[FUG-BR] pf and ipfw together.

Cabral Bandeira ibandeira at me.com
Sun Jul 17 16:51:09 BRT 2011


Hello, I am using pf as the default firewall and ipfw for ACK bandwidth control. It turns out that with both enabled nothing browses, only ping works. If I run pfctl -F all the internet works normally. How do I solve this?

My use is as a desktop, on a MacBook with OS X Lion. There is no ALTQ support.

In ipfw I use http://intrarts.com/throttled.html

I learned pf in an hour :) At least I think I learned it.

But I would like to know whether I need to improve anything. See below.

set block-policy drop
set optimization normal
set ruleset-optimization basic
set timeout interval 10
set timeout frag 30
set skip on lo0
set debug none
set limit frags 4096
set state-policy floating
set require-order yes

if = "en1"
scrub in all

# Discard malformed packets
scrub all reassemble tcp
scrub out all no-df max-mss 1492 random-id
antispoof for $if inet

#icmp_types="echoreq"

block in
pass out

# loopback is good
pass in quick on lo0 all
pass out quick on lo0 all

antispoof quick for $if inet

# allow icmp
#pass in inet proto icmp all icmp-type $icmp_types 

block in on $if inet proto icmp from ! 192.168.1.5 to any icmp-type 8 code 0

# allow dns queries
pass out on $if proto udp from any to any port 53 

# pass http traffic
pass out on $if proto tcp from $if to any port 80 flags S/SA 

# pass ftp traffic
pass out on $if proto tcp from $if to any port { 21 , 20 } flags S/SA 

pass in quick inet proto { tcp, udp } from any to any port = 16000 
pass out quick inet proto { tcp, udp } from any to any port = 16000
pass in quick inet proto { tcp, udp } from any to any port = 16003 
pass out quick inet proto { tcp, udp } from any to any port = 16003
pass in quick inet proto { tcp, udp } from any to any port = 51413 
pass out quick inet proto { tcp, udp } from any to any port = 51413
pass in quick inet proto { tcp, udp } from any to any port = 38772 
pass out quick inet proto { tcp, udp } from any to any port = 38772

pass in quick inet proto udp from any to any port = 123 
pass out quick inet proto udp from any to any port = 123
pass in quick inet proto udp from any to any port = 192 
pass out quick inet proto udp from any to any port = 192
pass in quick inet proto tcp from any to any port = 443 
pass out quick inet proto tcp from any to any port = 443
pass in quick inet proto tcp from any to any port = 548 
pass out quick inet proto tcp from any to any port = 548
pass in quick inet proto udp from any to any port = 5353 
pass out quick inet proto udp from any to any port = 5353

# Enable anti-spoofing protection on all interfaces
block in quick from urpf-failed

# block nmap scans
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
block drop in quick on $if from any os { NMAP } 

pass on lo0 all

-----
Cabral Bandeira
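An added example, not part of the post above and not the author's code: a small audit script for rulesets written in the style of the one posted. The ruleset contains many "pass in quick ... from any to any port = N" rules with no interface or source restriction, so they open those ports to the whole network, not just the LAN. The script parses "pass in" lines and lists which (protocol, port) pairs are reachable from any source on a non-loopback interface. SAMPLE_RULESET is a constructed subset in the same style (with one LAN-scoped rule added for contrast), and the regex-based parser only understands the rule forms shown here, not full pf.conf syntax.

```python
import re

# Constructed sample in the style of the posted ruleset (not the full ruleset).
# The last "pass in" line is added for contrast: it restricts the source.
SAMPLE_RULESET = """\
block in
pass out
pass in quick on lo0 all
pass in quick inet proto { tcp, udp } from any to any port = 51413
pass in quick inet proto udp from any to any port = 123
pass in quick inet proto tcp from any to any port = 443
pass in quick inet proto tcp from any to any port = 548   # AFP
pass in on en1 proto tcp from 192.168.1.0/24 to any port = 548
block in quick from urpf-failed
"""

PASS_IN_RE = re.compile(r"^pass\s+in\b(?P<body>.*)$")
ON_RE = re.compile(r"\bon\s+(\S+)")
PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
PORT_RE = re.compile(r"\bport\s*=?\s*(\{[^}]*\}|\d+)")


def _as_list(token):
    """Turn 'tcp' or '{ tcp, udp }' into a list of bare tokens."""
    return [t for t in re.split(r"[\s,{}]+", token) if t]


def parse_pass_in(line):
    """Parse one 'pass in' rule into interface, source, protocols and ports.

    Returns None for lines that are not 'pass in' rules. Comments are stripped.
    Missing 'from' means 'any'; missing 'proto' is recorded as ['any'].
    """
    line = line.split("#", 1)[0].strip()
    m = PASS_IN_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    on = ON_RE.search(body)
    proto = PROTO_RE.search(body)
    src = FROM_RE.search(body)
    port = PORT_RE.search(body)
    return {
        "iface": on.group(1) if on else None,
        "src": src.group(1) if src else "any",
        "protos": _as_list(proto.group(1)) if proto else ["any"],
        "ports": [int(p) for p in _as_list(port.group(1))] if port else [],
    }


def exposed_services(ruleset):
    """Return sorted (proto, port) pairs that 'pass in' rules accept from any
    source on a non-loopback interface, i.e. services reachable from anywhere."""
    exposed = set()
    for line in ruleset.splitlines():
        rule = parse_pass_in(line)
        if rule is None or rule["iface"] == "lo0" or rule["src"] != "any":
            continue
        for proto in rule["protos"]:
            for port in rule["ports"]:
                exposed.add((proto, port))
    return sorted(exposed)


if __name__ == "__main__":
    for proto, port in exposed_services(SAMPLE_RULESET):
        print(f"{proto}/{port} is accepted from any source")
```

Run it against the ruleset text to get a quick inventory of what is open; for a desktop, anything in that list that should only be reachable from the LAN (AFP on 548, for instance) is a candidate for adding `on $if` plus a `from <LAN prefix>` restriction to the rule.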