[FUG-BR] Firewall with priority for web browsing
Gustavo Freitas
gst.freitas at gmail.com
Mon Nov 8 12:50:25 BRST 2010
Folks,
I'm just starting out with BSD and I implemented a firewall using PF. Its only purpose is
to control and give priority to internet browsing, with a bandwidth reservation
of 80%, without traffic control or port blocking.
I'd like your opinion on it and whether it is correct.
# Macros
int_if = "rl0"
ext_if = "vr0"
unsafe = "{ rl0, vr0 }"
int_net = "10.0.0.0/8"
int_alias = "10.10.0.0/16"

# Table used by the "ssh bruteforce" rule below (populated by sshguard);
# pfctl refuses to load a ruleset that references an undeclared table
table <sshguard> persist

# Options: on FreeBSD's pf the ruleset must be ordered
# options, normalization, queueing, translation, filtering
set loginterface $int_if
set skip on lo
set block-policy return

# Normalization ("match ... scrub" is OpenBSD 4.7+ syntax; FreeBSD uses scrub)
scrub in all no-df

# Queueing: 80% of the link reserved for web browsing, 20% for everything else
altq on $ext_if cbq bandwidth 512Kb queue { def, http }
queue def bandwidth 20% cbq(default borrow red)
queue http bandwidth 80% cbq(borrow red)

# Translation
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Filtering
antispoof quick for { lo $int_if }

# drop illegal TCP flag combinations
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF

# block in traffic from private networks on external interface
block drop in quick on $ext_if from $int_alias to any
# block out traffic to private networks on external interface
block drop out quick on $ext_if from any to $int_alias

# Web browsing from the LAN leaves through $ext_if, so the queue has to be
# assigned on the outbound rule; an "in" rule on $ext_if would only queue
# connections made to the firewall's own web ports
pass out quick on $ext_if proto tcp from any to any port { 80, 443 } \
	flags S/SA keep state queue http

# label must be on the same rule line (or continued with a backslash)
block in quick on $ext_if proto tcp from <sshguard> to any port 22 \
	label "ssh bruteforce"
# SSH connection
pass in log on $int_if inet proto tcp from $int_net to { $int_if $ext_if } port ssh
pass out log on $int_if inet proto tcp from $int_if to any port ssh
# DNS queries
pass in log on $int_if proto { tcp udp } from $int_net to $ext_if port { domain bootps }
# ping
block in log on $int_if proto icmp from $int_alias to $int_alias
# File sharing applications
pass in log on $int_if proto { tcp udp } from $int_net to any port socks
--
Gustavo Freitas
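A small checker, added here as an example and not part of the original post, for two things pfctl rejects in a ruleset like the one above: rules outside the section order FreeBSD's pf enforces (options, normalization, queueing, translation, filtering) and a `label` left on its own line. The sample ruleset inside `pf_demo` is constructed; it assumes only POSIX sh and awk.

```shell
# Checks that a pf.conf follows the section order FreeBSD's pfctl enforces.
# Macros, tables, comments and blank lines may appear anywhere; backslash
# continuations are skipped; a keyword that starts no rule is reported.
pf_check_order() {
    awk '
    function kind(l) {
        sub(/^[ \t]+/, "", l)
        if (l ~ /^(#|$)/)                          return 0  # comment or blank
        if (l ~ /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/)  return 0  # macro
        if (l ~ /^table[ \t]/)                     return 0  # table
        if (l ~ /^set[ \t]/)                       return 1  # options
        if (l ~ /^scrub[ \t]/)                     return 2  # normalization
        if (l ~ /^(altq|queue)[ \t]/)              return 3  # queueing
        if (l ~ /^(nat|rdr|binat)[ \t]/)           return 4  # translation
        if (l ~ /^(pass|block|antispoof|match)[ \t]/) return 5  # filtering
        return -1                                            # not a rule start
    }
    BEGIN { split("options normalization queueing translation filtering", name, " ") }
    cont { cont = ($0 ~ /\\$/); next }   # continuation of the previous rule
    { cont = ($0 ~ /\\$/) }
    {
        c = kind($0)
        if (c < 0) { printf "line %d: not a rule start: %s\n", NR, $0; bad = 1; next }
        if (c == 0) next
        if (c < max) { printf "line %d: %s rule after %s section\n", NR, name[c], name[max]; bad = 1 }
        if (c > max) max = c
    }
    END { exit bad }' "$1"
}

# Constructed sample (not the poster's file): a filter rule placed before the
# queueing section and a "label" on its own line, both rejected by pfctl.
pf_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
ext_if = "vr0"
set block-policy return
block in log quick proto tcp flags SF/SF
altq on $ext_if cbq bandwidth 512Kb queue { def, http }
block in quick on $ext_if proto tcp from <sshguard> to any port 22
label "ssh bruteforce"
EOF
    if pf_check_order "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

if pf_demo; then echo "ruleset order ok"; else echo "ruleset would be rejected"; fi
```

Run it against a real file with `pf_check_order /etc/pf.conf`; it only checks ordering and stray lines, so `pfctl -nf /etc/pf.conf` remains the authoritative syntax check.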