[FUG-BR] Port blocking + PF

Fabiano (BiGu) bigu at grupoheringer.com.br
Tue Apr 24 17:00:50 BRT 2007


Hey Cristiano,

Thanks for the tip, it worked great!!!

Cristiano Maynart Pereira wrote:
> Fabiano,
>
>
> Add "keep state" to the end of each "pass" rule:
> pass in quick log proto { tcp udp } from any to $rede_1 port $portas keep state
>
>
> Or allow the return packets through:
> pass in quick log proto { tcp udp } from any port $portas to $rede_1 port > 1024
>
> Cristiano Maynart Pereira
>
>> -----Original Message-----
>> From: freebsd-bounces at fug.com.br
>> [mailto:freebsd-bounces at fug.com.br] On Behalf Of Fabiano (BiGu)
>> Sent: Tuesday, April 24, 2007 11:50
>> To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)"
>> Subject: Re: [FUG-BR] Port blocking + PF
>>
>> Hey Cristiano, I already tried it both of those ways... and nothing,
>>
>> the log shows exactly the block from rule 0...
>>
>> below:
>>
>> 3. 001561 rule 0/0(match): block in on fxp1: 170.66.52.12.443 > x.x.x.x.1924: S 2300128873:2300128873(0) ack 1883772933 win 49640 <mss 1460,nop,nop,sackOK>
>> 6. 003653 rule 0/0(match): block in on fxp1: 170.66.52.12.443 > x.x.x.x.1924: S 2350589401:2350589401(0) ack 1883772933 win 49640 <mss 1460,nop,nop,sackOK>
>> 14. 032887 rule 0/0(match): block in on fxp1: 170.66.52.12.443 > x.x.x.x.1925: S 2483462810:2483462810(0) ack 462237647 win 49640 <mss 1460,nop,nop,sackOK>
>> 2. 986055 rule 0/0(match): block in on fxp1: 170.66.52.12.443 > x.x.x.x.1925: S 2512858784:2512858784(0) ack 462237647 win 49640 <mss 1460,nop,nop,sackOK>
>>
>> and the most interesting part is that the rules are there, fully loaded:
>>
>> gateway# pfctl -s rules |grep https
>> pass in quick on fxp1 inet proto tcp from any to 189.3.221.0/26 port = https
>> pass in quick on fxp1 inet proto udp from any to 189.3.221.0/26 port = https
>> pass in quick on fxp1 inet proto tcp from 189.3.221.0/26 to any port = https
>> pass in quick on fxp1 inet proto udp from 189.3.221.0/26 to any port = https
>> pass out quick on fxp1 inet proto tcp from any to 189.3.221.0/26 port = https
>> pass out quick on fxp1 inet proto udp from any to 189.3.221.0/26 port = https
>> pass out quick on fxp1 inet proto tcp from 189.3.221.0/26 to any port = https
>> pass out quick on fxp1 inet proto udp from 189.3.221.0/26 to any port = https
>>
>>
>> Regards
>>
>> Cristiano Maynart Pereira wrote:
>>> Try putting commas between the ports:
>>>
>>> portas="{ 80, 22, 25 }"
>>>
>>> Or else put the ports directly in the rule:
>>>
>>> $pass in quick log proto { tcp udp } from any to $rede_1 port { 80, 
>>> 22, 25 }
>>>
>>>
>>> It would be better if you sent the block logs.
>>>
>>>
>>> _________________________________________
>>> Cristiano Maynart Pereira
>>>
>>>> -----Original Message-----
>>>> From: freebsd-bounces at fug.com.br
>>>> [mailto:freebsd-bounces at fug.com.br] On Behalf Of Fabiano (BiGu)
>>>> Sent: Tuesday, April 24, 2007 09:12
>>>> To: freebsd at fug.com.br
>>>> Subject: [FUG-BR] Port blocking + PF
>>>>
>>>> Hey list,
>>>>
>>>> I've got something here that's been puzzling me...
>>>>
>>>> I set up my pf.conf with a block in and block out policy
>>>>
>>>> and made a list of some ports that I want to open for a particular
>>>> network:
>>>>
>>>> rede_1 = "x.x.x.x/x"
>>>> portas="{ 80 22 25 53 110 143 443 3128 3389 5000 5900 }"
>>>>
>>>> And I wrote the following rules:
>>>>
>>>> $pass in quick log proto { tcp udp } from any to $rede_1 \
>>>>        port $portas
>>>> $pass in quick log proto { tcp udp } from $rede_1 to any \
>>>>        port $portas
>>>> $pass out quick log proto { tcp udp } from any to $rede_1 \
>>>>        port $portas
>>>> $pass out quick log proto { tcp udp } from $rede_1 to any \
>>>>        port $portas
>>>>
>>>>
>>>> In theory, traffic on those ports to that network should
>>>> pass... which isn't happening... it gets stopped at the "block" (according
>>>> to pflog)...
>>>>
>>>> If I remove "port $portas" from the rule, it starts working... but
>>>> it opens everything... I've also tried putting the ports in directly, without the list, just
>>>> a few ports... and nothing...
>>>>
>>>> Any light at the end of the tunnel? hehe
>>>>
>>>> Regards,
>>>>
>>>> Fabiano Heringer
>>>>
>>>>
>>>> -------------------------
>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>> Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd



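As an added example (not the thread's own pf.conf), here is the ruleset in the stateful form Cristiano suggested, with the interface, network and address as placeholders and the port list taken from the original message; the comments explain why the stateless rules drop the SYN-ACKs seen in the pflog output and why the "port > 1024" workaround is the weaker fix:

```pf
# Added example, not the thread's own pf.conf. Interface and network are
# placeholders; the port list is the one from the original message.
ext_if = "fxp1"
rede_1 = "192.0.2.0/26"
portas = "{ 80, 22, 25, 53, 110, 143, 443, 3128, 3389, 5000, 5900 }"

set skip on lo0
block in log all      # this is the "rule 0" that shows up in the pflog lines
block out log all

# Stateless form from the thread (kept commented out): the outgoing SYN to
# port 443 matches, but the SYN-ACK coming back has source port 443 and
# destination port 1924, matches no pass rule, and is dropped by the block.
#   pass out quick on $ext_if proto { tcp udp } from $rede_1 to any port $portas
#
# The "port > 1024" workaround is stateless too: it admits any packet whose
# source port is 443 (or another listed port) to any high port, whether or
# not a host inside ever started a connection.

# Stateful form: the first packet creates a state entry and every later
# packet of that connection, replies included, is matched against the state
# table before the rules. "flags S/SA" limits TCP state creation to the
# initial SYN, so a stray SYN-ACK cannot create state on its own.
pass in  quick log on $ext_if proto tcp from any to $rede_1 port $portas flags S/SA keep state
pass in  quick log on $ext_if proto tcp from $rede_1 to any port $portas flags S/SA keep state
pass out quick log on $ext_if proto tcp from any to $rede_1 port $portas flags S/SA keep state
pass out quick log on $ext_if proto tcp from $rede_1 to any port $portas flags S/SA keep state

# UDP has no flags; the state entry is keyed on the address/port pairs.
pass in  quick log on $ext_if proto udp from any to $rede_1 port $portas keep state
pass in  quick log on $ext_if proto udp from $rede_1 to any port $portas keep state
pass out quick log on $ext_if proto udp from any to $rede_1 port $portas keep state
pass out quick log on $ext_if proto udp from $rede_1 to any port $portas keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; once a host inside opens a connection, `pfctl -s states` should list it and `tcpdump -n -e -ttt -i pflog0` should no longer show the blocked SYN-ACKs. Newer PF releases make keep state (and flags S/SA) the default on pass rules, so on those the thread's original rules would already have behaved this way.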
More information about the freebsd mailing list