[FUG-BR] RES: IPFW-Exemplos
Marcos de Jesus Faria
marcos em pompom.com.br
Fri Nov 24 15:54:48 BRST 2006
Good afternoon Leandro,
Here is a real example, but be VERY careful when putting it into production, since you
need to adapt the rules to your own needs; otherwise you will have problems at boot
and with too many denys and allows.
Here it goes...
#!/bin/sh
# (the original post had "#!/bin/bash" placed after the variables; the script is plain
#  Bourne shell and FreeBSD's base system has no /bin/bash, so it is /bin/sh here)
###############################################################
# ACCESS CONTROL FIREWALL
# VERSION: 1.0
###############################################################
# VARIABLES
iif="ed0"                           # internal interface
eif="xl0"                           # external interface
inet="192.142.0.0/24"               # internal network
IP_SSH="192.142.0.1,192.142.0.2"    # ipfw address list: comma-separated, no spaces
#
# Read rc.conf (firewall_quiet, natd_enable, natd_interface), as /etc/rc.firewall does
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi
setup_loopback () {
    ############
    # Only in rare cases do you want to change these rules
    #
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
if [ -n "${1}" ]; then
    firewall_type="${1}"
fi
############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
    fwcmd="/sbin/ipfw -q"
    ;;
*)
    fwcmd="/sbin/ipfw"
    ;;
esac
############
# Flush out the list before we begin.
#
${fwcmd} -f flush
#${fwcmd} add 1 deny all from any to any
# Loopback rules (the function was defined but never called in the original post)
setup_loopback
############
case ${natd_enable} in
[Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
        ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
    fi
    ;;
esac
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${eif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${eif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${eif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${eif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${eif}
${fwcmd} add deny all from any to 192.168.10.0/24 in via ${eif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${eif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${eif}
# Allow setup of any stream from us to the world
#${fwcmd} add pass all from ${inet} to any via ${eif} keep-state
# Redirect web traffic to the proxy.
${fwcmd} add set 20 allow tcp from me to any 80 keep-state
${fwcmd} add set 20 allow tcp from ${inet} to me 3128 in via ${iif}
${fwcmd} add set 20 fwd 127.0.0.1,3128 tcp from ${inet} to not 200.251.3.2 80 in via ${iif}
${fwcmd} add set 20 deny log tcp from any to me 3128
# Allow ICMP echo request/reply
${fwcmd} add pass icmp from any to any icmptypes 8 keep-state
${fwcmd} add pass icmp from any to any icmptypes 0 keep-state
# Allow outbound HTTPS
${fwcmd} add pass tcp from any to any 443
# DENY AND ALLOW SSH
${fwcmd} add deny log tcp from any to any 22 in via ${eif} keep-state
${fwcmd} add pass tcp from me to any 22 via ${eif} keep-state
${fwcmd} add pass tcp from ${IP_SSH} to me 22 via ${iif} keep-state
${fwcmd} add pass tcp from me to any 22 via ${iif} keep-state
${fwcmd} add reset log tcp from any to any 22
# Let the rest of the internal interface alone.
${fwcmd} add pass all from any to any via ${iif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow access to our DNS
${fwcmd} add pass tcp from any to any 53 setup
${fwcmd} add pass udp from any to any 53
${fwcmd} add pass udp from any 53 to any
# Allow WWW, POP3 and SMTP connection setup
${fwcmd} add pass tcp from any to any 80 setup keep-state
${fwcmd} add pass tcp from any to any 110 setup keep-state
${fwcmd} add pass tcp from any to any 25 setup keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
${fwcmd} add 65534 deny log all from any to any
-----Original Message-----
From: freebsd-bounces em fug.com.br [mailto:freebsd-bounces em fug.com.br] On behalf
of Suprema Informática Ltda
Sent: Friday, 24 November 2006 15:44
To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)"
Subject: [FUG-BR] IPFW-Exemplos
Good people,
I want to know whether anyone has an example of an ipfw firewall with everything
closed, with a few exceptions for some ports,
some ordinary example, something from day to day.
leandro
-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
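Because ipfw is first-match, the order of the SSH, "rest of internal interface", established and catch-all rules in Marcos's script decides what happens to a given packet. The evaluator below is an added example, not code from the post or from FreeBSD: it parses a subset of ipfw rule syntax (action, optional log, protocol, from/to with optional port, in/out, via, setup/established) and reports which rule a packet hits. The RULES are lines taken from the script with iif=ed0 and eif=xl0 expanded; the firewall's own addresses in ME and the packet values are assumed.

```python
import ipaddress

# Added example (not from the post): first-match evaluator for a subset of ipfw
# syntax. RULES are lines from the post with iif=ed0, eif=xl0 expanded; ME is assumed.
ME = {"192.142.0.254", "200.251.3.1"}
RULES = [
    "deny log tcp from any to any 22 in via xl0 keep-state",
    "pass tcp from 192.142.0.1,192.142.0.2 to me 22 via ed0 keep-state",
    "reset log tcp from any to any 22",
    "pass all from any to any via ed0",
    "pass tcp from any to any established",
    "pass tcp from any to any 80 setup keep-state",
    "deny log all from any to any",
]

def addr_match(spec, ip):
    """ipfw address spec: 'any', 'me', or a comma-separated list of hosts/prefixes."""
    return spec == "any" or (spec == "me" and ip in ME) or (spec != "me" and any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(a, strict=False)
        for a in spec.split(",")))

def parse(rule):
    t = rule.split()
    i = 2 if t[1] == "log" else 1
    r = {"action": t[0], "proto": t[i], "sport": None, "dport": None}
    i += 1
    for side, port in (("src", "sport"), ("dst", "dport")):
        r[side], i = t[i + 1], i + 2          # skip 'from' / 'to', take the address
        if i < len(t) and t[i].isdigit():
            r[port], i = int(t[i]), i + 1
    rest = t[i:]                              # in/out, via <iface>, setup, established, ...
    r["dir"] = next((w for w in rest if w in ("in", "out")), None)
    r["via"] = rest[rest.index("via") + 1] if "via" in rest else None
    r["tcp"] = next((w for w in rest if w in ("setup", "established")), None)
    return r

def matches(r, pkt):
    return (r["proto"] in ("all", "ip", pkt["proto"])
            and all(addr_match(r[s], pkt[s]) for s in ("src", "dst"))
            and all(r[p] in (None, pkt[p]) for p in ("sport", "dport"))
            and r["dir"] in (None, pkt["dir"]) and r["via"] in (None, pkt["iface"])
            and (r["tcp"] != "setup" or pkt["flags"] == {"syn"})
            and (r["tcp"] != "established" or bool(pkt["flags"] & {"ack", "rst"})))

def first_match(pkt, rules=RULES):
    """Return (1-based rule index, action) of the first matching rule, as ipfw does."""
    for n, r in enumerate(map(parse, rules), 1):
        if matches(r, pkt):
            return n, r["action"]
    return None, "deny"  # nothing matched: kernel default, deny unless DEFAULT_TO_ACCEPT
```

Running it shows, for instance, that an SSH SYN from an internal host not listed in IP_SSH is caught by the reset rule before the "pass all via ed0" rule, while an ACK-bearing packet from the internet to port 80 passes on the established rule.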