[FUGSPBR] pf help!
P Neves
patneves at megamail.pt
Wed Dec 8 15:39:19 BRST 2004
Hello!
I need a little bit of help!
What pf.conf ruleset should I have to protect myself at least minimally? I installed FreeBSD 5.3 on a machine to act as NAT and firewall. I used the ruleset from www.open-pt.org, but I don't know whether it's right or not. FTP doesn't work :( and DC++ (it uses port 1412) doesn't either.
I have cable internet (DHCP)!
I've already looked at countless configs, all of them different, and I'm getting desperate!
# define variables
ext_if = "rl0"
int_if = "rl1"
tcp_services = "{ 22, 80 }"
icmp_types = "{ 8, 11 }"
internal_net = "192.168.0.0/24"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set loginterface $ext_if
scrub in all

# nat
nat on $ext_if from $internal_net to any -> ($ext_if)

# Filtering: The good stuff.
# block everything that comes in on the external interface (default policy)
block in on $ext_if all

# stuff to block but not log because it's irritating (DHCP chatter)
block in quick on $ext_if proto { tcp, udp } from any to any port { 67, 68 }
block in quick on $ext_if proto { tcp, udp } from any port { 67, 68 } to any

# loopback stuff is good!
pass in quick on lo0 all

# because these should never appear on a public internet interface
block in quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets

# allow our services
pass in on $ext_if inet proto tcp from any to any port $tcp_services flags S/SAFR keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state
#pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

# Immediate blocks
# fuzz any "nmap" attempt
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA

# don't allow anyone to spoof non-routeable addresses
# (note: these two rules are never reached, the identical "quick" rules above
# already drop the packets, so these spoof attempts are not logged)
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255
Thanks.
Paulo
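For the two things the message says do not work through this NAT box, FTP and inbound DC++ on port 1412, the fragment below is an added example for FreeBSD 5.3's pf; it is not from the original message or from the open-pt.org ruleset. It assumes the LAN DC++ client is 192.168.0.10 (a placeholder) and that the inetd-based ftp-proxy shipped in /usr/libexec is enabled; the variables from the posted ruleset are reused.

```pf
# --- added example fragment, not part of the original post ---
# Assumptions: the DC++ client on the LAN is 192.168.0.10 (placeholder), and
# ftp-proxy is started from inetd with this line in /etc/inetd.conf:
#   ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
ext_if = "rl0"
int_if = "rl1"
internal_net = "192.168.0.0/24"
dc_host = "192.168.0.10"    # placeholder LAN host running DC++
dc_port = "1412"

# FTP: redirect the LAN clients' control connections to the local ftp-proxy,
# which listens on 8021 (its default). The proxy then handles the separate
# data connection, so the firewall does not have to open random high ports.
# Translation (nat/rdr) rules must come before the filter rules.
rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8021

# DC++ active mode: connections arriving on 1412 are forwarded to one LAN host.
# ($ext_if) is used because the external address comes from DHCP and changes.
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port $dc_port -> $dc_host port $dc_port

# ... the posted nat and block rules go here ...

# The redirected control connection arrives "in on $int_if" and is already
# covered by the posted "pass in on $int_if from $internal_net to any keep state".

# The firewall itself (and therefore the proxy) must be able to open outbound
# TCP connections with state; the posted ruleset has this line commented out,
# so the replies to its own TCP sessions are dropped by "block in on $ext_if all".
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state

# Active-mode FTP data connections come from the server to the proxy. Allow
# them only to sockets owned by the proxy user, not to anything else on the box.
pass in on $ext_if inet proto tcp from any to ($ext_if) user proxy flags S/SA keep state

# After rdr the destination is already $dc_host, so the pass rule matches on it
# and on the one port, nothing broader.
pass in on $ext_if inet proto { tcp, udp } from any to $dc_host port $dc_port keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the rdr lines must sit above the filter section of the posted file, since pf rejects translation rules placed after filter rules.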