-state

#
############################################################
############################################################
# nega  tudo
#$IPFW add 65435 allow all from any to any keep-state
$IPFW add 65433 deny log tcp from any to any keep-state
$IPFW add 65434 deny log udp from any to any keep-state
$IPFW add 65435 deny log all from any to any keep-state
$IPFW zero 65535



-- 
-=-=-=-=-=-=-=-=-=-

     William David Armstrong
 .Administrator Bio Systems Security.

http://biohazard.kicks-ass.org:8080/
bio (at) bsd-unix.com.br   bio_wolf (at) yahoo.com
ICQ 102537476     ICQ 27550645


_______________________________________________________________
Sair da Lista: http://lists.fugspbr.org/listinfo.cgi
Historico: http://www4.fugspbr.org/lista/html/FUG-BR/

Mais detalhes sobre a lista de discussão freebsd