[FUG-BR] IPFW vs SMTP and POP
Bruno Torres Viana
btviana at gmail.com
Tue Jan 5 12:41:50 BRST 2010
ifconfig (re1=LAN re2=WAN)
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 00:1d:7d:0d:25:80
inet 192.168.25.4 netmask 0xffffff00 broadcast 192.168.25.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
re2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 00:1d:0f:be:93:e5
inet 192.168.1.64 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
netstat -nr
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGS 11 17360 re2
127.0.0.1 link#4 UH 0 12 lo0
192.168.1.0/24 link#3 U 0 241 re2
192.168.1.64 link#3 UHS 0 114 lo0
192.168.25.0/24 link#2 U 4 30202 re1
192.168.25.4 link#2 UHS 0 0 lo0
ipfw show
00005 63367 23159498 allow log ip from any to any via re1
00010 32 1920 allow log ip from any to any via lo0
00015 0 0 check-state
00110 0 0 allow log tcp from any to 192.168.1.1 dst-port 53 out via re2 setup keep-state
00111 412 42103 allow log udp from any to 192.168.1.1 dst-port 53 out via re2 keep-state
00112 409 20724 allow log tcp from 192.168.25.23 to any out via re2 setup keep-state
00113 0 0 allow log tcp from 192.168.25.23 to any out via re0 setup keep-state
00200 29123 13793875 allow log tcp from any to any dst-port 80 out via re2 setup keep-state
00220 1048 431997 allow log tcp from any to any dst-port 443 out via re2 setup keep-state
00230 0 0 allow log tcp from any to any dst-port 25 via re2 setup keep-state
00231 0 0 allow log tcp from any to any dst-port 110 via re2 setup keep-state
00240 0 0 allow log tcp from me to any out via re0 setup uid root keep-state
00250 0 0 allow log icmp from any to any out via re0 keep-state
00251 8 672 allow log icmp from any to any out via re2 keep-state
00260 0 0 allow log tcp from any to any dst-port 37 out via re2 setup keep-state
00280 0 0 allow log tcp from any to any dst-port 22 out via re2 setup keep-state
00281 0 0 allow log tcp from any to any dst-port 22 out via re0 setup keep-state
00290 0 0 allow log tcp from any to any dst-port 43 out via re2 setup keep-state
00299 1754 124034 deny log ip from any to any out via re2
00300 0 0 deny log ip from any to any out via re0
00301 0 0 deny log ip from 172.16.0.0/12 to any in via re0
00302 0 0 deny log ip from 10.0.0.0/8 to any in via re0
00303 0 0 deny log ip from 127.0.0.0/8 to any in via re0
00304 0 0 deny log ip from 0.0.0.0/8 to any in via re0
00305 0 0 deny log ip from 169.254.0.0/16 to any in via re0
00306 0 0 deny log ip from 192.0.2.0/24 to any in via re0
00307 0 0 deny log ip from 204.152.64.0/23 to any in via re0
00308 0 0 deny log ip from 224.0.0.0/3 to any in via re0
00310 29 1044 deny log icmp from any to any in via re2
00310 20 1280 deny log icmp from any to any in via re0
00315 0 0 deny log tcp from any to any dst-port 113 in via re2
00315 0 0 deny log tcp from any to any dst-port 113 in via re0
00320 0 0 deny log tcp from any to any dst-port 137 in via re2
00321 0 0 deny log tcp from any to any dst-port 138 in via re2
00322 0 0 deny log tcp from any to any dst-port 139 in via re2
00323 0 0 deny log tcp from any to any dst-port 81 in via re2
00324 0 0 deny log tcp from any to any dst-port 137 in via re0
00325 0 0 deny log tcp from any to any dst-port 138 in via re0
00326 6 296 deny log tcp from any to any dst-port 139 in via re0
00327 0 0 deny log tcp from any to any dst-port 81 in via re0
00330 0 0 deny log ip from any to any frag in via re2
00331 0 0 deny log ip from any to any frag in via re0
00332 286 14488 deny log tcp from any to any established in via re2
00333 0 0 deny log tcp from any to any established in via re2
00410 0 0 allow log tcp from any to me dst-port 22 in via re2 setup limit src-addr 2
00411 0 0 allow log tcp from any to me dst-port 22 in via re0 setup limit src-addr 2
00420 0 0 allow log tcp from any to me dst-port 23 in via re2 setup limit src-addr 2
00499 631 30860 deny log ip from any to any in via re2
00999 20 1317 deny log ip from any to any
65535 0 0 deny ip from any to any
2010/1/5 Nilson <nilson at forge.com.br>
> 2010/1/5 Bruno Torres Viana <btviana at gmail.com>:
> > Nilson,
> >
> > re1 is my LAN; I believe this packet really does have to get through...
> > Anyway, I am not very familiar with ipfw, so if you can help...
>
> Sure. By any chance, couldn't this be the port 25 blocking that the
> ISPs are rolling out because of the CGI-br ruling?
>
> Send more data:
>
> # ifconfig
> # netstat -nr
> # ipfw show
>
> --
> Nilson
> -------------------------
> Archive: http://www.fug.com.br/historico/html/freebsd/
> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>
--
-------------------------------
Bruno Torres Viana
Information Security Analyst
Contact: (27) 8823-0751
We are all ignorant, just about different subjects. Don't be ignorant
by choice!
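An added example, not from the original post or from either participant: a small first-match simulator for the subset of ipfw syntax the ruleset above uses. It takes an excerpt of the posted `ipfw show` output (copied as posted, in the same order), takes "me" from the ifconfig output, and reports which rule a given packet hits on each pass through the firewall (a forwarded packet is checked once "in" on re1 and once "out" on re2). The LAN host 192.168.25.10, the mail server 203.0.113.25 (a TEST-NET-3 documentation address) and the submission-port case (587) are assumptions for illustration. Run over the posted rules it shows that a SYN to port 25 from a LAN host other than 192.168.25.23 reaches rule 230 on the way out of re2 (192.168.25.23 itself is caught by 112 first), so the zero packet counters on 230 and 231 in the posted output mean no SYN to port 25 or 110 has reached those rules since the counters were last cleared; that a client using port 587 instead would be dropped by 299; and that, because 230 and 231 carry no `out` keyword (unlike 200 and 220), they also match a SYN to port 25 or 110 arriving on re2.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Addresses the firewall owns (from the ifconfig output); "me" in a rule matches them.
LOCAL_ADDRS = {"192.168.25.4", "192.168.1.64", "127.0.0.1"}

# Excerpt of the posted `ipfw show` output, rule order preserved.
RULESET_TEXT = """\
00005 63367 23159498 allow log ip from any to any via re1
00015 0 0 check-state
00112 409 20724 allow log tcp from 192.168.25.23 to any out via re2 setup keep-state
00200 29123 13793875 allow log tcp from any to any dst-port 80 out via re2 setup keep-state
00230 0 0 allow log tcp from any to any dst-port 25 via re2 setup keep-state
00231 0 0 allow log tcp from any to any dst-port 110 via re2 setup keep-state
00299 1754 124034 deny log ip from any to any out via re2
00332 286 14488 deny log tcp from any to any established in via re2
00499 631 30860 deny log ip from any to any in via re2
65535 0 0 deny ip from any to any
"""

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    direction: str = "out"      # "in" or "out", relative to the firewall
    iface: str = "re2"
    flags: FrozenSet[str] = frozenset({"syn"})  # TCP flags; a bare SYN is a connection attempt

@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    via: Optional[str] = None
    setup: bool = False         # SYN set, ACK clear
    established: bool = False   # ACK or RST set

def parse_rule(line: str) -> Rule:
    """Parse one `ipfw show` line; the counters, `log` and `keep-state` carry no match semantics."""
    toks = line.split()
    body = [t for t in toks[3:] if t not in ("log", "keep-state")]
    rule = Rule(number=int(toks[0]), action=body[0])
    if rule.action == "check-state":
        return rule
    it = iter(body[1:])
    rule.proto = next(it)
    for t in it:
        if t in ("from", "to", "via"):
            setattr(rule, {"from": "src", "to": "dst", "via": "via"}[t], next(it))
        elif t == "dst-port":
            rule.dport = int(next(it))
        elif t in ("in", "out"):
            rule.direction = t
        elif t in ("setup", "established"):
            setattr(rule, t, True)
        else:                   # frag, uid, limit ... are outside this subset on purpose
            raise ValueError(f"rule {rule.number}: unsupported token {t!r}")
    return rule

def addr_matches(spec: str, addr: str) -> bool:
    if spec in ("any", "me"):
        return spec == "any" or addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Static match for the first packet of a flow, so check-state finds no entry."""
    tcp = pkt.proto == "tcp"
    return (
        rule.action != "check-state"
        and rule.proto in ("ip", pkt.proto)
        and addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)
        and (rule.dport is None or (pkt.proto != "icmp" and pkt.dport == rule.dport))
        and (rule.direction is None or rule.direction == pkt.direction)
        and (rule.via is None or rule.via == pkt.iface)   # "via" matches either direction
        and (not rule.setup or (tcp and "syn" in pkt.flags and "ack" not in pkt.flags))
        and (not rule.established or (tcp and bool(pkt.flags & {"ack", "rst"})))
    )

def load_ruleset(text: str = RULESET_TEXT) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]

def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    """First rule that matches, in listing order as ipfw evaluates them; 65535 guarantees a hit."""
    return next(r for r in rules if rule_matches(r, pkt))

if __name__ == "__main__":
    # Constructed packets: 192.168.25.10 is a hypothetical LAN host, 203.0.113.25 a
    # hypothetical mail server. A forwarded packet is checked twice: in on re1, out on re2.
    for pkt in (Packet("tcp", "192.168.25.10", "203.0.113.25", 25, "in", "re1"),
                Packet("tcp", "192.168.25.10", "203.0.113.25", 25),
                Packet("tcp", "192.168.25.10", "203.0.113.25", 587),
                Packet("tcp", "203.0.113.25", "192.168.1.64", 25, "in", "re2")):
        r = first_match(load_ruleset(), pkt)
        print(f"{pkt.direction:>3} via {pkt.iface} dport {pkt.dport:<3} -> rule {r.number:05d} {r.action}")
```

The simulator only mirrors static rule order: keep-state and limit create dynamic entries on the real box that check-state would hit for later packets of a flow, and the parser rejects frag, uid and limit, which is why it is fed an excerpt rather than the whole listing. On the firewall itself the equivalent check is to run `ipfw zero`, retry the mail client once, and run `ipfw show` again to see which rule's counter moved.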