[FUG-BR] tcpdump and pflog0 showing little data

Enio Marconcini eniorm at gmail.com
Friday November 20 14:07:21 BRST 2009


2009/11/20 Giancarlo Rubio <gianrubio at gmail.com>

> post your whole pf.conf
>
> --
> Giancarlo Rubio
> -------------------------
> Archive: http://www.fug.com.br/historico/html/freebsd/
> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>



here it goes


## MACROS
nic_interna = "re1"
nic_externa = "re2"
rede_interna = "192.168.0.0/24"
rede_wireless = "192.168.10.0/24"
table <redes> persist { $rede_interna $rede_wireless }
table <ips_autorizados> persist { X.Y.Z.T }

## OPTIONS
set skip on lo0
set block-policy drop
#set loginterface pflog0
scrub in all
###
nat on $nic_externa from <redes> to any -> ($nic_externa)
# nat for ftp
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $nic_interna inet proto tcp from any to port 21 -> 127.0.0.1 port 8021

## RULES
# block everything by default
block log all
# ftp
anchor "ftp-proxy/*"

# allow outbound traffic on the external interface
pass out log on $nic_externa inet proto tcp from any to any flags S/SA modulate state
pass out log on $nic_externa inet proto udp from any to any keep state

# allow outbound traffic on the internal interface
pass out quick log on $nic_interna inet proto tcp from any to any flags S/SA modulate state
pass out quick log on $nic_interna inet proto udp from any to any keep state

# allow ICMP
pass inet proto icmp from any to any keep state

# allow external access from the authorized IPs to Webmin
pass in quick log on $nic_externa inet proto tcp from <ips_autorizados> to ($nic_externa) flags S/SA modulate state
pass in quick log on $nic_interna inet proto tcp from any to any flags S/SA modulate state

# allow ssh access from outside and from the inside
pass in quick log on $nic_externa inet proto tcp from <ips_autorizados> to ($nic_externa) port 65022 flags S/SA modulate state
pass in quick log on $nic_interna inet proto tcp from any to any port 65022 flags S/SA modulate state

# allow named access from outside and from the inside
pass in quick on {$nic_externa $nic_interna} inet proto tcp from any to any port 53 flags S/SA modulate state
pass in quick on {$nic_externa $nic_interna} inet proto udp from any to any port 53 keep state

# port 80, internal and external
pass in quick on $nic_externa inet proto tcp from any to any port 80 flags S/SA modulate state
pass in quick on $nic_interna inet proto tcp from any to ($nic_interna) port 80 flags S/SA modulate state

# port 443, internal
pass in quick on $nic_interna inet proto tcp from any to any port 443 flags S/SA modulate state

# allow ftp, internal and external
pass in quick on {$nic_externa $nic_interna} inet proto tcp from any to any port {20 21} flags S/SA modulate state
pass in quick on {$nic_externa $nic_interna} inet proto udp from any to any port {20 21} keep state
pass in quick on $nic_interna inet proto tcp from any to any port 8021 flags S/SA modulate state
pass in quick on $nic_externa inet proto tcp from any to any port > 49151 flags S/SA modulate state

# smb, internal
pass in quick log on $nic_interna inet proto tcp from any to any port {445 139} flags S/SA modulate state
pass in quick log on $nic_interna inet proto udp from any to any port {137 138} keep state

# squid, internal
pass in quick on $nic_interna inet proto tcp from any to any port 3128 flags S/SA modulate state

# email ports
pass quick inet proto tcp from any to any port {25 110} flags S/SA modulate state
pass quick inet proto udp from any to any port {25 110} keep state


# EOF




-- 
ENIO RODRIGO MARCONCINI
gtalk: eniorm at gmail.com
skype: eniorm
msn: /dev/null

> FreeBSD -:- OpenBSD -:-
> Cigarette Brand Collections
< Obi-Wan has taught you well....
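An added example, not part of the original post or of the author's config: a small audit script that reads pf rules in the (simplified, one-rule-per-line) syntax of the config above and reports what each rule will actually send to pflog0. Two pf facts drive the verdicts: a rule without `log` never produces a pflog record no matter how much traffic it passes, and a stateful `pass ... log` rule logs only the packet that creates the state (one record per connection) unless it says `log (all)`. The sample rule set is constructed for the demonstration; the script assumes a pf version where `pass` rules keep state by default (OpenBSD 4.1 and later, FreeBSD 7.0 and later) unless `no state` is given. The names `Rule`, `audit` and `silent_pass_rules` are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of the config posted above (not the real file).
SAMPLE_PF_CONF = """\
# constructed rules for the audit demo
block log all
pass out log on re2 inet proto tcp from any to any flags S/SA modulate state
pass out quick log on re1 inet proto udp from any to any keep state
pass inet proto icmp from any to any keep state
pass in quick on re1 inet proto tcp from any to any port 3128 flags S/SA modulate state
pass in quick log (all) on re1 inet proto tcp from any to any port 445 flags S/SA modulate state
pass in log proto tcp from any to any port 80 no state
"""

LOG_ALL_RE = re.compile(r"\blog\s*\(\s*all\s*\)")          # "log (all)"
LOG_RE = re.compile(r"\blog\b")                             # plain "log"
STATE_RE = re.compile(r"\b(keep|modulate|synproxy)\s+state\b")

# Verdict strings: what tcpdump -i pflog0 will see for traffic matching the rule.
NONE = "no pflog record"
EVERY = "every matching packet"
FIRST = "first packet of each connection only"


@dataclass
class Rule:
    text: str
    action: str      # "pass" or "block"
    logs: bool       # rule carries the "log" keyword
    log_all: bool    # "log (all)": log every packet, not just the state-creating one
    stateful: bool   # rule creates state


def parse_rules(conf: str) -> list[Rule]:
    """Parse filter rules only; macros, options, nat/rdr and anchors are skipped."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = line.split()
        if toks[0] not in ("pass", "block"):
            continue
        # Assumption: pass rules keep state by default (pf >= OpenBSD 4.1 / FreeBSD 7),
        # so a pass rule is stateful unless it explicitly says "no state".
        # Explicit "keep/modulate/synproxy state" as in the config above is stateful too.
        stateful = toks[0] == "pass" and ("no state" not in line or bool(STATE_RE.search(line)))
        rules.append(Rule(line, toks[0], bool(LOG_RE.search(line)),
                          bool(LOG_ALL_RE.search(line)), stateful))
    return rules


def expected_pflog(rule: Rule) -> str:
    """What pflog0 records for packets matched by this rule."""
    if not rule.logs:
        return NONE
    if rule.log_all or not rule.stateful:
        return EVERY            # block rules and stateless pass rules log each packet
    return FIRST                # stateful pass with plain "log": one record per session


def audit(conf: str) -> list[tuple[str, str]]:
    return [(r.text, expected_pflog(r)) for r in parse_rules(conf)]


def silent_pass_rules(conf: str) -> list[str]:
    """Pass rules that let traffic through without ever touching pflog0."""
    return [r.text for r in parse_rules(conf) if r.action == "pass" and not r.logs]


if __name__ == "__main__":
    for text, verdict in audit(SAMPLE_PF_CONF):
        print(f"{verdict:40} <- {text}")
    print("\npass rules that never log:")
    for text in silent_pass_rules(SAMPLE_PF_CONF):
        print("  ", text)
```

Run against the config in this thread the same way (after joining the mail-wrapped lines), the result explains a sparse pflog0: the named, port 80/443, ftp, squid and email rules carry no `log` at all, and the remaining `log` rules are stateful, so each connection contributes a single record. Adding `log (all)` to a rule, or `log` to the currently silent ones, is what changes what tcpdump shows; `set loginterface` only affects the counters in `pfctl -s info`, not pflog.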

