[FUG-BR] Security Practices for FreeBSD with DNS

Cristina Fernandes Silva cristinafs.listas em gmail.com
Wed Jul 30 13:29:42 BRT 2008


Folks,

here are my IPFW rules for my DNS server. I would like your review
and suggestions..

I added Guto's rule:
ipfw add allow udp from me 1024-65535 to any 53 out keep-state uid bind

Thanks..

///////////////////////////////////////////////////////////////////////
#!/bin/sh

fwcmd="/sbin/ipfw -q"

oif="fxp0"
onet="200.X.X.0"
omask="255.255.255.192"
oip="200.X.X.X.2"

${fwcmd} -f flush

${fwcmd} add check-state

# Allow SSH access on port 3456
${fwcmd} add pass tcp from any to ${oip} 3456 setup

# Allow ping
${fwcmd} add allow icmp from any to any via ${oif}

# Allow DNS queries
${fwcmd} add pass tcp from any to any 53 setup
${fwcmd} add pass udp from any to any 53
${fwcmd} add pass udp from any 53 to any
${fwcmd} add pass udp from any to any 53 keep-state
${fwcmd} add allow udp from me 1024-65535 to any 53 out keep-state uid bind

# Allow port 80 for updates via fetch
${fwcmd} add pass tcp from any to any 80 keep-state

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Block IP spoofing
${fwcmd} add deny all from ${onet}:${omask} to any in via ${oif}

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Block packets with the Source Routing and Record Route
# IP header options set
${fwcmd} add deny tcp from any to any ipoptions ssrr,lsrr,rr

# Drop 5% of inbound packets, as if there were packet loss
${fwcmd} add prob 0.05 deny in

# Any other traffic will be blocked and logged to the log file
${fwcmd} add deny src-ip ${oip} via ${oif} keep-state

# Block everything
${fwcmd} add 65530 deny ip from any to any

/////////////////////////////////////////////////////////////////////////////////////
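As an added example (not the poster's script and not part of the original message), the same ruleset rebuilt with ordering in mind: ipfw is first-match, so the anti-spoofing deny is loaded before any allow rule, DNS is accepted only for the server's own address, and stateful rules replace the bare `established` match. Interface name, addresses and SSH port are placeholders; set FWCMD=echo to preview the rules without touching the firewall.

```shell
#!/bin/sh
# Ordered IPFW ruleset for a DNS host (added example, not the original script).
# FWCMD=echo prints the rules instead of loading them.
FWCMD="${FWCMD:-/sbin/ipfw -q}"

OIF="fxp0"               # external interface (placeholder)
ONET="192.0.2.0"         # the site's own prefix (RFC 5737 placeholder)
OMASK="255.255.255.192"
OIP="192.0.2.2"          # the DNS server's own address (placeholder)
SSH_PORT="3456"

# Print the rules in the order they must be loaded, one per line.
# Denies that must win (spoofed source, IP options) come before any allow.
dns_rules() {
cat <<EOF
add check-state
add deny ip from ${ONET}:${OMASK} to any in via ${OIF}
add deny tcp from any to any ipoptions ssrr,lsrr,rr
add allow icmp from any to any via ${OIF}
add allow tcp from any to ${OIP} ${SSH_PORT} setup keep-state
add allow udp from any to ${OIP} 53 keep-state
add allow tcp from any to ${OIP} 53 setup keep-state
add allow udp from me 1024-65535 to any 53 out keep-state uid bind
add allow tcp from me to any 80 out setup keep-state
add allow all from any to any frag
add deny log ip from any to any
EOF
}

# Number of rules the ruleset contains.
rule_count() { dns_rules | wc -l | tr -d ' '; }

# Flush the current ruleset, then load every rule through $FWCMD.
apply_rules() {
    ${FWCMD} -f flush
    dns_rules | while read -r rule; do
        ${FWCMD} ${rule}
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run with `FWCMD=echo sh rules.sh --apply` to check the order before loading it for real; the final `deny log` rule records whatever the allows above it did not match, given net.inet.ip.fw.verbose is enabled.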

