[FUG-BR] PF rules for a simple firewall
Sergio Augusto Vladisauskis
sergiovl at gmail.com
Thu May 15 18:17:00 BRT 2008
Folks, I put together these pf rules for a fairly simple firewall, but I
can't reach ssh from the internal network. Can anyone tell me what I
screwed up?
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# ----- macros -----
ext_if="vr0"                # external interface of the firewall, eg {fxp0}
int_if="rl0"                # internal interface of the firewall, eg {fxp1}
vpn_if="tun0"               # OpenVPN interface
internal_net="10.0.0.0/24"
webserver="10.0.0.2"

# ----- options -----
set block-policy return     # blocked TCP answers with RST, blocked UDP with ICMP unreachable
set loginterface $vpn_if
set optimization aggressive
set skip on lo

# ----- scrub -----
scrub in

# ----- nat/rdr -----
nat on $ext_if from $internal_net to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# "rdr pass": redirected packets are passed without going through the filter rules
rdr pass on $ext_if proto tcp from any to any port ftp -> $webserver port 21    # ftp proxy
rdr pass on $ext_if proto tcp from any to any port www -> $webserver port 80    # apache
rdr pass on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128   # squid
# rdr on $ext_if proto tcp from any to any port www -> $webserver
# table <spamd-white> persist
# no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
# rdr pass on $ext_if proto tcp from any to any port smtp -> $webserver port spamd

# ----- protections -----
# default deny in both directions; later rules open what is needed
block in log all
block out log all
# block private networks arriving on the external interface
block in log quick on $ext_if from 10.0.0.0/8 to any
block in log quick on $ext_if from 127.0.0.0/8 to any
block in log quick on $ext_if from 172.16.0.0/12 to any
block in log quick on $ext_if from 192.168.0.0/16 to any
# anti-spoof
antispoof for { lo $ext_if $int_if }
# block scanners (passive OS fingerprint match)
block drop in quick on $ext_if from any os { NMAP }
# block brute-force: a source opening more than 5 ssh connections per second
# is added to <brute> and all of its states are flushed
table <brute> persist
block log quick from <brute>
pass in on $ext_if proto tcp from any to any port ssh keep state \
    (max-src-conn-rate 5/1, overload <brute> flush global)
# block returns: catch-all quick blocks for inbound TCP and UDP on every interface
block return-rst in quick proto tcp from any to any
block return-icmp in quick proto udp from any to any
# block IDS/IPS: <badHosts> is not declared here, it is created empty when referenced
block log quick on $ext_if from <badHosts> to any
block log quick on $ext_if from any to <badHosts>

# ----- filter rules -----
anchor "ftp-proxy/*"
pass out keep state
pass in on $ext_if proto tcp from any to ($ext_if) port { ssh, auth } flags S/SA keep state
pass in on $ext_if proto tcp from any to $webserver port www flags S/SA synproxy state
icmp_types="echoreq"
pass in inet proto icmp all icmp-type $icmp_types keep state
# CARP/PFSYNC
# pass quick proto carp
# pass quick proto pfsync
pass in quick on $int_if
pass in quick on $vpn_if
--
Sergio Augusto Vladisauskis
-> Systems Analyst and Network Administrator
-> Jaboatão dos Guararapes - PE
-> Phone: +55 81 3468 6301
-> Mobile: +55 81 9288 2803
-> Skype: sergiovl-work
-> Registered Linux User: 305281
-------------- next part --------------
A non-text attachment was scrubbed...
Name : not available
Type : application/pgp-signature
Size : 197 bytes
Desc.: This is a digitally signed message part
Url : http://www.fug.com.br/historico/html/freebsd/attachments/20080515/1352c924/attachment.bin
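Editor's note, added here and not part of the original post or any reply to it: the reason SSH from the LAN never gets through can be read off the rule order. pf evaluates rules top to bottom and the last matching rule wins, except that a rule marked quick ends evaluation on the spot. The rule "block return-rst in quick proto tcp from any to any" carries no interface or address restriction, so it matches every inbound TCP packet on every interface, including a LAN host's SYN to port 22 arriving on rl0, and stops evaluation before "pass in quick on $int_if" is ever reached. The same quick block also overrides the non-quick "pass in on $ext_if ... port ssh" above it, so SSH from the outside is blocked as well. Web and Squid keep working only because "rdr pass" hands redirected packets through without consulting the filter rules at all, which cuts both ways: that traffic also skips the antispoof, private-range, NMAP and <badHosts> blocks. The ruleset below is an added, corrected example built from the post's own macros and policy; it is not the author's file. It drops the two catch-all "block return" rules ("set block-policy return" already makes blocked TCP answer with RST and blocked UDP with ICMP unreachable, so they add nothing but the breakage), declares <badHosts> as a persistent table (assumed to be filled from outside with pfctl -t badHosts -T add, and the address used in the comment is a documentation-range placeholder), and turns the "rdr pass" rules into plain "rdr" plus explicit pass rules so forwarded web and FTP traffic is subject to the same blocks as everything else. It assumes the 2008-era FreeBSD pf of the post and has not been loaded on that machine.

```pf
# Corrected ruleset, editor's example (not the poster's file). Assumptions are marked.
ext_if="vr0"
int_if="rl0"
vpn_if="tun0"
internal_net="10.0.0.0/24"
webserver="10.0.0.2"
icmp_types="echoreq"

set block-policy return      # blocked TCP gets RST, blocked UDP gets ICMP unreachable
set loginterface $vpn_if
set optimization aggressive
set skip on lo

scrub in

# tables used by the rules below
table <brute> persist
table <badHosts> persist     # assumption: fed from outside, e.g. pfctl -t badHosts -T add 203.0.113.7

# ----- nat/rdr -----
nat on $ext_if from $internal_net to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# plain rdr (no "pass"): redirected packets still go through the filter rules,
# so the antispoof / private-range / NMAP / <badHosts> blocks apply to them too
rdr on $ext_if proto tcp from any to any port ftp -> $webserver port 21
rdr on $ext_if proto tcp from any to any port www -> $webserver port 80
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128

# ----- default deny -----
block in log all
block out log all

# ----- quick blocks: every one of these is scoped so it cannot match LAN or VPN traffic -----
block in log quick on $ext_if from 10.0.0.0/8 to any
block in log quick on $ext_if from 127.0.0.0/8 to any
block in log quick on $ext_if from 172.16.0.0/12 to any
block in log quick on $ext_if from 192.168.0.0/16 to any
antispoof for { lo $ext_if $int_if }
block drop in quick on $ext_if from any os { NMAP }
block log quick from <brute>
block log quick on $ext_if from <badHosts> to any
block log quick on $ext_if from any to <badHosts>
# The post's "block return-rst in quick proto tcp from any to any" and
# "block return-icmp in quick proto udp from any to any" are deliberately absent:
# they matched every inbound TCP/UDP packet on every interface and, being quick,
# ended evaluation before any later pass rule could apply.

# ----- filter rules -----
anchor "ftp-proxy/*"
pass out keep state

# SSH from the Internet, rate limited: more than 5 new connections per second from
# one source puts that source in <brute> and flushes its existing states
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn-rate 5/1, overload <brute> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port auth flags S/SA keep state

# forwarded services; the destination was already rewritten by the rdr rules above
pass in on $ext_if proto tcp from any to $webserver port www flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $webserver port ftp flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

# LAN and VPN are trusted. Without the catch-all blocks these rules are now reached;
# the Squid redirect on $int_if is passed here as well (its destination is 127.0.0.1 by now).
pass in quick on $int_if keep state
pass in quick on $vpn_if keep state
```

Check it with pfctl -nf /etc/pf.conf before loading it with pfctl -f, then open an SSH session from a LAN host and watch pfctl -vvsr: the evaluation and packet counters on the "pass in quick on $int_if" line should move, and nothing should show up in the pflog for that connection. If the explicit "block return-rst" rules are wanted for readability, they must be the last rules and must not be quick, at which point they are just the default deny again.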