[FUGSPBR] dmz (problemas)
Márcio Luciano Donada
marcio em lists.slchapeco.org
Dom Abr 25 22:29:35 BRT 2004
Certo Giovanni, mas o servidor passa de um período estável para um período
crítico, de repente, e da mesma maneira que você acessava o site antes,
a partir desse momento de instabilidade acontece esse erro na web (claro,
Access denied, tranquilo, pensei da mesma forma que você); aí o que me
intriga é que se você reiniciar o servidor, ok, tudo volta a ficar estável.
Talvez, para um maior entendimento, seria interessante eu postar para a lista o
firewall e o meu kernel, para maiores esclarecimentos; não sei se o pessoal
da moderação irá liberar, mas desde já agradeço a colaboração dos colegas da
lista. Nessa máquina tenho os serviços de e-mail (25/110) para apenas 1
domínio, web (com 3 domínios), ftp para apenas 5 usuários (de um domínio
apenas) e webmail.
Bom, o kernel está assim:
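machine i386
cpu I686_CPU
ident ALFAWEBMAIL
maxusers 0
# This allows you to actually store this configuration file into
# the kernel binary itself, where it may be later read by saying:
# strings -aout -n 3 /kernel | grep ^___ | sed -e 's/^___//' > MYKERNEL
#
options INCLUDE_CONFIG_FILE # Include this file in kernel
options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
options INET6 #IPv6 communications protocols
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
# NOTE(review): NFS, PROCFS and NETSMB* are kernel attack surface that none
# of the listed services (smtp/pop3, web, ftp, webmail) needs on a DMZ host;
# confirm they are really used before keeping them.
options NFS #Network Filesystem
options NFS_ROOT #NFS usable as root device, NFS required
options MSDOSFS #MS DOS File System
options CD9660 #ISO 9660 Filesystem
options CD9660_ROOT #CD-ROM usable as root, CD9660 required
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options UCONSOLE #Allow users to grab the console
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extentions
options _KPOSIX_PRIORITY_SCHEDULING
options _KPOSIX_VERSION=199309L
options ICMP_BANDLIM #Rate limit bad replies
options KBD_INSTALL_CDEV #install a CDEV entry in /dev
options USER_LDT #allow user-level control of i386 ldt
options NETSMB #SMB/CIFS requester
options NETSMBCRYPTO #encrypted password support for SMB
options LIBMCHAIN #mbuf management library
options LIBICONV #Kernel side iconv library
device isa
device eisa
device pci
# Floppy drives
device fdc0 at isa? port IO_FD1 irq 6 drq 2
device fd0 at fdc0 drive 0
device fd1 at fdc0 drive 1
# ATA and ATAPI devices
device ata0 at isa? port IO_WD1 irq 14
device ata1 at isa? port IO_WD2 irq 15
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID #Static device numbering
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1
device psm0 at atkbdc? irq 12
device vga0 at isa?
# splash screen/screen saver
pseudo-device splash
# syscons is the default console driver, resembling an SCO console
device sc0 at isa?
# Floating point support - do not disable.
device npx0 at nexus? port IO_NPX irq 13
# Power management support (see LINT for more options)
device apm0 at nexus? disable flags 0x20 # Advanced Power Management
# Serial (COM) ports
device sio0 at isa? disable port IO_COM1 flags 0x10 irq 4
device sio1 at isa? disable port IO_COM2 irq 3
device sio2 at isa? disable port IO_COM3 irq 5
device sio3 at isa? disable port IO_COM4 irq 9
# Parallel port
device ppc0 at isa? irq 7
device ppbus # Parallel port bus (required)
device lpt # Printer
device ppi # Parallel port interface device
#device vpo # Requires scbus and da
# PCI Ethernet NICs.
device miibus
# (the original comment described the Intel EtherExpress/fxp driver; sis is
# the SiS 900/7016 driver, which matches the sis0 interface used by the
# firewall script)
device sis # SiS 900/SiS 7016
# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
pseudo-device tun # Packet tunnel.
pseudo-device ppp 1 # Kernel PPP
pseudo-device pty 128 # Pseudo-ttys (telnet etc)
pseudo-device md # Memory "disks"
#pseudo-device gif 4 # IPv6 and IPv4 tunneling
#pseudo-device faith 1 # IPv6-to-IPv4 relaying (translation)
# Sound card driver -- unusual on a DMZ server; confirm the hardware needs it.
device pcm
# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter
options QUOTA # Disk quotas (home)
options NMBCLUSTERS=65536
options MSGBUF_SIZE=1048576
# (duplicate "options SYSVMSG" removed; it is already enabled above)
options MSGMNB=16384
options MSGMNI=41
options MSGSEG=2049
options MSGSSZ=64
options MSGTQL=512
options SHMSEG=16
options SHMMNI=32
options SHMMAX=2097152
options SHMALL=4096
# ipfw: no IPFIREWALL_DEFAULT_TO_ACCEPT, so the default policy is deny.
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
# The firewall script puts "log" on very high-volume rules (all loopback
# traffic, all outbound traffic).  Without a limit every matching packet is
# logged, which under load can flood syslog/console and stall the host.
# Cap log lines per rule; tune via net.inet.ip.fw.verbose_limit at runtime.
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFW2
options RANDOM_IP_ID
options TCP_DROP_SYNFIN
options IPSTEALTH
# (duplicate "options INCLUDE_CONFIG_FILE" and "options IPFIREWALL_VERBOSE"
# removed; both are already set above)
options DUMMYNET
options SC_NORM_ATTR="(FG_WHITE|BG_BLACK)"
options SC_NORM_REV_ATTR="(FG_YELLOW|BG_BLUE)"
options SC_KERNEL_CONS_ATTR="(FG_BLUE|BG_BLACK)"
options SC_KERNEL_CONS_REV_ATTR="(FG_BLACK|BG_BLUE)"
options SC_DISABLE_REBOOT
options SC_NO_HISTORY
options SC_DISABLE_DDBKEY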
e o firewall, dessa forma:
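#
# By Marcio Luciano Donada
#
# ipfw rule set for the DMZ host (smtp/pop3, web, ftp, webmail).  The kernel
# is built without IPFIREWALL_DEFAULT_TO_ACCEPT, so anything not matched by a
# rule below is dropped by the implicit default-deny.  ipfw is first-match:
# rule order decides.  Rules without an explicit number are appended in the
# order they appear here.
#
# NOTE(review): every "log" keyword in this file is unlimited because the
# kernel sets no IPFIREWALL_VERBOSE_LIMIT.  Rule 100 (all loopback traffic)
# and the "pass log all ... out via ${oif}" rule log every packet they match;
# under load that floods syslog/console and can by itself make the box crawl.
# Set a limit (kernel option or net.inet.ip.fw.verbose_limit) and drop "log"
# from the high-volume pass rules.
#
# NOTE(review): several very broad rules use keep-state.  Each new flow adds a
# dynamic rule; when net.inet.ip.fw.dyn_max is reached ipfw refuses new state
# and drops the packet until old entries expire -- presumably a good match for
# "stable, then suddenly denied, fine again after a reboot".  Compare
# net.inet.ip.fw.dyn_count with dyn_max when the problem occurs.
fwcmd="/sbin/ipfw"
oif="sis0"
oip="200.x.x.38"
rede_ex="200.x.x.0/30"
ip_admin="200.x.x.121"
ip_admin2="200.x.x.34"
ip_admin3="200.x.x.82"
dns1="200.x.x.34"
dns2="200.x.x.35"
# Flush the old rule set first (-f: no confirmation, -q: quiet).
${fwcmd} -fq flush > /dev/null
#Loopback
${fwcmd} add 100 pass log all from any to any via lo0
${fwcmd} add 200 deny log all from any to 127.0.0.0/8
${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any
# NOTE(review): the original comment here read "Block RFC 1918 networks", but
# no rule in this file does that -- packets with private source addresses
# (10/8, 172.16/12, 192.168/16) arriving on ${oif} are not filtered.
# What the next two rules actually do: drop UDP 188 and 520 (RIP), and answer
# the UDP range used by traceroute probes with port-unreachable so traces to
# this host complete instead of timing out.
${fwcmd} add deny log udp from any to ${oip} 188,520
${fwcmd} add unreach port udp from any to ${oip} 33435-33524
# Keep the database off the outside interface.
${fwcmd} add deny tcp from any to me 3306 in via ${oif}
${fwcmd} add deny udp from any to me 3306 in via ${oif}
# Accounting only for smtp/pop3 ("count" never terminates the search).
${fwcmd} add count tcp from any to any 25 in via ${oip}
${fwcmd} add count tcp from any 25 to any in via ${oip}
${fwcmd} add count tcp from any to any 110 in via ${oip}
${fwcmd} add count tcp from any 110 to any in via ${oip}
# Ports dropped outright, in both protocols, before any pass rule can match.
${fwcmd} add deny tcp from any to any 79,27665,31337,32771,32773,32774,6667
${fwcmd} add deny udp from any to any 79,27665,31337,32771,32773,32774,6667
# Anti-spoofing: our own addresses must never arrive from the outside.
${fwcmd} add deny ip from me to any in recv ${oif}
# Outbound connections from this host, with state.
${fwcmd} add allow tcp from me to any setup keep-state
${fwcmd} add allow udp from me to any keep-state
${fwcmd} add 6000 check-state
${fwcmd} add pass log tcp from ${oip} to any out via ${oif} setup keep-state
${fwcmd} add pass log all from any to any out via ${oif} keep-state
${fwcmd} add allow log tcp from any to ${oip} established
# Inbound services.  ssh is restricted to the three admin addresses.
# (this rule was wrapped across two lines in the posted copy, which would
# make the shell run "22 setup keep-state" as a separate command)
${fwcmd} add pass log udp from any to ${oip} 20 keep-state
${fwcmd} add pass log tcp from any to ${oip} 21 setup keep-state
${fwcmd} add pass log udp from any to ${oip} 21 keep-state
${fwcmd} add pass tcp from ${ip_admin},${ip_admin2},${ip_admin3} to ${oip} 22 setup keep-state
${fwcmd} add pass log tcp from any to ${oip} 25 setup keep-state
${fwcmd} add pass log udp from any to ${oip} 53 keep-state
${fwcmd} add pass log tcp from any to ${oip} 53 setup keep-state
${fwcmd} add pass log tcp from any to ${oip} 80 setup keep-state
${fwcmd} add pass log tcp from any to ${oip} 110 setup keep-state
${fwcmd} add pass log tcp from any to ${oip} 443 setup keep-state
${fwcmd} add pass log udp from any to ${oip} 443 keep-state
# Everything to/from the primary DNS server is trusted unconditionally.
${fwcmd} add pass ip from ${dns1} to any
${fwcmd} add pass ip from any to ${dns1}
# NOTE(review): the next two rules admit inbound tcp/udp from anywhere to
# every port from 1024 to 65000, stateless, which bypasses the default-deny
# for anything listening on a high port (only 3306 is explicitly denied
# above).  Presumably meant for passive ftp data / reply traffic -- verify,
# and narrow to the actual passive range or rely on the keep-state rules.
${fwcmd} add pass tcp from any to any 1024-65000
${fwcmd} add pass udp from any to any 1024-65000
${fwcmd} add pass log udp from any to ${dns1} keep-state
${fwcmd} add pass log udp from any to ${dns2} keep-state
${fwcmd} add pass log udp from ${dns1} to any keep-state
${fwcmd} add pass log udp from ${dns2} to any keep-state
${fwcmd} add pass log udp from ${oip} to any keep-state
# ICMP: echo reply/request, unreachable, time exceeded only.
${fwcmd} add pass icmp from any to ${oip} icmptype 0,3,8,11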
Grato pela atenção,
[]'s
Márcio